Cybersecurity researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations.
AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features designed to thwart static and dynamic analysis and ultimately evade detection.
Attack chains leverage phishing emails carrying attachments that masquerade as Microsoft Word documents but are in fact binaries that pave the way for execution of the malware, which is then used to fetch second-stage shellcode payloads, including Cobalt Strike, from a remote server.
"These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis," security researcher Fernando Dominguez said. "The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected."
Some of the defense evasion techniques adopted by SquidLoader include the use of encrypted code segments, pointless code that is never executed, Control Flow Graph (CFG) obfuscation, debugger detection, and performing direct syscalls instead of calling the Windows NT APIs.
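Direct syscalls are one of the techniques listed above, and they leave a recognizable footprint that defenders can look for: on x64 Windows the only module that legitimately contains `mov r10, rcx; mov eax, <number>; syscall` stubs is ntdll.dll, so the same byte pattern inside an arbitrary executable or an unbacked memory region is a strong static indicator. The scanner below is an added example written for this article, not code from LevelBlue Labs or from the SquidLoader analysis; the sample buffer, the syscall numbers it carries and the function names are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Byte pattern of the canonical x64 system-call stub that ntdll exports:
#   mov r10, rcx            4C 8B D1
#   mov eax, <ssn>          B8 xx xx 00 00   (ssn = system service number)
#   [optional Win10 check]  up to 16 bytes of test/jne before the syscall
#   syscall                 0F 05
# Seeing this outside ntdll means the binary calls the kernel directly,
# bypassing any user-mode API hooks a security product has placed.
STUB_RE = re.compile(
    rb"\x4C\x8B\xD1\xB8(?P<ssn>[\x00-\xFF]{2})\x00\x00"
    rb"[\x00-\xFF]{0,16}?\x0F\x05"
)


@dataclass
class SyscallStub:
    offset: int  # byte offset of the stub inside the scanned buffer
    ssn: int     # system service number loaded into eax


def find_direct_syscall_stubs(data: bytes) -> list[SyscallStub]:
    """Return every direct-syscall stub found in a raw byte buffer."""
    hits = []
    for m in STUB_RE.finditer(data):
        ssn = int.from_bytes(m.group("ssn"), "little")
        hits.append(SyscallStub(offset=m.start(), ssn=ssn))
    return hits


def should_flag(data: bytes, module_is_ntdll: bool = False) -> bool:
    """A non-ntdll image that embeds its own syscall stubs is suspicious.

    The caller states whether the buffer came from ntdll.dll (where stubs
    are expected); everything else with at least one stub gets flagged.
    """
    if module_is_ntdll:
        return False
    return len(find_direct_syscall_stubs(data)) > 0


# Constructed sample: filler bytes, one plain stub, more filler, then one
# stub that carries the Windows 10 style "test byte ptr [...]; jne" check.
# The SSN values 0x18 and 0x3A are arbitrary here, not real assignments.
STUB_PLAIN = bytes.fromhex("4C8BD1B818000000" "0F05" "C3")
STUB_WITH_CHECK = bytes.fromhex(
    "4C8BD1B83A000000" "F604250803FE7F01" "7503" "0F05" "C3"
)
SAMPLE = b"\x90" * 8 + STUB_PLAIN + b"\xCC" * 5 + STUB_WITH_CHECK


if __name__ == "__main__":
    for stub in find_direct_syscall_stubs(SAMPLE):
        print(f"stub at offset {stub.offset:#06x}, ssn={stub.ssn:#x}")
    print("flag:", should_flag(SAMPLE))
```

The pattern deliberately tolerates a short gap between the `mov eax` and the `syscall` so that stubs copied from a recent ntdll (which insert a check for the Wow64 transition) are still matched; stubs that have been further rewritten will need additional patterns, so treat a hit as a high-confidence signal and a miss as no information.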
Loader malware has become a popular commodity in the criminal underground for threat actors looking to deliver and launch additional payloads on compromised hosts while bypassing antivirus defenses and other security measures.
Last year, Aon's Stroz Friedberg Incident Response detailed a loader known as Taurus Loader that has been observed distributing the Taurus information stealer as well as AgentVX, a trojan with capabilities to execute additional malware, set up persistence using Windows Registry changes, and gather data.
The development comes as a new in-depth analysis of a malware loader and backdoor called PikaBot has highlighted that it continues to be actively developed by its operators since its emergence in February 2023.
"The malware employs advanced anti-analysis techniques to evade detection and hinder analysis, including system checks, indirect syscalls, encryption of next-stage and strings, and dynamic API resolution," Sekoia said. "The recent updates to the malware have further improved its capabilities, making it even more difficult to detect and mitigate."
It also follows findings from BitSight that the infrastructure associated with a different loader malware called Latrodectus has gone offline in the wake of a law enforcement effort dubbed Operation Endgame, which saw around 100 botnet servers, including those associated with IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot, dismantled.
The cybersecurity firm said it observed nearly 5,000 unique victims spread across 10 different campaigns, with a majority of the victims located in the U.S., the U.K., the Netherlands, Poland, France, Czechia, Japan, Australia, Germany, and Canada.
Some parts of this article are sourced from:
thehackernews.com