
Squidoor’ Malware: Chinese Hackers Launch New Cyber Attacks on Global Organizations


Cybersecurity researchers have identified a new wave of cyber attacks orchestrated by a suspected Chinese threat actor, leveraging a sophisticated malware known as “Squidoor.”

The attacks, grouped under the activity cluster CL-STA-0049, have been ongoing since at least March 2023, targeting critical sectors including government, defense, telecommunications, education, and aviation across Southeast Asia and South America.

The attackers utilized Squidoor, also referred to as “FinalDraft,” to infiltrate both Windows and Linux systems.

Squidoor is a modular backdoor engineered specifically for stealth operations within highly monitored networks.

It possesses advanced capabilities such as Outlook API exploitation, Domain Name System (DNS) tunneling, and Internet Control Message Protocol (ICMP) tunneling to maintain covert communication with its command-and-control (C2) servers.

Researchers from Palo Alto Networks’ Unit 42 have assessed with moderate to high confidence that these malicious activities originate from China.

Initial Access and Lateral Movement

The threat actors initially gained entry by exploiting vulnerabilities in Internet Information Services (IIS) servers, subsequently deploying web shells such as OutlookDC.aspx and Error.aspx variants.

These web shells served as persistent backdoors enabling sustained access and command execution on compromised systems.

[Figure: code snippet of a web shell used in the attack.]

The attackers further propagated these web shells across multiple servers using tools like curl and Impacket, often disguising them as certificates to evade detection.

Technical Sophistication of Squidoor Malware

Squidoor, also referred to in some reports as “FinalDraft,” is engineered for stealth operations within highly monitored environments.

[Figure: the execution flow of loading Squidoor.]

It is a modular backdoor capable of executing arbitrary commands, injecting payloads into processes like mspaint.exe and conhost.exe, collecting sensitive information, and deploying additional malware payloads.

A notable aspect of Squidoor’s operation is its abuse of a legitimate Microsoft tool, the Console Debugger binary (cdb.exe), to load and execute shellcode directly in memory.

This technique falls under the category of living-off-the-land binaries and scripts (LOLBAS), which are legitimate tools misused by attackers.
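The chain described above (an IIS web shell spawning commands, then cdb.exe being used to run shellcode against a process such as mspaint.exe or conhost.exe) leaves a recognizable process tree. The following hunting script is an added example, not code from Unit 42 or the article; the event records are constructed to resemble Sysmon process-creation fields and the hostnames and paths are placeholders.

```python
"""Hunt process-creation telemetry for the Squidoor-style chain:
an IIS worker (w3wp.exe) spawning a shell or LOLBAS, and cdb.exe
being pointed at one of the hosts the malware injects into.

Added example for this article; events below are constructed, not real telemetry."""
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"
# LOLBAS/tools named in the article (cdb.exe, curl) plus shells commonly run via web shells.
SUSPICIOUS_CHILDREN = {"cdb.exe", "curl.exe", "cmd.exe", "powershell.exe"}
# Processes the article says Squidoor injects into.
INJECTION_HOSTS = {"mspaint.exe", "conhost.exe"}


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one alert string per event that matches a rule."""
    alerts = []
    for e in events:
        parent, child = _basename(e.parent_image), _basename(e.image)
        cmd = e.command_line.lower()
        if parent == IIS_WORKER and child in SUSPICIOUS_CHILDREN:
            alerts.append(f"{e.host}: IIS worker spawned {child} (possible web shell)")
        elif child == "cdb.exe" and any(h in cmd for h in INJECTION_HOSTS):
            alerts.append(f"{e.host}: cdb.exe launched against an injection host")
    return alerts


# Constructed sample events (hostnames and paths are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("iis-01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("iis-01", r"C:\Windows\System32\cmd.exe", r"C:\Tools\cdb.exe", "cdb.exe mspaint.exe"),
    ProcEvent("dev-07", r"C:\Windows\explorer.exe", r"C:\Tools\cdb.exe", "cdb.exe notepad.exe"),
    ProcEvent("ws-03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mspaint.exe", "mspaint.exe"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The developer workstation event (dev-07) is deliberately left unflagged: cdb.exe alone is benign, so the rule keys on the parent and target rather than the binary.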

The malware’s persistence mechanism involves scheduled tasks that ensure continuous access even after system reboots.

Communication between Squidoor implants within compromised networks is carefully orchestrated to minimize suspicious traffic patterns.

Additionally, attackers have exploited platforms like Pastebin to store configuration data and track implant activations globally.

Cybersecurity professionals have been advised to bolster their detection capabilities against Squidoor by closely monitoring indicators of compromise (IoCs) associated with this malware.

Palo Alto Networks has updated its security products including Cortex XDR and Advanced WildFire to detect and mitigate threats posed by this malware effectively.
