A new campaign leveraging a decentralized malware loader, dubbed SquidLoader, is actively targeting financial service institutions in Hong Kong, with ripple effects observed across the Asia-Pacific region.
Security researchers report that SquidLoader distinguishes itself through a suite of sophisticated anti-analysis, anti-sandbox, and anti-debugging techniques, resulting in near-zero detection rates on VirusTotal at the time of discovery.
The loader acts as a conduit for remote access tool deployment, notably culminating in the delivery of a memory-resident Cobalt Strike Beacon, granting persistent external control to threat actors.
Multi-Stage Infection Chain
SquidLoader’s attack sequence commences with spear-phishing emails tailored to Hong Kong’s financial workforce, crafted in simplified Chinese and disguised as routine financial documents.

By attaching a password-protected RAR archive that masquerades as an invoice, the attackers circumvent automated scanning and entice recipients into extracting the payload.
Embedded within the archive is a PE binary carrying the name and icon of a Microsoft Word document, amplifying its social engineering facade.
Upon first execution, the binary copies itself as “setup_xitgutx.exe” to the public users directory and relaunches, beginning its actual malicious execution under the guise of a benign process.
Static and dynamic analysis reveal that SquidLoader leverages early execution via a hijacked __scrt_common_main_seh function, diverting the typical flow well before the program’s WinMain is reached.
A custom routine unpacks an internal payload using a bespoke per-byte transformation (each byte XORed with 0xF4, then incremented by 19), evading basic static detection.
The malware then demonstrates advanced API resolution through Process Environment Block (PEB) walking, individually decrypting and erasing API strings off the stack to leave minimal forensic traces.
A central custom structure on the stack houses resolved API pointers, key runtime flags, and critical environment pointers; it is then stowed within unused PEB space for stealthy access throughout execution.
Heavy control flow obfuscation, including redundant conditional jumps and opaque predicates, further shields underlying logic from reverse engineers.
Comprehensive Suite of Anti-Analysis Tactics
SquidLoader exhaustively surveys its host for sandbox artifacts and analysis tools. It retrieves environment information, matching usernames and execution paths to known sandbox signatures.
The malware terminates instantly if processes associated with debuggers, analysis tools, or antivirus applications are detected, using blacklists and conditional process checks.
Further, it calls undocumented NT functions (such as NtQuerySystemInformation and NtQueryInformationProcess) to probe for kernel debuggers or debug object handles, exiting if anomalies are detected.

A clever thread/APC timing trick is employed to catch emulated environments: a long-sleeping thread and APC queuing are used to set a flag, while thread states and NTSTATUS values are checked after synchronizations that emulator sandboxes frequently mishandle.
SquidLoader also summons a Mandarin-language error dialog, forcing user interaction and thereby sidestepping non-interactive sandboxes altogether.
Upon clearing its anti-analysis gauntlet, SquidLoader transmits a comprehensive system inventory over HTTPS to a command and control (C2) domain mimicking Kubernetes infrastructure, a tactic aimed at blending with legitimate enterprise cloud traffic.
The C2 path /api/v1/namespaces/kube-system/services is a deliberate choice for camouflage.
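An added example, not from the report or from any vendor tooling: a small Python filter that flags proxy-log entries whose path matches this Kubernetes-style C2 URL but whose destination is not one of the organisation's known cluster API endpoints. The log format, the allowlist, and the destination addresses are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Path SquidLoader uses to disguise its C2 check-in as Kubernetes API traffic
# (from the report). Hosts below are constructed and are not the report's IOCs.
SUSPECT_PATH = "/api/v1/namespaces/kube-system/services"

# Hypothetical allowlist: API endpoints of clusters this organisation really runs.
KNOWN_K8S_API_HOSTS = {"10.20.0.5", "k8s-api.corp.example"}

# Constructed proxy log lines in a simple "client dest_url status" format.
SAMPLE_LOG = """\
10.1.4.22 https://203.0.113.7/api/v1/namespaces/kube-system/services 200
10.1.4.22 https://k8s-api.corp.example/api/v1/namespaces/kube-system/services 200
10.1.4.23 https://203.0.113.7/login 200
10.1.4.24 https://10.20.0.5/api/v1/namespaces/kube-system/services 200
10.1.4.25 https://198.51.100.9/api/v1/namespaces/kube-system/services 403
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})$")


def is_bare_ip(host: str) -> bool:
    """True when the destination is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_k8s_checkins(log_text: str) -> list:
    """Return entries whose path mimics the kube-system services API but whose
    destination is not a known cluster endpoint. A literal IP serving this
    path from outside the cluster allowlist is the pattern worth triaging."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, url, status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.path != SUSPECT_PATH or host in KNOWN_K8S_API_HOSTS:
            continue
        hits.append({"client": client, "host": host,
                     "bare_ip": is_bare_ip(host), "status": status})
    return hits


if __name__ == "__main__":
    for hit in suspicious_k8s_checkins(SAMPLE_LOG):
        print(hit)
```

Tune the allowlist to the real cluster endpoints and feed it the proxy's actual URL field; the kube-system path on a destination that is not a cluster you operate is the signal, regardless of HTTP status.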
Ultimately, the loader retrieves and deploys a Cobalt Strike Beacon in memory, enabling lateral movement or data theft.
Emerging evidence suggests that the actors are targeting regional financial actors across Hong Kong, Singapore, Australia, and China, with customized spear-phishing content attuned to each locale.
Indicators of Compromise (IOCs)
Context | SHA256 | C2 Servers |
---|---|---|
Hong Kong | bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232 b2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900 6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c 9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2 | hxxps://39.107.156.136/api/v1/namespaces/kube-system/services |
Singapore | 34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493 | hxxps://8.140.62.166/api/v1/namespaces/kube-system/services |
China | a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5 | hxxps://38.55.194.34/api/v1/namespaces/kube-system/services |
Australia | 2d371709a613ff8ec43f26270a29f14a0cb7191c84f67d49c81d0e044344cf6c | hxxps://47.116.178.227/api/v1/namespaces/kube-system/services |