Saturday, July 6, 2024

Experts discover new evasive SquidLoader malware targeting Chinese organizations

June 20, 2024 | Newsroom | Malware / Cyber Attacks


Cybersecurity researchers have discovered a new evasive malware loader, dubbed SquidLoader, that spreads through phishing campaigns targeting organizations in China.

AT&T LevelBlue Labs, which first observed the malware in late April 2024, said the malware incorporates capabilities designed to thwart static and dynamic analysis and ultimately evade detection.

The attack chain leverages phishing emails carrying attachments that are disguised as Microsoft Word documents but are actually Windows executables. Opening one runs the loader, which then retrieves a second-stage shellcode payload, such as a Cobalt Strike beacon, from a remote server.
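The lure described above works because mail clients and users trust the file name, not the bytes. The following is an added example (not LevelBlue's code or a sample from the campaign) of the check a mail gateway or triage script can apply: compare the attachment's magic bytes against the document type its extension claims, and flag anything that is a PE regardless of name. The attachment names and byte strings are constructed for the demo.

```python
"""Flag attachments whose real file type (magic bytes) contradicts the document
type their name claims, e.g. a ".docx" that is really an MZ executable.
Added example; sample names and bytes are constructed, not campaign artifacts."""

# Leading byte signatures for the handful of types worth distinguishing here.
MAGIC = {
    b"MZ": "pe",                                   # Windows EXE / DLL / SCR
    b"PK\x03\x04": "zip",                          # OOXML (.docx/.xlsx) is a ZIP
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc / .xls
    b"{\\rtf": "rtf",
    b"%PDF": "pdf",
}

# What a given document extension is allowed to contain.
EXPECTED = {
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".doc": {"ole"}, ".xls": {"ole"},
    ".rtf": {"rtf"}, ".pdf": {"pdf"},
}


def detect_type(data: bytes) -> str:
    """Classify a blob by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_extension(name: str) -> str:
    """Return the last extension, lower-cased. A double extension such as
    'report.docx.exe' therefore yields '.exe', which is what Windows executes."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def check_attachment(name: str, data: bytes) -> dict:
    """Verdict for one attachment. 'suspicious' is True when the bytes are a PE
    (whatever the name says) or when a document extension hides another type."""
    kind = detect_type(data)
    ext = claimed_extension(name)
    allowed = EXPECTED.get(ext)
    suspicious = kind == "pe" or (allowed is not None and kind not in allowed)
    return {"name": name, "ext": ext, "real_type": kind, "suspicious": suspicious}


# Constructed samples: a PE wearing a .docx name, a genuine OOXML container,
# a double-extension lure, and a plain text file.
SAMPLES = [
    ("Quarterly_Report.docx", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24),
    ("Quarterly_Report.docx", b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24),
    ("Quarterly_Report.docx.exe", b"MZ\x90\x00" + b"\x00" * 28),
    ("notes.txt", b"nothing to see here\n"),
]


def triage(samples=SAMPLES):
    """Run the check over a list of (name, bytes) and return the verdicts."""
    return [check_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict in triage():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['name']:28} claims {verdict['ext'] or '(none)'} "
              f"but is {verdict['real_type']}")
```

The check is deliberately cheap so it can run inline on every attachment; a mismatch is not proof of malice on its own, but a PE behind a document name is exactly the shape of the SquidLoader lure and is worth quarantining before the user ever sees an icon.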

“These loaders have sophisticated evasion and decoy mechanisms to remain undetected and hinder analysis,” said security researcher Fernando Dominguez. “The delivered shellcode is also loaded in the same loader process, potentially avoiding writing the payload to disk and avoiding the risk of detection.”


The defense evasion techniques employed by SquidLoader include encrypted code segments, dead code that is never executed, control flow graph (CFG) obfuscation, debugger detection, and direct system calls in place of the Windows NT API wrappers in ntdll.dll, so that user-mode hooks placed on those wrappers by EDR products never see the calls.

Loader malware has become a hot commodity in the criminal underworld for threat actors looking to deliver and launch additional payloads onto compromised hosts while evading antivirus defenses and other security measures.

Last year, Aon's Stroz Friedberg incident response team detailed a loader known as Taurus Loader, which has been observed distributing the Taurus information stealer as well as AgentVX, a trojan that uses Windows registry modifications to execute additional malware, establish persistence, and gather data.

The development comes after a new detailed analysis of the malware loader and backdoor known as PikaBot revealed that it has been under active development since it emerged in February 2023.


“The malware uses advanced anti-analysis techniques, including system checks, indirect system calls, next stage and string encryption, and dynamic API resolution to evade detection and enhance analysis,” Sekoia said. “Recent updates to this malware have further strengthened its capabilities, making it even more difficult to detect and mitigate.”

Additionally, findings from Bitsight show that infrastructure associated with another loader, Latrodectus, was taken offline by the law enforcement effort known as Operation Endgame, which dismantled more than 100 botnet servers, including those associated with IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee and TrickBot.

The cybersecurity firm said it had identified around 5,000 Latrodectus victims across 10 distinct attack campaigns, with the majority residing in the U.S., U.K., Netherlands, Poland, France, Czech Republic, Japan, Australia, Germany and Canada.
