Squidloader Goes Hunting for Careless Users

Cybersecurity researchers have recently uncovered a new malicious Squidloader bootloader that is being distributed through phishing campaigns targeting Chinese organizations.

According to specialists at Levelblue Labs, the malicious code, known as Squidloader, was first identified in late April 2024. Squidloader employs sophisticated techniques to evade both static and dynamic analysis, making it difficult to detect.

The attackers behind these campaigns are using phishing emails with attachments disguised as Microsoft Word documents. However, these attachments are actually binary files that execute malicious code. This code then downloads a second stage of malware from a remote server, including the notorious Cobalt Strike.

Fernando Dominges, a security researcher, highlighted the complex evasion mechanisms employed by Squidloader loaders. These mechanisms include creating false targets and loading shell-code into the same process to avoid detection by traditional security measures.

Squidloader utilizes various evasion techniques, such as encrypting code segments, including unnecessary code, and bypassing the usual Windows NT API calls by executing direct system calls.

Malware loaders like Squidloader are favored by cyber attackers as they allow for the delivery and execution of additional malicious payloads on compromised devices. This helps them bypass antivirus protection and other security measures.

The evolving landscape of cybersecurity demands constant vigilance and adaptability. The emergence of advanced threats like Squidloader underscores the importance of a comprehensive approach to cybersecurity.

Organizations must focus not only on enhancing technical security measures but also on educating employees about identifying and thwarting phishing attacks. Even the most sophisticated security systems can be circumvented due to human error, making employee awareness crucial in combating cyber threats.

/Reports, release notes, official announcements.