Executive summary
A new wave of SquidLoader malware samples is actively targeting financial services institutions in Hong Kong. This sophisticated malware exhibits significant evasion capabilities, achieving near-zero detection rates on VirusTotal at the time of analysis. SquidLoader employs an attack chain culminating in the deployment of a Cobalt Strike Beacon for remote access and control. Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organizations. This blog post provides a detailed technical analysis of the observed SquidLoader sample, highlighting its key features and indicators of compromise, including advanced anti-debugging tricks.
The observed SquidLoader attack follows a five-stage infection chain:
- Spear-phishing email: The attack commences with a targeted spear-phishing email directed at employees of Hong Kong financial services institutions.
- Password-protected RAR archive: The email carries an attachment disguised as an invoice inside a password-protected RAR archive. The password is supplied in the email body, so the recipient can open the archive while email-gateway scanners cannot inspect its contents.
- Malicious PE binary: Once extracted, the RAR archive yields a PE binary. The binary is crafted with an icon and a file name mimicking a Microsoft Word document to deceive the user, while its file properties resemble those of the legitimate "AMDRSServ.exe" (Radeon Settings host service), further aiding the social engineering.
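The lure in stage three relies on a file whose name and icon say "Word document" while its bytes say "Windows executable". The following added example (not code from the original report or its authors) shows one mail-gateway or triage check for that mismatch: it validates the DOS/PE headers and compares the result with what the attachment name claims. The file names and byte blobs are constructed for the demonstration, not taken from the report.

```python
import struct

# Extensions a genuine executable attachment would carry, versus the
# document extensions a lure borrows. Both sets are assumptions for the demo.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf"}


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at the
    'PE\\0\\0' signature, i.e. the content is a Windows executable image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(name: str, data: bytes) -> str:
    """Compare what the attachment name claims with what the bytes are."""
    parts = name.lower().split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    if not is_pe_image(data):
        return "not-pe"
    if final_ext not in EXECUTABLE_EXTENSIONS:
        # e.g. 'Invoice.docx' that is really an executable
        return "pe-with-non-executable-extension"
    if DOCUMENT_EXTENSIONS & set(parts[1:-1]):
        # e.g. 'Invoice.docx.exe', relying on hidden extensions
        return "pe-with-document-double-extension"
    return "pe"


def build_minimal_pe_stub() -> bytes:
    """Constructed test input: a DOS header with e_lfanew = 0x40 followed by
    the PE signature. Enough for the header check, not a runnable program."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    # Constructed attachments: a lure name on PE bytes, and a real .docx (ZIP).
    samples = {
        "Invoice_2024.docx.exe": build_minimal_pe_stub(),
        "Invoice_2024.docx": build_minimal_pe_stub(),
        "Real_Invoice.docx": b"PK\x03\x04" + bytes(80),
    }
    for fname, blob in samples.items():
        print(f"{fname}: {classify_attachment(fname, blob)}")
```

This check covers only the name/content mismatch; the Word icon and the copied version-information fields the report describes live in the PE resource section and need a separate resource-level comparison.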
Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.