Cybersecurity Threat Alert: New Wave of Attacks Using Squidoor Malware Linked to Chinese Hackers


In a rising wave of cyber attacks, security experts have uncovered a sophisticated operation, attributed to a suspected Chinese hacker group, deploying a new form of malware called “Squidoor.” This malware has been wreaking havoc across critical sectors such as government, defense, telecommunications, education, and aviation, primarily in Southeast Asia and South America. The ongoing attacks, which have been active since March 2023, are executed under the activity cluster labeled CL-STA-0049. Here’s an in-depth look at how these cybercriminals are operating and what can be done to defend against them.

The Attack

Cybersecurity researchers have discovered a new series of cyber attacks orchestrated by a suspected Chinese threat actor, using the malware “Squidoor.” These attacks, which have been active since March 2023, target key sectors including government, defense, telecommunications, education, and aviation, mainly in Southeast Asia and South America. The malware is a modular backdoor designed for stealth operations within highly monitored networks, capable of infiltrating both Windows and Linux systems.

The malware, also known as “FinalDraft,” utilizes advanced capabilities like Outlook API exploitation, DNS tunneling, and ICMP tunneling, enabling attackers to maintain covert communication with their command-and-control (C2) servers. Researchers from Palo Alto Networks’ Unit 42 have high confidence that the source of the attacks is linked to China.

The attack vector involves exploiting vulnerabilities in Internet Information Services (IIS) servers. Once inside, the attackers deploy web shells like OutlookDC.aspx and Error.aspx, which serve as persistent backdoors, allowing the attackers to maintain control and execute commands on compromised systems. These web shells are spread across multiple servers using tools such as curl and Impacket, often disguised as certificates to avoid detection.
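A defender-side way to hunt for the web-shell activity described above is to triage the IIS request logs, since every command sent to a shell such as OutlookDC.aspx or Error.aspx arrives as an HTTP request. The script below is an added example, not code from the report or from Unit 42: it parses W3C-format IIS log lines using the `#Fields:` header, flags any request whose file name matches the web-shell names given in the article, and flags POST requests to `.aspx` pages that are not in a baseline of paths the application is known to serve. The baseline (`KNOWN_APP_PATHS`) and the sample log lines are constructed for the example.

```python
"""Triage IIS W3C logs for web-shell activity (added example, not from the report)."""
from dataclasses import dataclass

# Web-shell file names named in the report.
WEBSHELL_NAMES = {"outlookdc.aspx", "error.aspx"}

# Constructed baseline of .aspx paths the application legitimately serves (assumption).
KNOWN_APP_PATHS = {"/owa/default.aspx", "/app/login.aspx"}


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    path: str
    reason: str


def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the #Fields header for column names."""
    fields = None
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # skip malformed lines rather than mis-map columns
            continue
        yield no, dict(zip(fields, parts))


def triage(text, known_paths=KNOWN_APP_PATHS):
    """Return findings for requests that look like web-shell traffic."""
    findings = []
    for no, rec in parse_w3c(text):
        path = rec["cs-uri-stem"]
        if path.lower() in known_paths:
            continue  # baselined application page, never flagged
        name = path.rsplit("/", 1)[-1].lower()
        method = rec["cs-method"].upper()
        ip = rec["c-ip"]
        if name in WEBSHELL_NAMES:
            findings.append(Finding(no, ip, method, path, "path matches reported web-shell name"))
        elif method == "POST" and name.endswith(".aspx"):
            findings.append(Finding(no, ip, method, path, "POST to .aspx outside the application baseline"))
    return findings


# Constructed sample log (not real traffic); IIS writes one record per request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-10 08:00:01 10.0.0.5 GET /owa/default.aspx - 443 198.51.100.7 Mozilla/5.0 200
2025-01-10 08:00:09 10.0.0.5 POST /app/login.aspx - 443 198.51.100.7 Mozilla/5.0 302
2025-01-10 08:01:15 10.0.0.5 POST /owa/auth/OutlookDC.aspx - 443 203.0.113.9 curl/8.4.0 200
2025-01-10 08:01:16 10.0.0.5 POST /aspnet_client/Error.aspx - 443 203.0.113.9 curl/8.4.0 200
2025-01-10 08:02:00 10.0.0.5 POST /app/upload.aspx - 443 203.0.113.9 python-requests/2.31 200
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.method} {f.path} <- {f.reason}")
```

The name rule alone would produce noise on any site that legitimately has an `Error.aspx`, which is why the baseline check runs first; in practice the baseline should be generated from the deployed application's file list rather than typed by hand.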

Squidoor malware is engineered for stealth, making it capable of performing various malicious tasks without raising suspicion. It can execute arbitrary commands, inject payloads into common processes like mspaint.exe and conhost.exe, collect sensitive data, and deploy additional malware. One of its key features is abusing legitimate Microsoft tools, such as the Console Debugger binary (cdb.exe), to load and run shellcode directly into memory, a technique known as “living off the land.”

To maintain persistence, Squidoor uses scheduled tasks, ensuring that access remains even after system reboots. The malware also communicates subtly with its C2 servers, avoiding detection by monitoring systems. Additionally, attackers exploit platforms like Pastebin to store configuration data and track implant activations.
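The tradecraft in the two preceding paragraphs (cdb.exe used as a living-off-the-land loader, payloads injected into mspaint.exe and conhost.exe, scheduled tasks for persistence, all starting from a web shell on an IIS server) maps onto a handful of endpoint telemetry rules. The block below is an added example, not the report's or Unit 42's detection content: it evaluates Sysmon-style events (event ID 1 for process creation, event ID 8 for CreateRemoteThread) against four rules and runs them over constructed JSON-lines events. The process names mspaint.exe, conhost.exe and cdb.exe come from the article; w3wp.exe (the IIS worker process), the `SHELL_CHILDREN` set and the `TASK_ADMIN_PARENTS` allowlist are assumptions made for the example.

```python
"""Detection rules for the Squidoor tradecraft described above, run over constructed
Sysmon-style events (added example; not the report's or Unit 42's code)."""
import json
from pathlib import PureWindowsPath

# Process names taken from the report.
INJECTION_TARGETS = {"mspaint.exe", "conhost.exe"}
LOLBIN_DEBUGGER = "cdb.exe"
# Assumptions not in the report: w3wp.exe is the IIS worker process, and these are the
# children a web shell typically needs in order to run commands or persist.
IIS_WORKER = "w3wp.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe", "curl.exe"}
TASK_ADMIN_PARENTS = {"explorer.exe", "mmc.exe", "services.exe"}  # hypothetical allowlist


def base(path):
    """Lower-cased file name of a Windows path, or '' when the field is missing."""
    return PureWindowsPath(path).name.lower() if path else ""


def evaluate(event):
    """Return the list of rule names that fire for one event dict."""
    hits = []
    eid = event.get("event_id")
    if eid == 1:  # process creation
        img, parent = base(event.get("image")), base(event.get("parent_image"))
        cmd = (event.get("command_line") or "").lower()
        if img == LOLBIN_DEBUGGER:
            hits.append("lolbin_cdb_execution")
        if parent == IIS_WORKER and img in SHELL_CHILDREN:
            hits.append("iis_worker_spawned_shell")
        if img == "schtasks.exe" and "/create" in cmd and parent not in TASK_ADMIN_PARENTS:
            hits.append("scheduled_task_persistence")
    elif eid == 8:  # CreateRemoteThread: code placed into another process
        src, tgt = base(event.get("source_image")), base(event.get("target_image"))
        if tgt in INJECTION_TARGETS and src != tgt:
            hits.append("remote_thread_into_decoy_process")
    return hits


def scan(lines):
    """Evaluate JSON-lines events; return [(event_index, [rules])] for events that fired."""
    out = []
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        hits = evaluate(json.loads(line))
        if hits:
            out.append((i, hits))
    return out


# Constructed events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r'''
{"event_id": 1, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "command_line": "explorer.exe"}
{"event_id": 1, "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "command_line": "w3wp.exe -ap DefaultAppPool"}
{"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "command_line": "cmd.exe /c whoami"}
{"event_id": 1, "image": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cdb.exe"}
{"event_id": 1, "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "schtasks.exe /Create /SC ONSTART /TN Updater /TR C:\\Users\\Public\\u.exe"}
{"event_id": 8, "source_image": "C:\\Users\\Public\\u.exe", "target_image": "C:\\Windows\\System32\\mspaint.exe"}
{"event_id": 8, "source_image": "C:\\Windows\\System32\\vsdbg.exe", "target_image": "C:\\Windows\\System32\\notepad.exe"}
'''.strip().splitlines()

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

The cdb.exe rule is deliberately unconditional: on a production IIS or domain server the debugger has no business running at all, so the allowlisting belongs on developer workstations, not in the rule. The remote-thread rule ignores a process touching itself, which keeps ordinary thread creation out of the results while still catching a foreign binary placing code into mspaint.exe or conhost.exe.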

Cybersecurity experts advise businesses and organizations to enhance their detection capabilities and closely monitor indicators of compromise (IoCs) related to Squidoor. Palo Alto Networks has updated its security products to defend against the threats posed by this malware.

What Undercode Says:

The emergence of the Squidoor malware, attributed to Chinese threat actors, demonstrates an increasingly sophisticated level of cyberattacks. This particular malware, designed for covert operations within highly scrutinized networks, is a significant step forward in the cyber espionage tactics employed by state-sponsored groups. Squidoor’s modular design means it can be adapted for various tasks depending on the needs of the attackers, making it both versatile and dangerous.

One of the most concerning aspects of Squidoor is its ability to exploit trusted, legitimate tools—like Microsoft’s cdb.exe. By using living-off-the-land binaries and scripts (LOLBAS), attackers can operate without raising red flags in monitoring systems. The use of common processes such as mspaint.exe and conhost.exe to inject payloads is another example of the subtlety with which Squidoor operates. The malware is engineered not just for infiltration but for prolonged, undetected operation within compromised systems.


The fact that Squidoor can operate across both Windows and Linux systems adds another layer of complexity for defenders. Because the implant runs on multiple platforms, organizations need to employ comprehensive, cross-platform detection strategies. Additionally, the use of web shells and the strategic spread of these shells across multiple servers via tools like Impacket and curl shows a highly coordinated attack plan, with efforts made to maintain persistent access to victim systems.

The advice from cybersecurity experts to monitor IoCs and bolster detection capabilities is essential, but it is clear that attackers are constantly evolving their techniques to stay one step ahead. To effectively defend against threats like Squidoor, organizations need to be proactive in their security posture, continually updating their defenses to address the latest methods used by threat actors.

It is also critical to note the role of platforms like Pastebin in storing configuration data. The exploitation of public services for clandestine communications illustrates how attackers continue to adapt and find new ways to hide their tracks. This highlights the need for broader monitoring across not just enterprise networks but also open-source platforms that are often overlooked in traditional security protocols.

Fact Checker Results:

  • The malware Squidoor has been confirmed to be used in targeted cyberattacks since at least March 2023.
  • The attacks, attributed to a Chinese group, have been targeting critical sectors in Southeast Asia and South America.
  • Security products from Palo Alto Networks, including Cortex XDR and Advanced WildFire, have been updated to detect and mitigate Squidoor-related threats.

References:

Reported By: https://cyberpress.org/chinese-hackers-launch-new-cyber-attacks-on-global-organizations/