A sophisticated backdoor malware called \u201cSquidoor\u201d being deployed by suspected Chinese threat actors against organizations across South America and Southeast Asia.<\/p>\n
The malware, designed for exceptional stealth, offers attackers multiple methods to maintain persistent access to compromised networks while evading detection from advanced security<\/a> systems.<\/p>\n Initial access is gained primarily through exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of multiple web shells that serve as persistent backdoors.<\/p>\n These web shells exhibit significant similarities in their structure and obfuscation techniques, suggesting a common origin.<\/p>\n Palo Alto Networks researchers identified<\/a> that Squidoor is a sophisticated multi-platform backdoor built specifically to operate undetected in highly monitored and secured networks.<\/p>\n The malware exists in both Windows and Linux variants, demonstrating the threat actor\u2019s commitment to compromising diverse environments regardless of operating system.<\/p>\n The technical sophistication of Squidoor is particularly evident in its communication mechanisms.<\/p>\n The Windows version supports ten different protocols for command and control (C2) communication, while the Linux version supports nine.<\/p>\n These methods include HTTP-based communication, reverse TCP\/UDP connections, DNS tunneling, and even Microsoft Outlook mail API communication, allowing attackers to adapt to different network environments and security controls.<\/p>\n \u201cThe threat actor stored some of the web shells<\/a> on bashupload.com and downloaded and decoded them using certutil,\u201d according to the research report.<\/p>\n The attackers then used curl and Impacket to spread the web shells across different servers within compromised networks.<\/p>\n Perhaps the most innovative aspect of Squidoor is its ability to leverage Microsoft Outlook as a covert communication channel.<\/p>\n When configured to use this method, the malware logs into the Microsoft identity platform using a hard-coded refresh token.<\/p>\n It then queries the drafts folder in Outlook, searching for emails with specific subject line patterns containing randomly generated numbers that help differentiate between different Squidoor implants.<\/p>\n The communication flow involves sophisticated encoding and encryption techniques<\/a>.<\/p>\n Email contents undergo multiple stages of processing: transformation using CryptStringToBinaryA WinAPI, Base64 decoding, a combination of AES and custom XOR decryption, and finally zlib decompression.<\/p>\n This deobfuscated content provides commands for Squidoor to execute, ranging from reconnaissance to payload injection.<\/p>\n For persistence, Squidoor creates a scheduled task named \u201cMicrosoftWindowsAppIDEPolicyManager\u201d that executes the malicious shellcode at regular intervals, ensuring the backdoor remains active even after system reboots.<\/p>\n The malware can also inject additional payloads into legitimate processes like mspaint.exe, conhost.exe, and taskhostw.exe to further conceal its activities.<\/p>\n The post Chinese Hackers New Malware Dubbed \u2018Squidoor\u2019 Attacking Global Organizations<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhkLelbw8gOfUwnXJ3HoUvuOqdjVpW_x23m1F9Z_JZTwOWlw8tERxHffErx0vqJoP1Ea3wYyphIsgKFu3D1uzE6qP48x54VNQd7QMMlBJXZ29tD48a-Gxgy1e0G3ZR5hf1DzqxdYdx1_9rKS-tAk1izOBCXtzKHFj5gHJPUF03KcLGKAQUPCqqUAaXYdOs\/s16000\/Execution%2520flow%2520%28Source%2520-%2520Plao%2520Alto%2520Networks%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh4illyHuR1VCMmOp7HOTHOtkJbbMLFyleqyyGgucwGyUNK-PKnnUJdODLZBFvOUcNX1Uofsxjv76fOWMuAEuhvrnIcAWujpsT2d-7d5AVZHzWTPp4FP1IDZDmVvO8VnmDtK2XirZjPzTRHIxWqR_tYTi95q2HUCVwDXV35UNCzhFeRo90s9GYH1Ne4h-c\/s16000\/Flow%2520of%2520the%2520communication%2520mechanism%2520via%2520Outlook%2520API%2520%28Source%2520-%2520Plao%2520Alto%2520Networks%29.webp?ssl=1\")
Outlook Transport Channel: A Stealthy Communication Vector<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhKYmqI7rwxpXr63zjk0x57RFYfhk8Yg40HRRXfHSJYau4V4ySJUw2xAVW3j2UpYrtee6GrsuZ4POK-12ceotTM2cn_I-Mug-H05lt_moyQcogHit0esREQ41NGozAjC88AVOEaA1_3V1Dh9M4cxeH7bt26RMjaMUQ_6bTEcX09Qk53rB19EKB86nFJWBU\/s16000\/HTTP%2520POST%2520request%2520by%2520Squidoor%2520for%2520logging%2520in%2520to%2520the%2520Microsoft%2520identity%2520platform%2520%28Source%2520-%2520Plao%2520Alto%2520Networks%29.webp?ssl=1\")
Are you from SOC\/DFIR Teams? \u2013 Analyse Malware Incidents & get live Access with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/strong><\/p>\n