A new wave of malware targeting financial institutions in Hong Kong has been identified, featuring SquidLoader.
This stealthy loader deploys the Cobalt Strike Beacon and boasts advanced anti-analysis tactics.
In a new advisory published on Monday, security researchers at Trellix said the malware has been observed evading nearly all detection, making it particularly dangerous for its intended victims.
Highly Evasive, Multi-Stage Attack Chain
The SquidLoader campaign begins with targeted spear-phishing emails. These messages, written in Mandarin, impersonate financial institutions and contain a password-protected RAR archive disguised as an invoice.
Once opened, users find a malicious PE binary camouflaged as a Microsoft Word document. This file, while visually deceptive, mimics the legitimate “AMDRSServ.exe” to aid in social engineering.
Once executed, SquidLoader embeds itself in the system and begins a multi-stage infection process in which it:
- Self-unpacks to decrypt its internal payload
- Dynamically resolves critical Windows APIs through obfuscated code
- Initializes a custom stack-based structure for storing operational data
- Executes a variety of evasion routines designed to bypass sandbox, debugger and antivirus tools
- Contacts a remote command-and-control (C2) server and downloads the Cobalt Strike Beacon
Extensive Anti-Analysis and Evasion Features
One of SquidLoader’s defining traits is its extensive anti-analysis strategy. It uses environmental checks, string obfuscation, control flow confusion and undocumented Windows syscalls to stay hidden. The malware terminates itself if any known analysis tools or antivirus processes are detected, including “windbg.exe,” “ida64.exe” and “MsMpEng.exe.”
To bypass emulators and automated sandboxes, SquidLoader launches threads with long sleep durations and employs asynchronous procedure calls to monitor for abnormal behavior. If any check fails or the system shows signs of debugging, the malware exits.
Another tactic includes displaying a fake error message in Mandarin, “The file is corrupted and cannot be opened,” which requires user interaction, further impeding automated analysis.
After these checks, SquidLoader contacts a C2 server using a URL that mimics Kubernetes service paths, likely to blend in with normal enterprise traffic. It then gathers and transmits host data, including username, IP address, OS version and administrative status.
Finally, it downloads a Cobalt Strike Beacon from a secondary IP address, granting persistent remote access to attackers.
The campaign is geographically focused, with strong indicators of targeting institutions in Hong Kong. However, similar samples suggest related attacks may be underway in Singapore and Australia.
To defend against threats such as SquidLoader, organizations should consider strengthening email filtering, endpoint monitoring and behavioral analysis capabilities.