SquidLoader Deploys Stealthy Malware with Near-Zero Detection to Evade Security Measures
A fresh variant of SquidLoader malware has surfaced, actively targeting Hong Kong institutions with previously unseen stealth, an alarming development for the financial industry.
This sophisticated loader achieves near-zero detection rates on platforms like VirusTotal, leveraging intricate anti-analysis, anti-sandbox, and anti-debugging mechanisms to deploy Cobalt Strike Beacons for remote access.
The malware’s attack chain begins with spear-phishing emails in Mandarin, disguised as legitimate financial correspondence, containing password-protected RAR archives that extract a PE binary masquerading as a Microsoft Word document or the benign AMDRSServ.exe.
Upon execution, SquidLoader relocates itself to C:\Users\Public\setup_xitgutx.exe, hijacking the __scrt_common_main_seh function in the CRT prologue to initiate malicious operations before reaching WinMain, effectively bypassing initial inspections.
Advanced Evasion Tactics
Technical dissection reveals a multi-stage infection process. The initial unpacking stage employs a simple yet effective loop to de-obfuscate packed bytes via XOR with 0xF4 followed by adding 19, unveiling subsequent payloads.
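The stage-one transform described above, as an added example that is not code from the original article or from the malware: it applies the XOR-0xF4-then-add-19 decoding, provides the inverse so constructed test data can be built, and scans a blob for offsets where the decoded bytes form a PE header so an analyst can carve the next stage from a dump (the sample blob is constructed here).

```python
"""Stage-one unpacking helper for the SquidLoader byte transform described above.

Added example, not code from the original article or from the malware itself.
It implements the transform the text describes (XOR each byte with 0xF4, then
add 19, wrapping at 8 bits), its inverse (used only to build constructed test
data), and a scan that locates offsets where the decoded bytes form a PE file,
so an analyst can carve the next stage out of a dumped blob.
"""

XOR_KEY = 0xF4
ADD_KEY = 19


def deobfuscate(packed: bytes) -> bytes:
    # Per-byte: (b ^ 0xF4) + 19, modulo 256.
    return bytes(((b ^ XOR_KEY) + ADD_KEY) & 0xFF for b in packed)


def obfuscate(plain: bytes) -> bytes:
    # Inverse: (b - 19) modulo 256, then ^ 0xF4.
    return bytes(((b - ADD_KEY) & 0xFF) ^ XOR_KEY for b in plain)


def find_packed_pe(blob: bytes) -> list:
    """Offsets at which decoding yields 'MZ' with e_lfanew pointing at 'PE\\0\\0'."""
    packed_mz = obfuscate(b"MZ")  # what the DOS magic looks like while packed
    hits = []
    pos = blob.find(packed_mz)
    while pos != -1:
        dos_header = deobfuscate(blob[pos:pos + 64])
        if len(dos_header) == 64:
            e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
            nt_sig = deobfuscate(blob[pos + e_lfanew:pos + e_lfanew + 4])
            if nt_sig == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(packed_mz, pos + 1)
    return hits


def _constructed_sample() -> bytes:
    # Minimal fake PE (DOS header + NT signature), packed and wrapped in junk.
    dos = bytearray(b"MZ" + b"\x00" * 62)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 64
    fake_pe = bytes(dos) + b"PE\x00\x00" + b"\x90" * 32
    return b"JUNK-PREFIX-" + obfuscate(fake_pe) + b"-TRAILER"


SAMPLE_PACKED = _constructed_sample()
```

Checking for the NT signature at e_lfanew, not just the packed "MZ" bytes, keeps random two-byte collisions in large dumps from being reported as payloads.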
Stage two involves PEB walking to dynamically resolve APIs from ntdll.dll and kernel32.dll, with API names XORed and overwritten to erase static traces.
A custom stack structure stores resolved pointers, flags, and PEB/TEB addresses, saved in an unused PEB section for easy access, while heavy control flow obfuscation via conditional jumps complicates reverse engineering.
Stage three ramps up evasion with anti-sandbox checks, such as verifying usernames against “Abby” or “WALKER,” and ensuring the process image matches the relocated path.
It enumerates processes via NtQuerySystemInformation to blacklist tools like OllyDbg (misspelled as Olldbg.exe), x64dbg.exe, IDA Pro, and antivirus processes including MsMpEng.exe for Windows Defender.
Undocumented syscalls like NtQueryInformationProcess (0x1e) detect debug objects, and NtQuerySystemInformation (0x23) flags kernel debuggers, triggering self-termination if anomalies arise.

A novel anti-emulation trick creates a long-sleeping thread (16 minutes via SleepEx), queues an APC with NtQueueApcThread to set a flag in its data structure, and uses NtWaitForSingleObject to verify execution; deviations, common in emulators or hooked sandboxes, cause termination.
Additional measures include NtIsProcessInJob for Microsoft emulator detection, dynamic string obfuscation, and a user-interaction-required Mandarin error message box (“The file is corrupted and cannot be opened”) to foil automated analysis.
C2 Integration
Post-evasion, SquidLoader contacts its C2 server at endpoints like hxxps://39.107.156.136/api/v1/namespaces/kube-system/services, mimicking Kubernetes traffic to blend in.
It transmits host details (IP, username, OS version, PID, admin status) before downloading and executing Cobalt Strike Beacon shellcode in memory; the Beacon then connects to secondary C2s such as 182.92.239.24 for persistence.
Similar low-detection samples target Singapore, China, and Australia, sharing Kubernetes-themed URLs, indicating a coordinated campaign with geographic adaptations.
Phishing emails, dated March 31, 2025, pose as bond registration forms with encrypted attachments (password: 20250331), underscoring social engineering’s role.
This malware’s sparse detections and advanced techniques pose severe risks, urging financial entities to monitor for IOCs and enhance behavioral defenses.
Indicators of Compromise (IOCs)
Category | Details |
---|---|
Hashes (SHA256) | Hong Kong: bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232, b2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900, 6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c, 9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2; Singapore: 34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493; China: a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5; Australia: 2d371709a613ff8ec43f26270a29f14a0cb7191c84f67d49c81d0e044344cf6c |
C2 Servers | hxxps://39.107.156.136/api/v1/namespaces/kube-system/services; hxxps://8.140.62.166/api/v1/namespaces/kube-system/services; hxxps://38.55.194.34/api/v1/namespaces/kube-system/services; hxxps://47.116.178.227/api/v1/namespaces/kube-system/services; hxxps://121.41.14.96/api/v1/namespaces/kube-system/services; hxxps://47.116.178.227:443/api/v1/namespaces/kube-system/services |
Network Signature | HTTPS requests to C2 with URI /api/v1/namespaces/kube-system/services; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko |
VirusTotal Query | https://www.virustotal.com/gui/search/type%253Apeexe%2520and%2520%2522%252Fapi%252Fv1%252Fnamespaces%252Fkube-system%252Fservices%2522?type=files |
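One way to turn the network signature and C2 list above into a log-side check, as an added example that is not from the original article: it scans constructed proxy log lines (assumed format: timestamp, source IP, destination IP, method, URL, quoted User-Agent) and flags requests that reach a listed C2 address or that combine the kube-system URI with the IE11 User-Agent string. Requiring both fields matters, because the URI alone also appears in legitimate Kubernetes API traffic.

```python
"""Proxy-log check for the SquidLoader network signature listed above.

Added example, not code from the original article. Assumed log format:
"<timestamp> <src-ip> <dst-ip> <method> <url> \"<user-agent>\"".
"""
import re
from urllib.parse import urlsplit

C2_URI = "/api/v1/namespaces/kube-system/services"
C2_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
# C2 addresses from the IOC table (ports stripped).
KNOWN_C2_HOSTS = {"39.107.156.136", "8.140.62.166", "38.55.194.34",
                  "47.116.178.227", "121.41.14.96"}

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(dst_host: str, url: str, user_agent: str):
    """Return 'known-c2', 'signature-match', or None for one request."""
    if dst_host in KNOWN_C2_HOSTS:
        return "known-c2"
    # URI alone is normal Kubernetes API traffic; the IE11 UA makes it the signature.
    if urlsplit(url).path == C2_URI and user_agent == C2_UA:
        return "signature-match"
    return None


def scan_logs(text: str):
    """Return (src, dst, verdict) for every flagged line in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, src, dst, _method, url, ua = m.groups()
        verdict = classify(dst, url, ua)
        if verdict:
            hits.append((src, dst, verdict))
    return hits


# Constructed sample log: line 1 reaches a listed C2, line 4 matches the
# URI+User-Agent pair on an unlisted host, lines 2 and 3 are benign.
SAMPLE_LOGS = """\
2025-03-31T09:12:01Z 10.1.2.33 39.107.156.136 GET https://39.107.156.136/api/v1/namespaces/kube-system/services "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-03-31T09:12:05Z 10.1.2.40 10.0.0.5 GET https://10.0.0.5/api/v1/namespaces/kube-system/services "kubectl/v1.29.0 (linux/amd64)"
2025-03-31T09:13:10Z 10.1.2.33 203.0.113.7 GET https://203.0.113.7/index.html "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-03-31T09:14:22Z 10.1.2.51 198.51.100.20 GET https://198.51.100.20:443/api/v1/namespaces/kube-system/services "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
"""
```

A signature match on a host that is not a known Kubernetes API server is the higher-confidence case; an internal API server seeing that User-Agent still deserves review, since IE11 is not a normal Kubernetes client.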