
SquidLoader Malware Campaign Hits Hong Kong Financial Firms – Source:hackread.com


Source: hackread.com – Author: Deeba Ahmed.

Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.

A Covert Attack

The attack begins with spear-phishing emails written in Mandarin, carefully crafted to impersonate financial institutions. These emails deliver a password-protected RAR archive containing a malicious executable. The email body itself is crucial to the deception, as it supplies the password for the attachment. The subject line often poses as a “Registration Form for Bond Connect Investors Handling Foreign Exchange Business through Overseas Banks.”

The email claims to be from a financial representative, requesting the recipient to check and confirm the attached “scanned copy of the Bond Connect investor foreign exchange business registration form.” This file is cunningly disguised, not only mimicking a Microsoft Word document icon but also falsely adopting the file properties of a legitimate AMDRSServ.exe to bypass initial scrutiny.

Upon execution, SquidLoader runs a complex five-stage infection chain. It first unpacks its core payload, then initiates contact with a Command and Control (C2) server using a URL path that mimics legitimate Kubernetes API services (e.g., /api/v1/namespaces/kube-system/services) so the request blends in with normal network traffic.

This initial C2 communication transmits critical host information, including IP address, username, computer name, and Windows version, back to its operators. Finally, the malware downloads and executes a Cobalt Strike Beacon, which then establishes a connection to a secondary C2 server at a different address (e.g., 182.92.239.24), granting attackers persistent remote access.
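As an added example, not taken from the Trellix report or the article, the following Python checker scans constructed proxy log lines for Kubernetes-API-shaped request paths sent to destinations that are not the organisation's known cluster API servers, which is the traffic pattern the first C2 check-in described above would produce. The log format, the allowlist hostname and the sample addresses are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed proxy log lines for illustration (not from the Trellix report).
# Assumed format: "<client_ip> <dest_host> <request_path> <user_agent>".
SAMPLE_LOGS = [
    "10.1.2.3 k8s-api.corp.example /api/v1/namespaces/kube-system/services kubectl/v1.29",
    "10.1.2.4 203.0.113.10 /api/v1/namespaces/kube-system/services Mozilla/5.0",
    "10.1.2.5 intranet.corp.example /index.html Mozilla/5.0",
    "10.1.2.6 198.51.100.7 /api/v1/namespaces/default/services/web Mozilla/5.0",
]

# Kubernetes-style service-listing path, the shape used for SquidLoader's first C2 check-in.
KUBE_API_PATH = re.compile(r"^/api/v1/namespaces/[^/]+/services(?:/|$)")

# Assumed allowlist of the organisation's real Kubernetes API endpoints.
KNOWN_K8S_API_SERVERS = {"k8s-api.corp.example"}


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    client, dest, path, user_agent = parts
    return {"client": client, "dest": dest, "path": path, "user_agent": user_agent}


def is_ip_literal(host):
    """True if the destination is a bare IP address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious(lines):
    """Return records whose path looks like a Kubernetes API call but whose
    destination is not a known cluster API server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not KUBE_API_PATH.match(rec["path"]):
            continue
        if rec["dest"] in KNOWN_K8S_API_SERVERS:
            continue  # legitimate kubectl / controller traffic
        rec["ip_literal"] = is_ip_literal(rec["dest"])
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['client']} -> {hit['dest']}{hit['path']} (ip_literal={hit['ip_literal']})")
```

A destination that is a raw IP rather than a cluster hostname is a second signal worth surfacing alongside the path match.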

Attack Chain (Source: Trellix)

Evasive Tactics and Global Implications

A key reason SquidLoader is dangerous is its extensive array of anti-analysis, anti-sandbox, and anti-debugging techniques. These include checking for specific analysis tools such as IDA Pro (ida.exe) or WinDbg (windbg.exe) and for common sandbox usernames.

Notably, it employs a sophisticated threading trick involving long sleep durations and Asynchronous Procedure Calls (APCs) to detect and evade emulated environments. Should it detect any analysis attempt, the malware self-terminates. After its checks, it displays a deceptive pop-up message in Mandarin: “The file is corrupted and cannot be opened,” requiring user interaction that can thwart automated sandboxes.

“Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organisations,” Trellix researchers emphasised in their report.

The observed targeting in multiple countries highlights the global nature of this evolving threat, urging financial institutions worldwide, particularly in Hong Kong, Singapore, and Australia, to increase their security against such highly evasive adversaries.

Original Post url: https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/

Category & Tags: Security, Malware, Cyber Attack, Cybersecurity, Hong Kong, SquidLoader, Trellix, VirusTotal
