Source |
AlienVault Lab Blog |
Identifier |
8521071 |
Publication date |
2024-06-18 11:03:00 (viewed: 2024-06-19 12:10:02) |
Title |
LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations |
Text |
Executive Summary
LevelBlue Labs recently discovered a new highly evasive loader that is being delivered to specific targets through phishing attachments. A loader is a type of malware used to load second-stage payload malware onto a victim’s system. Due to the lack of previous samples observed in the wild, LevelBlue Labs has named this malware “SquidLoader,” given its clear efforts at decoy and evasion. After analysis of the sample LevelBlue Labs retrieved, we uncovered several techniques SquidLoader is using to avoid being statically or dynamically analyzed. LevelBlue Labs first observed SquidLoader in campaigns in late April 2024, and we predict it had been active for at least a month prior.
The second-stage payload that SquidLoader delivered in our sample is a Cobalt Strike beacon, modified to harden it against static analysis. Based on SquidLoader’s configuration, LevelBlue Labs assesses that this same unknown actor has been delivering sporadic campaigns during the last two years, mainly targeting Chinese-speaking victims. Although this threat actor seems to focus on a specific country, their techniques and tactics may be replicated in the near future by other actors or malware authors trying to avoid detection, possibly against non-Chinese-speaking organizations.
Loader Analysis
In late April 2024, LevelBlue Labs observed a few executables potentially attached to phishing emails. One of the samples observed was ‘914b1b3180e7ec1980d0bafe6fa36daade752bb26aec572399d2f59436eaa635’ with a Chinese filename translating to “Huawei industrial-grade router related product introduction and excellent customer cases.” All the samples LevelBlue Labs observed were named for Chinese companies, such as: China Mobile Group Shaanxi Co Ltd, Jiaqi Intelligent Technology, or Yellow River Conservancy Technical Institute (YRCTI). All the samples had descriptive filenames aimed at luring employees to open them, and they carried an icon corresponding to a Word Document, while in fact being executable binaries.
These samples are loaders that download and execute a shellcode payload via an HTTPS GET request to the /flag.jpg URI. The loaders feature heavy evasion and decoy mechanisms that help them remain undetected while also hindering analysis. The delivered shellcode is executed inside the loader process itself, likely to avoid writing the payload to disk and the detection risk that entails.
Due to all the decoy and evasion techniques observed in this loader, and the absence of previous similar samples, LevelBlue Labs has named this malware “SquidLoader”.
Most of the samples LevelBlue Labs observed use a legitimate expired certificate to make the file look less suspicious. The invalid certificate (which expired on July 15, 2021) was issued to Hangzhou Infogo Tech Co., Ltd. It has the thumbprint “3F984B8706702DB13F26AE73BD4C591C5936344F” and serial number “02 0E B5 27 BA C0 10 99 59 3E 2E A9 02 E3 97 CB.” However, it is not the only invalid certificate used to sign the malicious samples.
The command and control (C&C) servers SquidLoader uses employ a self-signed certificate. Over the course of this investigation, every C&C server discovered used a certificate with the following fields for both the issuer and the subject:
Common Name: localhost
Organizational Unit: group
Organization: Company
Locality: Nanjing
State/Province: Jiangsu
Country: CN
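A defender can turn the certificate profile above into a simple check. The following is an added example, not code from the LevelBlue write-up: it parses subject/issuer lines in the shape printed by `openssl x509 -noout -subject -issuer` (the sample lines are constructed) and flags certificates that are self-signed and carry every field the report lists.

```python
"""Flag TLS certificates matching the self-signed C&C profile described
for SquidLoader (issuer == subject, CN=localhost, OU=group, O=Company,
L=Nanjing, ST=Jiangsu, C=CN). Added example; sample lines are constructed
in the format printed by `openssl x509 -noout -subject -issuer`."""

# Fields the write-up reports for both issuer and subject of the C&C certs.
SQUIDLOADER_CNC_DN = {
    "CN": "localhost",
    "OU": "group",
    "O": "Company",
    "L": "Nanjing",
    "ST": "Jiangsu",
    "C": "CN",
}


def parse_dn(line: str) -> dict:
    """Parse 'subject=C = CN, ST = Jiangsu, ...' into an {attr: value} dict."""
    _, _, body = line.partition("=")          # drop the 'subject=' / 'issuer=' prefix
    fields = {}
    for part in body.split(","):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def matches_cnc_profile(subject_line: str, issuer_line: str) -> bool:
    """True when the cert is self-signed and every reported field matches."""
    subject = parse_dn(subject_line)
    issuer = parse_dn(issuer_line)
    if subject != issuer:                      # profile is self-signed: issuer == subject
        return False
    return all(subject.get(k) == v for k, v in SQUIDLOADER_CNC_DN.items())


# Constructed sample output: one hit, one benign leaf, one CN=localhost dev cert.
SQUID_DN = "C = CN, ST = Jiangsu, L = Nanjing, O = Company, OU = group, CN = localhost"
SAMPLES = [
    ("subject=" + SQUID_DN, "issuer=" + SQUID_DN),
    ("subject=CN = www.example.org", "issuer=C = US, O = Example CA, CN = Example R1"),
    ("subject=CN = localhost", "issuer=CN = localhost"),
]


def scan(samples=SAMPLES) -> list:
    """Return the verdict for each (subject, issuer) pair, in order."""
    return [matches_cnc_profile(s, i) for s, i in samples]
```

The full six-field match is what makes the indicator specific; a bare self-signed CN=localhost certificate alone is common in development setups and is deliberately not flagged.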
When first executed, SquidLoader copies itself to a predefined location (unless the loader is already present there) and then restarts from the new location. In this case the target location was C:\BakFiles\install.exe. This action appears to be an intentional decoy, executing the loader with a non-suspicio |
Notes |
★★
|
Sent |
Yes
Tags |
Malware
Tool
Threat
Mobile
Prediction
Technical
|