CyberSecurity news

Aman Mishra (gbhackers.com)
A new malware campaign, named "Squidoor," is targeting governments, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. Researchers at Palo Alto Networks, Lior Rochberger and Tom Fakterman, have analyzed the backdoor, attributing it to a suspected Chinese threat actor known as CL-STA-0049. Squidoor is a multi-vector modular backdoor designed for stealth and adaptability.

The malware relies on several rarely seen techniques: abuse of cdb.exe, the Outlook API, DNS, and ICMP tunneling for command and control (C2). Attackers gain initial access by exploiting vulnerabilities and deploying web shells. The backdoor is then dropped using weaponized Excel documents and deploys a stealthy RAT along with additional payloads. Squidoor uses living-off-the-land binaries (LOLBAS), such as Microsoft's Console Debugger (cdb.exe), to load shellcode directly into memory, bypassing traditional antivirus detection.
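Two of the behaviours described above leave telemetry a defender can act on: a debugger binary being spawned by an application that has no business launching one, and DNS queries whose subdomain looks like encoded data. The following is an added example, not code from the Palo Alto Networks report or from any of the sources listed below; it runs two simple heuristics over constructed Sysmon-style process-creation events and DNS query names. The field names (`Image`, `ParentImage`), the list of suspicious parent processes, the length and entropy thresholds, and the assumption that the registered domain is the last two labels are all assumptions chosen for illustration.

```python
"""Defender-side detection sketch for cdb.exe (LOLBAS) abuse and DNS tunneling.

Added example; not part of the Squidoor report. Thresholds, field names and
sample telemetry are constructed assumptions, not values from the report.
"""
import math
from collections import Counter

# Assumption: parents that should never legitimately spawn a debugger.
# Office applications (phishing documents) and IIS worker processes (web shells)
# are the launch points the summary above describes.
SUSPICIOUS_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "w3wp.exe"}


def _basename(path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_suspicious_cdb(event: dict) -> bool:
    """Flag a process-creation event where cdb.exe is spawned by an Office or web-server parent."""
    return _basename(event.get("Image", "")) == "cdb.exe" and \
        _basename(event.get("ParentImage", "")) in SUSPICIOUS_PARENTS


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious_dns(qname: str, min_len: int = 40, min_entropy: float = 3.5) -> bool:
    """Flag a query whose subdomain part is long and high-entropy (typical of DNS tunneling).

    Assumption: the registered domain is the last two labels, so everything
    before them is treated as the attacker-controlled subdomain.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return False
    subdomain = "".join(labels[:-2])
    return len(subdomain) >= min_len and shannon_entropy(subdomain) >= min_entropy


# Constructed sample telemetry (not real IoCs).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},   # debugger from Excel
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                                  # developer use
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                                      # unrelated
]
SAMPLE_DNS_QUERIES = [
    "0123456789abcdef0123456789abcdef0123456789abcdef.example.com",  # 48 hex chars, max entropy
    "www.microsoft.com",                                             # ordinary lookup
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com",     # long but zero entropy
]


def scan(process_events, dns_queries):
    """Return the events and queries each heuristic flags."""
    return {
        "cdb": [e for e in process_events if is_suspicious_cdb(e)],
        "dns": [q for q in dns_queries if is_suspicious_dns(q)],
    }


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_QUERIES).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

The entropy check alone would flag long legitimate names (CDN hostnames, tokenised mail-tracking domains), so in practice it should be combined with query volume per source host and an allowlist; the parent-process rule is the higher-confidence signal of the two.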



References:
  • gbhackers.com: Squidoor: Multi-Vector Malware Exploiting Outlook API, DNS & ICMP Tunneling for C2
  • Virus Bulletin: Palo Alto Networks researchers Lior Rochberger & Tom Fakterman analyse Squidoor. The backdoor was used in a malicious activity cluster targeting governments, defence, telecommunication, education and aviation sectors in Southeast Asia and South America.
  • Anonymous: Have you heard of the rarely observed technique abusing cdb.exe? A new backdoor called Squidoor utilizes this technique, and is in the toolkit of a suspected Chinese threat actor targeting multiple countries and sectors.
  • Talkback Resources: Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations
  • www.cysecurity.news: New Malware Targets Aviation and Satellite Firms
Classification:
  • HashTags: #Squidoor #APT #CyberEspionage
  • Company: Palo Alto Networks
  • Target: Government, Defense, Telecom, Education, Aviation
  • Attacker: CL-STA-0049
  • Product: cdb.exe
  • Feature: Multi-Vector Backdoor
  • Malware: Squidoor
  • Type: Malware
  • Severity: Major