Unit 42: Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

Source URL: https://unit42.paloaltonetworks.com/?p=138415
Source: Unit 42
Title: Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

Feedly Summary: We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth.

AI Summary and Description: Yes

**Summary:**
The text discusses a comprehensive analysis of a sophisticated cyber threat activity cluster attributed to a suspected Chinese threat actor, focusing on the “Squidoor” backdoor malware targeting various high-profile sectors. This analysis reveals the attack’s methods, including stealth techniques for maintaining access and exfiltrating sensitive information. The insights provided in this report are highly relevant for cybersecurity professionals tasked with defending against advanced, state-sponsored threats, particularly in sectors like government and telecommunications.

**Detailed Description:**
The article outlines a cyber threat known as CL-STA-0049, involving targeted attacks primarily in government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. Key points include:

– **Threat Actor Identification:**
– Attributed to a suspected Chinese threat actor.
– Focus on high-value targets for data acquisition.

– **Malicious Activity Overview:**
– Deployment of a new, sophisticated backdoor named “Squidoor” (also referred to as FinalDraft) against the targeted organizations.
– Squidoor operates on both Windows and Linux systems, showcasing its versatility.

– **Attack Techniques:**
– Use of multiple entry vectors, including the exploitation of vulnerabilities in Internet Information Services (IIS) and subsequent installation of web shells.
– Lateral movement between compromised endpoints, with persistent access maintained through the deployed web shells.

– **Communication and Stealth:**
– Squidoor supports ten distinct methods for command and control (C2) communication, including Outlook API interactions, DNS tunneling, and ICMP tunneling, which lets the attackers blend into legitimate traffic and remain undetected.
– Sophisticated obfuscation techniques used to disguise the malware’s activities and command structure.
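As an added defender-side illustration (not code from the Unit 42 report), the following Python heuristic scans constructed DNS query log lines for the pattern that DNS-tunneling C2 tends to leave behind: many distinct, long, high-entropy leading labels sent by one client to a single registered domain. The log format, domain names, client addresses and thresholds are all assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (time, client, qtype, qname); the names are
# made up for this example and are not indicators from the Unit 42 report.
SAMPLE_LOG = """\
2025-02-01T10:00:01 10.0.0.5 A www.example.com
2025-02-01T10:00:02 10.0.0.5 TXT 4d3a2f9e8b7c6d5e4f3a2b1c0d9e8f7a.c2-example.invalid
2025-02-01T10:00:03 10.0.0.5 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2-example.invalid
2025-02-01T10:00:04 10.0.0.5 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-example.invalid
2025-02-01T10:00:05 10.0.0.7 A mail.example.com
2025-02-01T10:00:06 10.0.0.7 A 4d3a2f9e8b7c6d5e4f3a2b1c0d9e8f7a.cdn.example.net
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded payload labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude eTLD+1: the last two labels (sufficient for this example)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_len=20, min_entropy=3.0, min_unique=3):
    """Return {domain: [client, ...]} for domains that received at least
    min_unique distinct long, high-entropy leading labels from one client."""
    seen = defaultdict(set)  # (client, domain) -> suspicious leading labels
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, _, qname = parts
        first = qname.split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            seen[(client, registered_domain(qname))].add(first)
    hits = defaultdict(list)
    for (client, domain), labels in seen.items():
        if len(labels) >= min_unique:  # a single odd label is not enough
            hits[domain].append(client)
    return dict(hits)

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))  # {'c2-example.invalid': ['10.0.0.5']}
```

Legitimate CDN and telemetry hostnames also use long random-looking labels, so in practice the thresholds need tuning per environment and the output is a lead for analysts, not a verdict.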

– **Modular and Stealthy Operations:**
– Squidoor exhibits modularity, allowing for varied attack strategies and data exfiltration methods.
– The use of living-off-the-land binaries and other uncommon techniques (such as abuse of the legitimate Windows debugger cdb.exe) enhances its stealth.

– **Exfiltration and Payload Delivery:**
– The malware can collect sensitive data, execute arbitrary commands, inject payloads, and communicate internally or externally through its diverse communication methods.
– Routing C2 traffic over Microsoft technologies (such as the Outlook API) abuses legitimate services so that the malicious traffic blends in and avoids detection.

– **Mitigation Recommendations:**
– Recommendations for cybersecurity professionals and defenders to adopt enhanced detection and prevention measures.
– Specific coverage details indicating how Palo Alto Networks’ products could mitigate such advanced threats, emphasizing proactive monitoring and configuration to counteract Squidoor’s techniques.

– **Indicators of Compromise:**
– Provides SHA256 hashes for both Squidoor Windows and Linux versions, associated web shells, and malicious domains/indicators linked with the threat actor’s infrastructure.

– **Call to Action:**
– Urges cybersecurity practitioners to study the threat intelligence to improve detection, prevention, and overall security posture against complex threats.

By sharing this detailed analysis, the article serves as a critical resource for cybersecurity professionals looking to bolster their defenses against sophisticated state-sponsored cyber threats.