New Stealthy Backdoor “Squidoor” Linked to Chinese Threat Actor

Summary: A newly identified stealthy backdoor called Squidoor targets high-profile organizations in Southeast Asia and South America, linked to a suspected Chinese threat actor. The malware is highly modular, designed for both Windows and Linux, and uses advanced methods, including Outlook API tunneling, to maintain persistent access and exfiltrate sensitive information. Attackers exploit IIS server vulnerabilities to deploy web shells and employ covert communication techniques to carry out their operations undetected.

Affected: High-profile organizations, including government, defense, telecommunication, education, and aviation sectors

Key points:

  • Squidoor has been actively used since March 2023 and is linked to suspected Chinese threat actor CL-STA-0049.
  • The malware exploits IIS server vulnerabilities to deploy web shells for remote command execution.
  • Squidoor employs multiple covert communication methods, including Outlook API tunneling, to avoid detection.
  • The use of a rarely observed living-off-the-land technique involving the Microsoft Console Debugger (cdb.exe) enhances its stealth.
  • Attackers leverage draft emails to send encoded commands without raising suspicion in outbound network traffic.

Source: https://securityonline.info/new-stealthy-backdoor-squidoor-linked-to-chinese-threat-actor/