Security Alert: Malicious Trojan Horse SquidLoader Exposed

TapTechNews, June 25 news: the security company LevelBlue, formerly AT&T Cybersecurity under the US carrier AT&T, recently published a report exposing a Trojan horse named SquidLoader that mainly targets Simplified Chinese users. The attackers disguise the Trojan as various product introduction documents to lure unsuspecting victims.

According to the report, the attackers prepared a series of phishing lures with names such as "Product Introduction and Customer Success Cases of Huawei Industrial Grade Router" and "Brief Introduction of Yellow River Conservancy Technical Institute". These are not documents at all but executable files disguised as documents; the names are chosen purely to persuade victims to open them. Once a victim opens one, the executable sends an HTTPS GET request to a URL on an attacker-controlled server, downloads the SquidLoader Trojan, and deploys it automatically.

The Trojan is notable for its strong resistance to detection. To pass as a normal system process, it is signed with an expired but otherwise genuine code-signing certificate. Large amounts of code from applications such as WeChat and mingw-gcc, which is never actually executed, are padded into the file to throw off security vendors' scanners. Some of its functions also contain call or jmp instructions whose targets lie inside other functions, which causes the vendors' disassemblers and decompilers to mis-parse the code.

The attackers further insert junk instructions into the code to mislead researchers, and they store specific strings XOR-encrypted, decrypting them on the stack at run time so that the plaintext never appears in the file. The functions that handle the shellcode are additionally put through control-flow graph (CFG) obfuscation: each function's CFG is flattened into an infinite loop around a large switch statement, with a state variable deciding which block runs next, which makes the real logic even harder for security vendors to recover.
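The two obfuscation techniques named in this paragraph are easier to recognise in an analysis tool once you have seen what they look like in source form. The following C program is an added illustration written for this page; it is not code from the LevelBlue report or from SquidLoader. It shows a stack string (an XOR-encrypted byte array built on the stack and decrypted at run time) next to a small parser written first in its natural form and then flattened into the infinite-loop-plus-switch shape the report describes. The placeholder hostname "example.invalid", the key 0x5A, the "MZ" header check and the state constants are all made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Stack string --------------------------------------------------------
 * The ciphertext is a stack initializer and the key is read through a volatile
 * so the compiler cannot constant-fold the XOR and put the plaintext back into
 * .rdata, where a string scanner would find it.
 * Constructed sample: "example.invalid" XOR 0x5A (a placeholder hostname). */
static size_t decode_stack_string(char *out, size_t outlen)
{
    uint8_t enc[] = { 0x3F, 0x22, 0x3B, 0x37, 0x2A, 0x36, 0x3F, 0x74,
                      0x33, 0x34, 0x2C, 0x3B, 0x36, 0x33, 0x3E };
    volatile uint8_t key = 0x5A;
    size_t n = sizeof enc;

    if (outlen < n + 1)
        return 0;
    for (size_t k = 0; k < n; k++)
        out[k] = (char)(enc[k] ^ key);
    out[n] = '\0';
    return n;
}

/* Decodes the stack string and compares it with `expected`; 1 on match. */
static int stack_string_matches(const char *expected)
{
    char buf[64];
    return decode_stack_string(buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}

/* --- Control-flow flattening ---------------------------------------------
 * A toy "payload header" parser: length check, magic check, checksum loop.
 * Returns an 8-bit checksum or a negative error code. */
static int parse_plain(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return -1;
    if (buf[0] != 'M' || buf[1] != 'Z')
        return -2;
    int sum = 0;
    for (size_t i = 2; i < len; i++)
        sum += buf[i];
    return sum & 0xFF;
}

/* The same function flattened: every basic block is one case of a switch inside
 * an infinite loop, and each original branch becomes a write to `state`. The
 * state constants are arbitrary values chosen for this example; an obfuscator
 * picks random ones so the case order says nothing about execution order. */
static int parse_flattened(const uint8_t *buf, size_t len)
{
    uint32_t state = 0x8C1A3F2E;
    size_t i = 0;
    int sum = 0, ret = 0;

    for (;;) {
        switch (state) {
        case 0x8C1A3F2E: /* entry: length check */
            state = (len < 4) ? 0x11D5A07B : 0x5E93C4F1; break;
        case 0x11D5A07B: /* too short */
            ret = -1; state = 0xDEAD0001; break;
        case 0x5E93C4F1: /* magic check */
            state = (buf[0] != 'M' || buf[1] != 'Z') ? 0x7A2B9E03 : 0x3C60D1A8; break;
        case 0x7A2B9E03: /* bad magic */
            ret = -2; state = 0xDEAD0001; break;
        case 0x3C60D1A8: /* loop init */
            i = 2; sum = 0; state = 0xF48E2B17; break;
        case 0xF48E2B17: /* loop condition */
            state = (i < len) ? 0x0B7C5D92 : 0xA3E1F06C; break;
        case 0x0B7C5D92: /* loop body */
            sum += buf[i]; i++; state = 0xF48E2B17; break;
        case 0xA3E1F06C: /* loop exit */
            ret = sum & 0xFF; state = 0xDEAD0001; break;
        case 0xDEAD0001: /* single exit block */
            return ret;
        default:         /* unreachable; stops the loop spinning on a corrupt state */
            return -3;
        }
    }
}

/* Cross-checks the flattened parser against the plain one on all three paths
 * (valid input, bad magic, short input). Returns 1 if every result agrees. */
static int flattening_preserves_semantics(void)
{
    static const uint8_t ok[]   = { 'M', 'Z', 0x10, 0x20, 0x30 }; /* checksum 0x60 */
    static const uint8_t bad[]  = { 'P', 'K', 0x03, 0x04, 0x00 }; /* -2 */
    static const uint8_t tiny[] = { 'M', 'Z' };                   /* -1 */
    return parse_plain(ok, sizeof ok) == 0x60   && parse_flattened(ok, sizeof ok) == 0x60
        && parse_plain(bad, sizeof bad) == -2   && parse_flattened(bad, sizeof bad) == -2
        && parse_plain(tiny, sizeof tiny) == -1 && parse_flattened(tiny, sizeof tiny) == -1;
}

int main(void)
{
    char host[64];
    decode_stack_string(host, sizeof host);
    printf("stack string: %s, flattening consistent: %d\n",
           host, flattening_preserves_semantics());
    return 0;
}
```

When you meet the flattened shape in a disassembler, the giveaway is a single dispatcher block that every other block jumps back to, with a comparison against a large constant at the top of each iteration; the state constants, not the case order, define the real control flow. Note that the `volatile` on the key is what keeps the stack string from being folded away at -O2; without it the compiler may emit the plaintext and defeat the point of the technique.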

Accordingly, LevelBlue advises users to be cautious when downloading any document file, to avoid leaking sensitive data from their devices. It also warns that, because these attack techniques are easy to reproduce, they are very likely to be copied by other malware developers in the future.
