# Full Report
We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth. The post Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations appeared first on Unit 42.
# Analysis Summary
# Threat Actor: CL-STA-0049 (Associated with Squidoor Backdoor)
## Attribution & Identity
Attribution is assessed with moderate-high confidence to a **suspected Chinese threat actor**. No formal threat group name or aliases are given beyond the cluster ID (CL-STA-0049) and its association with the malware named Squidoor.
## Activity Summary
The activity cluster, identified as CL-STA-0049, has been active since at least **March 2023**. Its primary activities are **collecting sensitive information** from compromised organizations and gathering intelligence on **high-ranking officials and individuals** within those organizations. The observed entry vector is **web shells**.
## Tactics, Techniques & Procedures
- **Entry Vector:** Web shells.
- **Malware Used:** Squidoor (aka FinalDraft) backdoor (targets Windows and Linux).
- **Stealth Capabilities:** Advanced backdoor designed for stealth with multiple modules.
- **C2 Communication Protocols:** Utilizes a rarely seen set of protocols for C2 communication, including:
  - Outlook API
  - Domain Name System (DNS) tunneling
  - Internet Control Message Protocol (ICMP) tunneling
## Targeting
- **Sectors:** Governments, defense, telecommunication, education, and aviation sectors.
- **Geography:** Southeast Asia and South America.
- **Victims:** Organizations within the specified high-risk sectors in the targeted regions. (No specific organization names provided).
## Tools & Infrastructure
- **Malware Families Used:** Squidoor (FinalDraft).
- **Infrastructure (C2):** C2 communication relies on Outlook API, DNS tunneling, and ICMP tunneling. (Specific C2 domains/IPs were not detailed in the provided text).
## Implications
This threat actor poses a significant risk due to its focus on high-value, strategic sectors (government, defense, critical infrastructure) across targeted geographies in Asia and South America. The use of the advanced, stealthy Squidoor backdoor, especially one capable of leveraging legitimate protocols like the Outlook API and DNS/ICMP tunneling for C2, suggests a sophisticated and persistent espionage operation aiming for long-term data exfiltration.
## Mitigations
Defense recommendations are centered around detecting and preventing the TTPs associated with Squidoor:
- Implement detection strategies targeting anomalous C2 communications utilizing Outlook API, DNS tunneling, and ICMP tunneling.
- Enhance visibility against web shell-based initial access vectors.
- Utilize services like Cortex XDR/XSIAM, Advanced WildFire, Advanced URL Filtering, and Advanced Threat Prevention for layered defense.
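As an added illustration of the first recommendation (this is example code written for this summary, not code from the Unit 42 report or from Squidoor), the heuristic below scores DNS query logs for tunneling-style traffic: many unique, long, high-entropy subdomains under one base domain. The log format, domain names and thresholds are constructed assumptions; tune them against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, "timestamp client qtype qname" per line (not real data).
SAMPLE_LOG = """\
2025-01-01T10:00:01 10.0.0.5 A www.example.com
2025-01-01T10:00:02 10.0.0.5 A mail.example.com
2025-01-01T10:00:03 10.0.0.5 AAAA www.example.com
2025-01-01T10:00:04 10.0.0.7 TXT 4a7f3c9e2b1d8e6f0a3c5d7e9f1b2c4d.cdn-sync.invalid
2025-01-01T10:00:05 10.0.0.7 TXT 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.cdn-sync.invalid
2025-01-01T10:00:06 10.0.0.7 TXT 1f2e3d4c5b6a79880716253443526170.cdn-sync.invalid
2025-01-01T10:00:07 10.0.0.7 TXT c0ffee0ddba11b0b5e1fd00d12345678.cdn-sync.invalid
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def domain_stats(log_text: str) -> dict:
    """Group queries by their last two labels and summarise the subdomain part of each name."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "lengths": [], "entropies": [], "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the scan
        _, _, qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain to measure
        st = per_domain[".".join(labels[-2:])]
        sub = ".".join(labels[:-2])
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["lengths"].append(len(sub))
        st["entropies"].append(shannon_entropy(sub.replace(".", "")))
        if qtype in ("TXT", "NULL", "CNAME"):  # record types commonly abused to carry data
            st["txt"] += 1
    return per_domain

def flag_tunneling(log_text: str, min_unique=3, min_len=20.0, min_entropy=3.0) -> list:
    """Return base domains whose subdomains look like encoded payloads rather than hostnames."""
    flagged = []
    for base, st in domain_stats(log_text).items():
        mean_len = sum(st["lengths"]) / len(st["lengths"])
        mean_ent = sum(st["entropies"]) / len(st["entropies"])
        if len(st["subdomains"]) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append(base)
    return sorted(flagged)
```

Hits from this heuristic are triage leads, not verdicts: CDNs and anti-spam lookups also produce long hashed labels, so allowlist known services and confirm with query volume per client.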