Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

    Date: 02/28/2025

    Severity: Medium

    Summary

    "Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations" covers a sophisticated backdoor, Squidoor (also known as FinalDraft), that targets Windows and Linux systems. Attributed to a suspected Chinese threat actor, it collects sensitive information and communicates covertly over channels such as the Outlook API, DNS tunneling, and ICMP tunneling. The article highlights a new Windows variant and provides insight into its command-and-control (C2) communication, to help security teams detect and mitigate the threat.

    Indicators of Compromise (IOC) List

    URLs/Domains

    Support.vmphere.com

    Update.hobiter.com

    microsoft-beta.com

    zimbra-beta.info

    microsoftapimap.com

    IP Addresses

    209.141.40.254

    104.244.72.123

    47.76.224.93

    SHA-256 Hashes

    f663149d618be90e5596b28103d38e963c44a69a5de4a1be62547259ca9ffd2d
    
    83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c
    
    8187240dafbc62f2affd70da94295035c4179c8e3831cb96bdd9bd322e22d029
    
    fa2a6dbc83fe55df848dfcaaf3163f8aaefe0c9727b3ead1da6b9fa78b598f2b
    
    3fcfc4cb94d133563b17efe03f013e645fa2f878576282805ff5e58b907d2381
    
    f45661ea4959a944ca2917454d1314546cc0c88537479e00550eef05bed5b1b9
    
    9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096
    
    461f5969b8f2196c630f0868c2ac717b11b1c51bc5b44b87f5aad19e001869cc
    
    224becf3f19a3f69ca692d83a6fabfd2d78bab10f4480ff6da9716328e8fc727
    
    6c1d918b33b1e6dab948064a59e61161e55fccee383e523223213aa2c20c609c
    
    81bd2a8d68509dd293a31ddd6d31262247a9bde362c98cf71f86ae702ba90db4
    
    7c6d29cb1f3f3e956905016f0171c2450cca8f70546eee56cface7ba31d78970
    
    c8a5388e7ff682d3c16ab39e578e6c529f5e23a183cd5cbf094014e0225e2e0a
    
    1dd423ff0106b15fd100dbc24c3ae9f9860a1fcdb6a871a1e27576f6681a0850
    
    82e68dc50652ab6c7734ee913761d04b37429fca90b7be0711cd33391febff0a
    
    e8d6fb67b3fd2a8aa608976bcb93601262d7a95d37f6bae7c0a45b02b3b325ad
    
    2b6080641239604c625d41857167fea14b6ce47f6d288dc7eb5e88ae848aa57f
    
    33689ac745d204a2e5de76bc976c904622508beda9c79f9d64c460ebe934c192
    
    5dd361bcc9bd33af26ff28d321ad0f57457e15b4fab6f124f779a01df0ed02d0
    
    945313edd0703c966421211078911c4832a0d898f0774f049026fc8c9e7d1865
    
    a7d76e0f7eab56618f4671b5462f5c210f3ca813ff266f585bb6a58a85374156
    
    265ceb5184cac76477f5bc2a2bf74c39041c29b33a8eb8bd1ab22d92d6bebaf5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "Support.vmphere.com" or url like "Support.vmphere.com" or userdomainname like "microsoftapimap.com" or url like "microsoftapimap.com" or userdomainname like "zimbra-beta.info" or url like "zimbra-beta.info" or userdomainname like "Update.hobiter.com" or url like "Update.hobiter.com" or userdomainname like "microsoft-beta.com" or url like "microsoft-beta.com"

    Detection Query 2

    dstipaddress IN ("104.244.72.123","209.141.40.254","47.76.224.93") or ipaddress IN ("104.244.72.123","209.141.40.254","47.76.224.93") or publicipaddress IN ("104.244.72.123","209.141.40.254","47.76.224.93") or srcipaddress IN ("104.244.72.123","209.141.40.254","47.76.224.93")

    Detection Query 3

    sha256hash IN ("81bd2a8d68509dd293a31ddd6d31262247a9bde362c98cf71f86ae702ba90db4","2b6080641239604c625d41857167fea14b6ce47f6d288dc7eb5e88ae848aa57f","224becf3f19a3f69ca692d83a6fabfd2d78bab10f4480ff6da9716328e8fc727","83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c","3fcfc4cb94d133563b17efe03f013e645fa2f878576282805ff5e58b907d2381","e8d6fb67b3fd2a8aa608976bcb93601262d7a95d37f6bae7c0a45b02b3b325ad","33689ac745d204a2e5de76bc976c904622508beda9c79f9d64c460ebe934c192","a7d76e0f7eab56618f4671b5462f5c210f3ca813ff266f585bb6a58a85374156","265ceb5184cac76477f5bc2a2bf74c39041c29b33a8eb8bd1ab22d92d6bebaf5","fa2a6dbc83fe55df848dfcaaf3163f8aaefe0c9727b3ead1da6b9fa78b598f2b","8187240dafbc62f2affd70da94295035c4179c8e3831cb96bdd9bd322e22d029","82e68dc50652ab6c7734ee913761d04b37429fca90b7be0711cd33391febff0a","6c1d918b33b1e6dab948064a59e61161e55fccee383e523223213aa2c20c609c","7c6d29cb1f3f3e956905016f0171c2450cca8f70546eee56cface7ba31d78970","f45661ea4959a944ca2917454d1314546cc0c88537479e00550eef05bed5b1b9","945313edd0703c966421211078911c4832a0d898f0774f049026fc8c9e7d1865","f663149d618be90e5596b28103d38e963c44a69a5de4a1be62547259ca9ffd2d","9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096","461f5969b8f2196c630f0868c2ac717b11b1c51bc5b44b87f5aad19e001869cc","c8a5388e7ff682d3c16ab39e578e6c529f5e23a183cd5cbf094014e0225e2e0a","1dd423ff0106b15fd100dbc24c3ae9f9860a1fcdb6a871a1e27576f6681a0850","5dd361bcc9bd33af26ff28d321ad0f57457e15b4fab6f124f779a01df0ed02d0")
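    As an added example, not part of the original advisory and not Gurucul's own query engine, the Python script below applies the same three rules to a handful of log records: substring matching on the two domain fields (mirroring `like` in Detection Query 1), exact matching on the four address fields (Detection Query 2), and exact matching on sha256hash (Detection Query 3). The field names are those used in the queries; the indicators are copied from the IOC list above; the log records and their "id" field are constructed for illustration. Lower-casing hostnames and hashes before comparison is an assumption about the upstream data, not something the queries state.

```python
"""Apply the three Squidoor detection rules above to log records.

Added example, not code from the advisory or from Gurucul. Field names follow
the detection queries; every log record below is constructed for illustration.
"""

# Indicators copied from the IOC list above, lower-cased for matching.
IOC_DOMAINS = {
    "support.vmphere.com",
    "update.hobiter.com",
    "microsoft-beta.com",
    "zimbra-beta.info",
    "microsoftapimap.com",
}
IOC_IPS = {"209.141.40.254", "104.244.72.123", "47.76.224.93"}
IOC_SHA256 = {
    "f663149d618be90e5596b28103d38e963c44a69a5de4a1be62547259ca9ffd2d",
    "83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c",
    "8187240dafbc62f2affd70da94295035c4179c8e3831cb96bdd9bd322e22d029",
    "fa2a6dbc83fe55df848dfcaaf3163f8aaefe0c9727b3ead1da6b9fa78b598f2b",
    "3fcfc4cb94d133563b17efe03f013e645fa2f878576282805ff5e58b907d2381",
    "f45661ea4959a944ca2917454d1314546cc0c88537479e00550eef05bed5b1b9",
    "9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096",
    "461f5969b8f2196c630f0868c2ac717b11b1c51bc5b44b87f5aad19e001869cc",
    "224becf3f19a3f69ca692d83a6fabfd2d78bab10f4480ff6da9716328e8fc727",
    "6c1d918b33b1e6dab948064a59e61161e55fccee383e523223213aa2c20c609c",
    "81bd2a8d68509dd293a31ddd6d31262247a9bde362c98cf71f86ae702ba90db4",
    "7c6d29cb1f3f3e956905016f0171c2450cca8f70546eee56cface7ba31d78970",
    "c8a5388e7ff682d3c16ab39e578e6c529f5e23a183cd5cbf094014e0225e2e0a",
    "1dd423ff0106b15fd100dbc24c3ae9f9860a1fcdb6a871a1e27576f6681a0850",
    "82e68dc50652ab6c7734ee913761d04b37429fca90b7be0711cd33391febff0a",
    "e8d6fb67b3fd2a8aa608976bcb93601262d7a95d37f6bae7c0a45b02b3b325ad",
    "2b6080641239604c625d41857167fea14b6ce47f6d288dc7eb5e88ae848aa57f",
    "33689ac745d204a2e5de76bc976c904622508beda9c79f9d64c460ebe934c192",
    "5dd361bcc9bd33af26ff28d321ad0f57457e15b4fab6f124f779a01df0ed02d0",
    "945313edd0703c966421211078911c4832a0d898f0774f049026fc8c9e7d1865",
    "a7d76e0f7eab56618f4671b5462f5c210f3ca813ff266f585bb6a58a85374156",
    "265ceb5184cac76477f5bc2a2bf74c39041c29b33a8eb8bd1ab22d92d6bebaf5",
}

# Fields inspected by Detection Query 1, 2 and 3 respectively.
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def match_record(record):
    """Return a list of (ioc_type, field, indicator) hits for one record."""
    hits = []
    # Query 1: `like` semantics, i.e. the indicator appears anywhere in the
    # value, so subdomains and full URLs containing the host also match.
    for field in DOMAIN_FIELDS:
        value = str(record.get(field, "")).lower()
        for domain in sorted(IOC_DOMAINS):
            if domain in value:
                hits.append(("domain", field, domain))
    # Query 2: exact IP equality on any of the four address fields.
    for field in IP_FIELDS:
        value = record.get(field)
        if value in IOC_IPS:
            hits.append(("ip", field, value))
    # Query 3: exact SHA-256 equality; the hash is case-folded first because
    # some sources emit hex digests in upper case (assumption about the data).
    for field in HASH_FIELDS:
        value = str(record.get(field, "")).lower()
        if value in IOC_SHA256:
            hits.append(("sha256", field, value))
    return hits


def scan(records):
    """Return [(record_id, hits)] for every record with at least one hit."""
    results = []
    for record in records:
        hits = match_record(record)
        if hits:
            results.append((record["id"], hits))
    return results


# Constructed sample records; the "id" field is ours, not a Gurucul field.
SAMPLE_RECORDS = [
    {"id": 1, "userdomainname": "corp.example.internal",
     "url": "https://Update.hobiter.com/check", "dstipaddress": "203.0.113.10"},
    {"id": 2, "srcipaddress": "10.0.0.5", "dstipaddress": "47.76.224.93"},
    {"id": 3, "sha256hash": "F663149D618BE90E5596B28103D38E963C44A69A5DE4A1BE62547259CA9FFD2D"},
    {"id": 4, "url": "https://www.example.com/", "dstipaddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_RECORDS):
        for ioc_type, field, indicator in hits:
            print(f"record {record_id}: {ioc_type} match on {field} = {indicator}")
```

    Records 1, 2 and 3 each produce one hit and record 4 none. Two of the listed domains appear in mixed case in the IOC list, so confirm whether your platform's `like` is case-insensitive before relying on the queries as written; the script folds case itself so that "Update.hobiter.com" and "update.hobiter.com" are treated alike.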

    Reference:

    https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/


    Tags

    Malware, Backdoor, Squidoor, China, Threat Actors
