Squidoor: Unmasking a Sophisticated Multi-Platform Backdoor in APT Operations

Speaker:
Lior Rochberger, Senior Threat Researcher, Palo Alto Networks
Tom Fakterman, Senior Threat Researcher, Palo Alto Networks

This talk will delve into a highly sophisticated Chinese APT campaign, tracked as CL-STA-0049, that has been targeting governments, defense, telecommunication, education and aviation sectors in Southeast Asia and South America since at least March 2023. Drawing on our extensive threat hunting methodologies and in-depth analysis, attendees will gain a comprehensive understanding of this complex, multi-stage attack chain and its advanced evasion techniques designed to bypass traditional security measures.

The session will explore the complex and modular 'Squidoor' backdoor, a prime example of evolving state-sponsored tactics. We'll provide a detailed analysis of Squidoor's architecture, features, and capabilities, showcasing both its Windows and Linux versions. Participants will learn about its unprecedented array of 10 different C2 communication methods, including rarely seen techniques such as abusing Outlook for C2 communication, DNS tunneling, and ICMP tunneling.

We'll unveil our advanced threat hunting methodologies that led to the detection of this elusive campaign, offering insights into cutting-edge detection strategies. The presentation will equip security professionals with actionable knowledge on identifying and defending against such sophisticated threats, providing the latest intelligence on Chinese APT operations.

By the end of this talk, attendees will have gained valuable insights into advanced persistent threats, state-sponsored tactics, and innovative backdoor mechanisms. They will be better prepared to enhance their organization's threat detection and response capabilities, armed with strategies to defend against similar threats in their environments.

For more information about Infosec In the City, SINCON https://www.infosec-city.com/