Squirrelwaffle, a new malware threat, has made its way into the open, giving supporting actors a footing and a mechanism to deliver malware onto compromised devices and networks.
According to researchers, the new virus spreads through spam campaigns, with the most recent efforts releasing Qakbot and Cobalt Strike.
Squirrelwaffle, discovered by Cisco Talos researchers, is one of the technologies that surfaced as an Emotet successor immediately after the widely used botnet was disrupted by law enforcement.
This new danger initially surfaced in September 2021, with high distribution quantities after the month. While the spam campaign predominantly leverages English-language stolen reply-chain email campaigns, the threat actors also use emails in French, Polish, Dutch, and German.
These emails usually contain links to malicious ZIP packages located on attacker-controlled web domains, as well as a malicious.doc or.xls attachment that, when viewed, executes malware-retrieving code.
The perpetrators employ the DocuSign signature tool as bait to lure recipients into activating macros in their MS Office suite on various papers tested and evaluated by Talos researchers.
For obfuscation, the code uses string reversal, writes a VBS script to %PROGRAMDATA%, and runs it.
This step downloads Squirrelwaffle from one of the five hardcoded URLs and installs it on the infected machine as a DLL file. The Squirrelwaffle loader subsequently installs malware like Qakbot or Cobalt Strike, a frequently used penetration testing tool.
Cobalt Strike is a legal penetration testing tool used to examine an organization’s infrastructure to find security flaws and vulnerabilities.
Threat actors (often observed using cracked versions of Cobalt Strike during ransomware attacks) employ Cobalt Strike’s cracked versions for post-exploitation chores after distributing beacons, which provide them permanent remote access to infected machines.
To avoid discovery and analysis, Squirrelwaffle includes an IP blocklist populated with well-known security research organizations. Squirrelwaffle communicates with the C2 infrastructure using HTTP POST requests that are encrypted (XOR+Base64).
The threat actors use previously compromised web servers to assist the file distribution part of their activities, with most sites running WordPress 5.8.1. The adversaries use “antibot” software on these systems to avoid white-hat discovery and analysis.
Other recognized actors have used several of the approaches discussed in the Cisco Talos study in the past. As a result, Squirrelwaffle might be a relaunch of Emotet by individuals who eluded law enforcement or other threat actors looking to fill the hole left by the infamous virus.
Cisco Talos encourages all companies and security experts to become aware of the TTPs employed in this malware’s campaigns due to its rising use.