Squirrelwaffle spamming campaign: drops Cobalt Strike and Qakbot

Malicious spammers found using the new malware named SquirrelWaffle that can follow in the steps of Emotet

SquirrelWaffle malware email campaigns drop other trojans and penetration tools

The new threat can be the new major threat since the frequency of spam campaigns increased. Malware loader spams users using the malicious Microsft Office documents and delivers Qakbot malware and the penetration-testing tool Cobalt Strike.^[1] Cisco Talos researchers reported^[2] the malspam campaigns that started in the middle of September, stating that this threat can be the next big thing:

Recently, a new threat, referred to as “SQUIRRELWAFFLE” is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and could become the next big player in the spam space.

The particular malspam tool emerged as the replacement for a well-known Emotet trojan when the widely used botnet was stopped by law enforcement. researchers note that campaigns used similar characteristics to the Emotet and other more established threats.^[3] These recent campaigns used stolen reply-chain email campaigns and focused on English emails. But emails in French, German, Dutch, and Polish got detected.

Emails with hyperlinks and malicious ZIP archives used

SquirrelWaffle malspam campaigns used stolen email threads to come as the reply in such email chains. It is common to have these pieces to be distributed via emails or text messages. Email messages then contain hyperlinks to malicious ZIP archives that are hosted on the web servers controlled by the criminals. Also, file attachments on such emails mainly come in .doc or .xls form of document. Once such document gets opened, the malware code is launched and the payload can get retrieved on the targeted system.^[4]

When samples were analyzed, Talos research team found one o the piece using the DocuSign platform for signing documents. This is the technique used to trick people into allowing the macros on the Microsoft Office document. Once the macro is enabled and the code gets launched, the payload of other threats can be executed.

SquirrelWaffle can be retrieved from hardcoded URLs and drop the virus as a DLL on the system without causing any other symptoms. The DLL also features the IP blocklist in the configuration, so the automated analysis platforms and security researcher detection can be evaded. This loader once launched can spread other malware, in this case, Qakbot and Cobalt Strike penetration tool.

Cobalt Strike widely used by malicious actors

Cobalt Strike penetration testing tool is a legitimate application that is abused by malicious actors.^[5] The application is designed as the attack framework that can be used to test the infrastructure of organizations to discover security flaws and vulnerabilities.

Cracked versions of the tool get widely abused by the attackers and get mainly used in ransomware attacks. This tool gets used after the initial exploitation because after beacon deployment it can provide attackers with persistent remote access to affected networks.

The SquirrelWaffle is the newly found threat in the malware landscape, but researchers think that it can be as major as Emotet.^[6] Organizations should be aware of the particular features and characteristics the threat has since those businesses and companies can get targeted in such malspam campaigns.

The infection is used as a vector to deliver bots, trojans, other threats that eventually create damage and can be used to target various organizations across the world. The similarities to other more advanced threats show that SquirrelWaffle malware is the thing that can be mentioned in the future. Comprehensive defenses, security controls, and prevention measures should be implemented.