Spammers Armed with New Squirrelwaffle Dropper to Download Cobalt Strike

The malware first appeared in September 2021, and its spread peaked at the end of the month.


Cisco Talos has discovered a new malware called Squirrelwaffle that gives attackers an initial foothold on a compromised system and the ability to download additional malware onto it.

Squirrelwaffle is distributed in spam campaigns to infect computers with Qakbot and Cobalt Strike, and is one of the tools that emerged after the Emotet botnet was taken down by law enforcement.

During the attack, the victim receives an email in English, French, Dutch or Polish. The email contains a hyperlink to a malicious ZIP archive hosted on an attacker-controlled web server, as well as a malicious attachment (a .doc or .xls file) that runs malicious code when opened.

In several of the malicious documents examined by the researchers, the attackers used the DocuSign e-signature service as a lure to get recipients to enable macros in MS Office. The macro code was obfuscated with reversed strings. It wrote a VBS script to %PROGRAMDATA% and executed it.

Next, the Squirrelwaffle loader was retrieved from one of five hardcoded URLs and delivered to the compromised system as a DLL file. Squirrelwaffle then downloaded malware such as Qakbot or the penetration-testing tool Cobalt Strike.
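The infection chain in the two paragraphs above (Office macro writes a VBS script to %PROGRAMDATA% and runs it; the script fetches a DLL loader) can be turned into a simple detection over process-creation telemetry. The following is an added example, not code from the article or from Cisco Talos; the log lines, file names, the use of wscript/cscript as the VBS host and of rundll32/regsvr32 as the DLL launcher are all assumptions, since the article names none of them.

```python
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe"}      # .doc / .xls lures named in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumption: how the dropped VBS is run
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}  # assumption: how the dropped DLL is run

# Constructed Sysmon-style process-creation events (key="value" pairs).
# Illustrative only; file names and paths are invented, not campaign IoCs.
SAMPLE_EVENTS = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\wscript.exe" '
    'CommandLine="wscript.exe C:\\ProgramData\\invoice.vbs"',
    'ParentImage="C:\\Windows\\System32\\wscript.exe" '
    'Image="C:\\Windows\\System32\\rundll32.exe" '
    'CommandLine="rundll32.exe C:\\ProgramData\\loader.dll,ldr"',
    'ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'CommandLine="EXCEL.EXE C:\\Users\\alice\\report.xls"',
]

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" event line into a dict."""
    return dict(_KV.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> str:
    """Return the matching rule name for one event, or '' if it is benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    in_programdata = "\\programdata\\" in cmd
    # Stage 1: Office app spawns a script host running a .vbs from %PROGRAMDATA%
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS and in_programdata and ".vbs" in cmd:
        return "office_macro_vbs_programdata"
    # Stage 2: that script host launches a DLL dropped into %PROGRAMDATA%
    if parent in SCRIPT_HOSTS and child in DLL_LOADERS and in_programdata and ".dll" in cmd:
        return "script_loads_dll_programdata"
    return ""


def detect(lines: List[str]) -> List[str]:
    """Return the rule names triggered by a batch of event lines, in order."""
    return [r for r in (classify(parse_event(l)) for l in lines) if r]
```

Running `detect(SAMPLE_EVENTS)` flags the first two constructed events and leaves the ordinary Excel launch alone.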

Cobalt Strike is a legitimate tool for security testing of enterprise IT infrastructure. However, cracked versions of it are very popular among cybercriminals (ransomware operators in particular).

Squirrelwaffle also carries a blacklist of IP addresses it will not attack. The list covers well-known information security companies, which the malware avoids in order to escape detection and subsequent analysis.

Squirrelwaffle's communication with its C&C infrastructure is obfuscated with XOR and Base64 and carried over HTTP POST requests.

The campaign distributes the malicious files from previously compromised web servers, most of which run WordPress 5.8.1. The attackers deploy anti-bot scripts on these servers to hinder detection and analysis by security researchers.