Cobalt Strike was delivered by Squirrelwaffle malware

Squirrelwaffle, a newly discovered malware loader, is being used by attackers in the wild to gain an initial foothold and drop additional malware onto compromised systems and networks.

The malware spreads through spam campaigns; the most recent ones have delivered Qakbot and Cobalt Strike.

Cisco Talos researchers identified the Squirrelwaffle malware. It is one of the tools that emerged as an Emotet replacement shortly after that widely used botnet was disrupted by law enforcement.

The threat first surfaced in September 2021, with distribution volumes rising toward the end of the month. The spam campaign relies mainly on stolen reply-chain emails written in English, but the threat actors also use emails in French, German, Dutch, and Polish.

These emails usually contain links to malicious ZIP archives hosted on attacker-controlled web domains, or a malicious .doc or .xls attachment that, when opened, executes code that retrieves the malware.

According to Talos researchers, who sampled and examined multiple documents, the perpetrators utilise the DocuSign signature tool as bait to mislead users into enabling macros in their MS Office suite.

For obfuscation, the macro code uses string reversal; it then writes a VBS script to %PROGRAMDATA% and runs it.

That script downloads Squirrelwaffle from one of five hard-coded URLs and installs it on the infected machine as a DLL file.

The Squirrelwaffle loader then installs additional malware such as Qakbot or Cobalt Strike, a widely used penetration testing tool.

Cobalt Strike is a legitimate penetration testing tool used to assess an organization's infrastructure and find security flaws and vulnerabilities.

Threat actors, however, use cracked versions of Cobalt Strike for post-exploitation operations, deploying beacons that give them persistent remote access to infected devices.

To evade detection and analysis, Squirrelwaffle includes an IP blocklist populated with the addresses of well-known security research firms.

Squirrelwaffle communicates with its C2 infrastructure over HTTP POST requests whose bodies are not sent in the clear but are XOR-encoded and then Base64-encoded.
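As an added illustration of the C2 encoding just described (example code written for this page, not code from the original article or from Talos's analysis): a small decoder for XOR-then-Base64 POST bodies. The key, its length and the sample beacon content are constructed, since the article gives none of them; the known-plaintext helper recovers key bytes wherever part of a captured body's plaintext can be predicted.

```python
import base64
from itertools import cycle

# Constructed key for this example; the article gives neither the real key nor its length.
EXAMPLE_KEY = b"examplekey"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def encode_beacon(plaintext: bytes, key: bytes = EXAMPLE_KEY) -> str:
    """Build a POST body in the order the article describes: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")

def decode_beacon(body: str, key: bytes = EXAMPLE_KEY) -> bytes:
    """Peel both layers off a captured POST body; strict Base64 so a garbled capture fails loudly."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("POST body is not valid Base64") from exc
    return xor_bytes(raw, key)

def recover_key(body: str, known_prefix: bytes) -> bytes:
    """Known-plaintext key recovery: ciphertext XOR plaintext yields the key stream.
    Returns one key byte per known plaintext byte; with a repeating key, a known
    prefix at least as long as the key reveals the whole key."""
    raw = base64.b64decode(body, validate=True)
    if len(known_prefix) > len(raw):
        raise ValueError("known prefix is longer than the captured body")
    return bytes(c ^ p for c, p in zip(raw, known_prefix))

# Constructed sample beacon content, not a real capture from this malware.
SAMPLE_PLAINTEXT = b"id=1234&host=WIN-DESKTOP&user=analyst&ver=1"

if __name__ == "__main__":
    body = encode_beacon(SAMPLE_PLAINTEXT)
    print("captured body  :", body)
    print("decoded        :", decode_beacon(body))
    print("key from prefix:", recover_key(body, SAMPLE_PLAINTEXT[:len(EXAMPLE_KEY)]))
```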

To host the files used in their campaigns, the threat actors rely on previously compromised web servers, most of which run WordPress 5.8.1.

Squirrelwaffle could be a reincarnation of Emotet, created either by operators who evaded law enforcement or by other threat actors looking to fill the gap left by the notorious malware.

Cisco Talos urges all companies and security professionals to familiarise themselves with the tactics used in this malware's campaigns as its use increases.