A new malware loader is being used by attackers to gain an initial foothold into targeted networks and drop malware.

About the Squirrelwaffle campaign

According to Cisco Talos, Squirrelwaffle was first spotted in September, with an increase in distribution around the end of the month.
  • The spam campaign uses stolen reply-chain email campaigns mostly written in English but there were attempts in German, Dutch, Polish, and French as well.
  • They use the DocuSign signing platform as a lure to fool targeted users into enabling macros on their MS Office suite.
  • Hackers use previously compromised web servers to support the file distribution action, where most of the sites are running the WordPress 5.8.1 version.
  • Post-infection, Squirrelwaffle deploys malware such as Qakbot or Cobalt Strike.

As it appears, Squirrelwaffle developers have put ample effort into ensuring that the malware remains hidden and is not easy to analyze.

Anti-detection and obfuscation

Squirrelwaffle uses an IP block list consisting of a number of known security research firms to avoid detection and analysis. Moreover, all communications between Squirrelwaffle and its C2 communications are encrypted and sent using HTTP POST requests.
  • On these servers, the attacker has used antibot scripts that further stop white-hat detection and analysis.
  • Further, a malicious code after enabling macros uses string reversal for obfuscation, writes a VBS script, and executes it. 
  • It delivers Squirrelwaffle from one of the five hardcoded URLs in the form of a DLL file.

Closing thoughts

Squirrelwaffle may be a new malware in town but has the potential to become a menace in the upcoming days. Therefore, organizations and their security teams are suggested to jot down the TTPs. It may help them identify the threat at an initial stage before it can damage their computer networks or systems.

Cyware Publisher