SquirrelWaffle Malware Detection

November 03, 2021 · 3 min read

The throne is never vacant! Meet SquirrelWaffle, a new malicious loader in town striving to replace the infamous Emotet. Since the beginning of autumn 2021, SquirrelWaffle has been massively compromising hosts via spam campaigns to provide adversaries the ability to drop second-stage payloads, including such samples as Qakbot and Cobalt Strike.

Attack Kill Chain

SquirrelWaffle is a newcomer in the spam domain, first spotted in mid-September 2021. It has been increasingly pushed through malspam that relies on booby-trapped Microsoft Office documents.

According to the analysis of the SquirrelWaffle attack framework performed by Cisco Talos, adversaries relied on the email thread hijacking technique to masquerade spam as legitimate replies to existing email threads. This tactic mimics Emotet's approach to gaining credibility and suggests that SquirrelWaffle's maintainers are after Emotet's fame.

Notably, the majority of fake notifications are delivered in English; however, basic localization is performed, and the spam switches language on the fly to match the original email thread. So far, researchers have observed French, Dutch, German, and Polish being used in addition to the prevailing English-language messages.

The spam includes links redirecting unsuspecting victims to malicious ZIP archives hosted on servers under the attackers' control. The archives contain Word or Excel files that drop malware onto the victim's machine if opened. Notably, adversaries leverage the DocuSign signing service to mislead victims and persuade them to enable macros. Once SquirrelWaffle successfully lands on the user's machine, it drops second-stage malware such as Qakbot or the Cobalt Strike pentesting tool.

To cover its traces and avoid detection, SquirrelWaffle leverages an IP block list of addresses associated with major security firms. In addition, all communications between the new loader and its command-and-control (C&C) infrastructure are obfuscated with XOR and Base64 before being sent via HTTP POST requests. Finally, to succeed in the file distribution aspect of the campaigns, threat actors rely on previously compromised web servers, most of which run WordPress 5.8.1.
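The XOR-then-Base64 C&C encoding described above, modelled from the analyst's side as an added example that is not code from the original post or from any SquirrelWaffle sample: the key, the check-in field names and the captured POST body are all constructed here, since the post does not disclose them. Besides decoding with a known key, the block shows the single-byte brute-force triage step an analyst applies when the key is unknown.

```python
import base64
from itertools import cycle

# Constructed demo values; the actual SquirrelWaffle key and check-in format are not on the page.
DEMO_KEY = b"demo-key"
DEMO_CHECKIN = b"Host=WORKSTATION01&User=jdoe&OS=Windows 10"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_beacon(plaintext: bytes, key: bytes) -> str:
    """Model of the described scheme: XOR first, then Base64, as it would sit in a POST body."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_beacon(post_body: str, key: bytes) -> bytes:
    """Analyst-side inverse: Base64-decode the captured body, then XOR with the key."""
    return xor_bytes(base64.b64decode(post_body), key)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (tab/newline/CR count as printable)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def brute_force_single_byte(post_body: str, threshold: float = 0.95):
    """Unknown key: try every single-byte XOR key and keep those yielding mostly printable text.

    Returns (key, candidate_plaintext) pairs, best printable ratio first.
    """
    raw = base64.b64decode(post_body)
    hits = []
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        ratio = printable_ratio(candidate)
        if ratio >= threshold:
            hits.append((ratio, k, candidate))
    return [(k, c) for _, k, c in sorted(hits, reverse=True)]


if __name__ == "__main__":
    body = encode_beacon(DEMO_CHECKIN, DEMO_KEY)   # constructed "captured" POST body
    print(decode_beacon(body, DEMO_KEY))
    for k, cand in brute_force_single_byte(encode_beacon(DEMO_CHECKIN, b"\x5a")):
        print(hex(k), cand)
```

Mostly printable output is a triage heuristic, not proof of the key; confirm a candidate by checking that the recovered fields are consistent across several captured beacons.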

SquirrelWaffle Detection and Mitigation

As SquirrelWaffle keeps accelerating the scale and scope of its nefarious efforts, businesses worldwide should strengthen their defenses against the new threat. To detect possible attacks against your infrastructure, you can download a set of Sigma rules available in SOC Prime's Detection as Code platform.

SquirrelWaffle Loader Activity with CobaltStrike

SquirrelWaffle Malware Drops Cobalt Strike

SquirrelWaffle Behavioral Patterns (via cmdline)

SquirrelWaffle Compromises Victims via a Malspam Campaign

SquirrelWaffle Loader with Qakbot and CobaltStrike

New SquirrelWaffle Malware with Cobalt Strike (via proxy)

The full list of detection content addressing the SquirrelWaffle infections is available here. All the detection rules are mapped to the MITRE ATT&CK Framework, thoroughly curated, and verified.

Explore the world’s first Detection as Code platform for collaborative cyber defense, threat hunting and discovery to boost threat detection capabilities and defend against attacks easier, faster and more efficiently. Eager to craft your own Sigma and YARA rules to make the world a safer place? Join our Threat Bounty Program to get recurrent rewards for your valuable input!
