An all-new malware threat called Squirrelwaffle has surfaced. It is now supplying threat actors with a staging ground on company systems and an avenue for dropping malware onto compromised networks.

In the most recently identified campaigns, the malware has spread through insidious spam campaigns, dropping the banking Trojan Qbot and Cobalt Strike.

Malicious software uncovered

Squirrelwaffle malware was identified by cybersecurity researchers from Cisco Talos. The cybercriminal tool was among the many malicious options that arrived to fill the void created by the Emotet botnet being disrupted by law enforcement agencies.

The new malware was first identified in September this year, with distribution volumes reaching their peak before the start of October. The spam campaign mainly employs stolen reply-chain-type email campaigns using English language, however, emails using French, Polish, German and Dutch have also been observed.

These messages contain hyperlinks that lead to malicious ZIP archives that are hosted on web servers under hacker control and typically involve a malicious .xls or .doc attachment. When the document is opened by an unwitting user, it starts to run code designed to retrieve malware.

Cisco Talos analysed and sampled several of the documents and discovered that the threat actors behind the attacks use the well-known signing platform DocuSign as bait to fool victims into enabling macros on the MS Office suite they use.

How does the Squirrelwaffle malware work?

Once the code has been activated by the user, it uses string reversal to obfuscate its activity and writes a dedicated VBS script to “%PROGRAMDATA%”, and then executes it.

Effectively. this action retrieves the Squirrelwaffle malware from one of five different hardcoded URLs and delivers it onto the compromised networks as a DLL file.

The dedicated Squirrelwaffle loader then drops malware like Qbot or the much-abused pen testing tool known as Cobalt Strike.

A legitimate tool to run penetration tests, Cobalt Strike is designed to be an attack framework for organisations to health-check their infrastructure and seek out any weaknesses or gaps in their cybersecurity.

However, cracked editions of Cobalt Strike are often employed by threat actors (often in ransomware attacks) to perform post-exploitation tasks following beacon deployment. The misused tool then gives them persistent access to a company’s compromised devices from a remote location.

Squirrelwaffle also boasts an IP blocklist, fully populated with established cybersecurity research firms, helping it to escape detection and in-depth analysis.

All channels of communications between Squirrelwaffle and the command-and-control server infrastructure are encrypted and transmitted using HTTP POST requests.

The threat operators leverage compromised web servers in order to support file distribution during their activities. Most of these sites run WordPress 5.8.1. The operators also deploy “antibot” scripts on these servers, helping them further evade detection and study.

It is believed by many that Squirrelwaffle may simply be an Emotet reboot, launched by past members who escaped law enforcement, while others feel it may be a new malware operation seeking to take the place of the infamous outfit.

Security professionals are advised to familiarise themselves with the TTPs employed in the malware campaigns.