Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader.
SquirrelWaffle, a new malware loader, is mal-spamming malicious Microsoft Office documents to deliver Qakbot malware and the penetration-testing tool Cobalt Strike – two of the most common threats regularly observed targeting organizations around the world.
Cisco Talos researchers reported on Tuesday that they got wind of the malspam campaigns in mid-September, when they noticed the boobytrapped Office documents being used to infect systems with SquirrelWaffle in the initial stage of the infection chain.

The campaigns are using stolen email threads to pose as replies in those threads, similar to how the virulent Emotet malware – typically spread through malicious emails or text messages – operates. “The campaigns themselves feature several similar characteristics to the campaigns previously seen associated with established threats like Emotet,” Cisco Talos researchers said.
“Due to the prevalence of these campaigns, organizations should be aware of SQUIRRELWAFFLE and the way it may be used by attackers to further compromise corporate networks,” they advised.
The SquirrelWaffle emails typically contain hyperlinks to malicious ZIP archives hosted on attacker-controlled web servers, researchers said. An example of one of the malspam emails is shown below.
Sample of SquirrelWaffle malspam email. Source: Cisco Talos.
Most of the messages – 76 percent – are written in English. But the language used in the reply message shifts to match what was used in the original email thread, “demonstrating that there is some localization taking place dynamically,” Cisco Talos noted. Besides English, the top five languages used also include French, German, Dutch and Polish.
Not Always the Ripest Nut in the Nest
These squirrels aren’t always picking up acorns that are destined to grow into majestic, revenue-generating oaks. Researchers noted that, “consistent with other threats also leveraging stolen email threads,” SquirrelWaffle took a few potshots in choosing which email chains to hijack.
They provided the following example, in which the attacker replied to an extortion email – a choice that’s probably “ineffective in convincing the recipient to access the content in the body of the email,” researchers understated.
The SquirrelWaffle attacker’s mal-spam reply to an extortionist’s email. Source: Cisco Talos.
SquirrelWaffle Not Scampering as Furiously as Emotet – Yet
SquirrelWaffle isn’t as prolific as Emotet – at least, not yet, though it’s growing steadily. Cisco Talos shared a graph, shown below, illustrating the volume of the campaigns between Sept. 1 and Oct. 15.
Volume of SquirrelWaffle campaigns tracked from Sept. 1 to Oct. 15, 2021. Source: Cisco Talos.
“While the volume associated with these campaigns is not yet reaching the same level seen previously with threats like Emotet, it appears to be fairly consistent and may increase over time as the adversaries infect more users and increase the size of their botnet,” Cisco Talos predicted.
Malspam O-Matic
In analyzing the campaign, researchers observed several attributes that pointed to the malicious Office files as likely having been crafted using an automated builder. For example, in the recent campaigns, “the Microsoft Excel spreadsheets have been crafted to make static analysis with tools like XLMDeobfuscator less effective,” they explained.
The earliest files were submitted to public malware repositories on Sept. 10. Three days later, the campaign volume began to ramp up and “has been characterized by daily spam runs observed since then,” according to the writeup.
More signs that it is being cranked out with an automated builder: “The URL structure of the SQUIRRELWAFFLE distribution servers appears somewhat tied to the daily campaigns, and rotates every few days,” according to the analysis. Cisco Talos gave the example of the table, shown below, which depicts variance in the URL landing pages seen over a period of several days.
SquirrelWaffle timeline. Source: Cisco Talos.
“This rotation is also reflected in the maldoc macros themselves, with the macro function names and hashes rotating at the same time,” the researchers added.
How the Squirrel Twitches
Victims who fall for the emails and click their links end up downloading a malicious ZIP archive containing tainted Microsoft Office documents, which have been evenly split between Word documents and Excel spreadsheets. The caveat: This is an actively evolving threat, and researchers have seen the threat actor shift from an initial reliance on Word documents to an almost exclusive use of Excel spreadsheets.
In the earlier email campaigns using malicious Word documents, researchers saw the threat actor dress up the document so it looked like it was associated with the DocuSign document-sharing and signing platform: a popular option for handling official transactions.
Malicious Word file meant to look like it’s associated with DocuSign. Source: Cisco Talos.
In any case, the Office files, be they .DOC or .XLS, spring the next-stage component, which is the SquirrelWaffle payload.
In all of the SquirrelWaffle campaigns observed so far, the rigged links used to host the ZIP archives contain Latin text and follow a URL structure similar to this one:
abogados-en-medellin[.]com/odit-error/assumenda[.]zip
But in several cases, the campaign contains separate ZIP archives hosted in different directories on the same domain. Inside the ZIP archives, the malicious Office files typically follow a naming convention similar to these examples:
- chart-1187900052.xls
- diagram-127.doc
- diagram_1017101088.xls
- Specification-1001661454.xls
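The URL shape and the archive naming convention described above are the kind of observables a defender can turn into a simple detection over proxy or download logs. The following is an added example, not code from the Talos report or the Threatpost article: it encodes the two patterns as regular expressions and runs them over a handful of constructed log lines. The log format, the hosts other than the defanged example domain quoted above, the IP addresses and the `members=` field recording archive contents are all assumptions of this example, and the "Latin text" property is approximated structurally (lowercase, hyphenated, purely alphabetic path segments) rather than checked against a Latin dictionary. It also goes slightly beyond the page by checking the URL basename itself, so a maldoc served without a ZIP wrapper is flagged too.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed proxy/download log lines (not from the Talos report). Format:
#   <timestamp> <client-ip> <method> <url> members=<comma-separated archive contents, or ->
# Line 1 reuses the defanged example URL and one of the archive file names quoted in the
# article; every other host, IP address and path is invented for this demonstration.
LOG_LINES = [
    "2021-10-04T09:12:01Z 10.1.4.22 GET http://abogados-en-medellin[.]com/odit-error/assumenda[.]zip members=chart-1187900052.xls",
    "2021-10-04T09:15:47Z 10.1.4.22 GET https://updates.example.com/releases/tool-2.4.1.zip members=README.txt,tool.exe",
    "2021-10-05T11:02:13Z 10.1.7.9 GET http://example-host[.]net/voluptas/quia[.]zip members=diagram_1017101088.xls,diagram-127.doc",
    "2021-10-05T11:30:00Z 10.1.7.9 GET https://intranet.example.org/specs/Specification-1001661454.xls members=-",
    "2021-10-05T12:00:00Z 10.1.9.3 GET https://cdn.example.com/assets/logo.png members=-",
]

# Structural approximation of the ZIP landing URLs described in the article: a host, one or
# more path segments made only of lowercase letters and hyphens, and an alphabetic ZIP name.
# It does not check that the words are actually Latin; that is an assumption of this example.
ZIP_URL_RE = re.compile(
    r"^https?://(?P<host>[a-z0-9.-]+)"
    r"(?:/[a-z]+(?:-[a-z]+)*)+"
    r"/[a-z]+(?:-[a-z]+)*\.zip$"
)

# Naming convention of the Office files inside the archives, generalised from the four
# examples on the page: a word, a '-' or '_' separator, a run of digits, then .xls or .doc.
MALDOC_NAME_RE = re.compile(
    r"^(?:chart|diagram|specification)[-_]\d{3,}\.(?:xls|doc)$", re.IGNORECASE
)


def refang(url: str) -> str:
    """Turn a defanged indicator (example[.]com, hxxp://) back into a parseable URL."""
    return (
        url.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


@dataclass
class Finding:
    line_no: int
    host: str
    url_match: bool              # URL has the Latin-word, hyphenated-path ZIP shape
    suspicious_names: List[str]  # archive members or URL basename matching MALDOC_NAME_RE

    @property
    def severity(self) -> str:
        # Both indicators together are a much stronger signal than either one alone.
        return "high" if self.url_match and self.suspicious_names else "medium"


def analyze(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that matches either indicator."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        _ts, _client, _method, raw_url, members_field = line.split()
        url = refang(raw_url)
        host = url.split("/")[2]
        url_match = ZIP_URL_RE.match(url) is not None
        # Archive contents, if the log recorded them, plus the URL basename itself so that
        # a maldoc served directly (without a ZIP wrapper) is also caught.
        members = members_field[len("members="):]
        names = [] if members == "-" else members.split(",")
        names.append(url.rsplit("/", 1)[-1])
        suspicious = [n for n in names if MALDOC_NAME_RE.match(n)]
        if url_match or suspicious:
            findings.append(Finding(line_no, host, url_match, suspicious))
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES):
        print(f"line {f.line_no}: {f.severity:6} host={f.host} "
              f"url_shape={f.url_match} names={f.suspicious_names}")
```

Run stand-alone, it reports lines 1 and 3 as high (both the URL shape and the file names match) and line 4 as medium (a matching file name served directly); the software-update and image downloads produce nothing. Because the article notes the URL structure rotates every few days, the URL regex is deliberately structural rather than tied to any one domain; a real deployment would pair it with allow-listing of known-good download hosts to keep the false-positive rate down.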
They’re Kicking Servers When They’re Already Down
The malware distribution campaigns are apparently piggybacking on previously compromised web servers: mostly those running versions of WordPress, with the most common compromised version being WordPress 5.8.1.
Researchers also identified one case of “a SQL dump related to an AZORult panel present on the same host being used as a C2 server by SQUIRRELWAFFLE,” they said.
They could not determine whether the responsible actor was the same threat or whether the server had been gang-attacked by multiple actors: “As is often the case with vulnerable servers exposed to the internet, it is unclear whether this panel was being administered by the same threat actor or if the server had simply been compromised by multiple unrelated entities,” Cisco Talos said.
The More Malware Changes…
Cisco Talos reported that while the SquirrelWaffle threat is relatively new, its workings – including the distribution campaigns, infrastructure and command-and-control (C2) implementations – have a lot in common with those seen from other, more established threat actors.
“Organizations should continue to employ comprehensive defense-in-depth security controls to ensure that they can prevent, detect, or respond to SQUIRRELWAFFLE campaigns that might be encountered in their environments,” they advised.
Check out out our free impending live and on-demand from customers on the web town halls – distinctive, dynamic conversations with cybersecurity experts and the Threatpost group.
Some elements of this posting are sourced from:
threatpost.com