A new malware family, referred to as Squirrelwaffle, may become a major business disruptor. Once Squirrelwaffle slips into network ecosystems, the malware can be used to inflict intensive damage. In some cases, Squirrelwaffle serves as a courier for other malware infections, from Qakbot to Cobalt Strike.

What is Squirrelwaffle malware?

In mid-September, a malspam campaign delivering malicious documents was dubbed Squirrelwaffle. The payload was dubbed GradeAMaple.

Just kidding! In all seriousness, the Squirrelwaffle hackers appear to be using stolen email threads to launch the malware. In other words, hackers hijack a business email thread, and then send a phony reply that includes malware in the attachment.

Investigators have found stolen email chains in English, Dutch, German, Polish and French. The language in the emails looks natural, suggesting that hackers either speak multiple languages or hire contractors to assist with localization.

How it works

This malware is vicious! The emails include hyperlinks to malicious ZIP archives hosted on hacker-controlled web servers. Typically, emails include a malicious .doc or an .xls attachment that operates malware retrieving code. Hackers aim to trick victims into clicking on the attachments.

Within several examples analyzed by researcher, cyber criminals attempted to coerce recipients into signing a fictitious DocuSign file, which enabled macros on MS Office suites.

DocuSign Image_

Technical details

The code within the malicious document leverages string reversal for obfuscation, writes a VBS script to %PROGRAMDATA% and then executes it. In turn, this operation retrieves Squirrelwaffle from one of the five hardcoded URLs, delivering it in the form of a DLL file onto the compromised system. The Squirrelwaffle loader then unleashes malware.

To help the malware evade detection, developers included an IP blocklist that’s populated with notable security research firms. Communications between Squirrelwaffle and the C2 infrastructure are encrypted (XOR + Base64) and sent through HTTP POST requests.

Attackers rely on previously compromised web servers to distribute files throughout their operations. Via the compromised servers, attackers run “antibot” scripts that deceive some detection and analysis solutions.

Why it matters

Squirrelwaffle emerged shortly after law enforcement disrupted the notorious Emotet botnet. Some researchers believe that Squirrelwaffle may be a reboot of Emotet, operated by persons who evaded police, Interpol or other authorities.

On account of Squirrelwaffle’s continued proliferation, researchers advise technical administrators to study the TTPs leveraged in this malware campaign.

Indicators of compromise associated with this campaign include hashes (SHA256) and domains.

How to avoid Squirrelwaffle

The makers of Squirrelwaffle have gone to great length in order to render the malware difficult to identify and analyze.

  1. Endpoint security products can help. Read about endpoint solutions here.
  2. Email security solutions can block emails sent by attackers. Read about email security solutions here.
  3. Next generation firewalls can potentially identify malicious behavior connected to Squirrelwaffle. Get firewall information here.
  4. Patch and update software at regular intervals.
  5. The single best defense against Squirrelwaffle may be alerting employees to avoid clicking on attachments.

In summary

The email-based malware landscape is continually evolving. Variations on this campaign are already emerging, and organizations should take care to prevent and detect this threat.

Although Squirrelwaffle is not as well-known as Emotet, researchers believe that could change in the near future and that Squirrelwaffle could reshape the malware landscape.

To learn more about pressing issues in the cyber world, please join us at the premiere cyber security event of the year – CPX 360 2022. Register here.

*Image courtesy of Bleepingcomputer.com.