Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader
Since early September, SentinelLabs has been tracking the rapid rise of a new malware loader that previous researchers have dubbed “SquirrelWaffle”. The tool has been utilized in multiple global attacks since then and is being likened to Emotet in the way it is being used to conduct massive malspam campaigns.
In this post, we explain how SquirrelWaffle works, what to look out for and how to protect your business from the latest malspam loader.
What Is SquirrelWaffle Malware?
SquirrelWaffle is a recent malware loader that is distributed through malspam – malicious spam mail – with the purpose of infecting a device with second-stage malware such as cracked copies of the red teaming tool Cobalt Strike and QakBot, a well-known malware that started life as a simple banking trojan but has since evolved into a multi-functional framework with RAT (Remote Access Trojan)-like capabilities.
Researchers have noted how the infection chain may begin with an email reply chain attack, in which a threat actor neither inserts themselves as a new correspondent nor attempts to spoof someone else’s email address. Instead, the attacker sends the malicious SquirrelWaffle email from a hijacked account belonging to one of the participants. Since the attacker has access to the whole thread, they can tailor their malspam message to fit the context of an ongoing conversation. Given that the recipient likely already trusts the sender, there’s an increased likelihood of the target opening the maldoc or clicking the link. Email reply chain attacks were a hallmark of Emotet campaigns and contributed a great deal to its success.
SquirrelWaffle first appeared in early September, and defenders have noticed an uptick in infections since then. SentinelLabs researchers have also observed that the malware drops unique payloads even from the same infection chain, and that its file path patterns continue to evolve.
How Does SquirrelWaffle Infect Devices?
Initial delivery of SquirrelWaffle as a first stage loader often comes courtesy of a phishing email with either a malicious MS Word or Excel attachment or embedded link leading to a zip-compressed malicious document download. These maldocs contain VBS macros which execute PowerShell to retrieve and launch the SquirrelWaffle loader.
The initial SquirrelWaffle files are written to disk as prescribed by the malicious PowerShell script responsible for their retrieval. For example, early clusters of malicious documents dropped SquirrelWaffle using this set of file names:
C:\Datop\test.test
C:\Datop\test1.test
C:\Datop\test2.test
Importantly, no two runs of the same malicious document will produce the same SquirrelWaffle payloads. On each execution, the payloads written to disk will have unique hashes.
"C:\Users\<redact>\AppData\Local\Temp\Temp1_natusut-1501184.zip\grade-2086577786.xls"
C:\Datop\test.test - 8d7089f17bd5706309d7c6986fdd1140d6c5b4b2
C:\Datop\test1.test - 52452f6f0ab73531fe54935372d9c34eb50653d8

"C:\Users\<redact>\OneDrive - folder, Inc\Desktop\grade-2086577786.xls"
C:\Datop\test.test - bce0e9e1c6d2e7b12648ef316748191f10ed8582
C:\Datop\test1.test - 8ba7694017d1cea1d4b73f39479726478df88b20

"C:\Users\
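As an added illustration (not code from the SentinelLabs post), the following Python runs a hash-based indicator rule and a behavioural rule side by side over constructed file-creation telemetry for the two runs of grade-2086577786.xls listed above. The drop paths and SHA1 values are the ones quoted above; the process lineage (powershell.exe spawned by EXCEL.EXE) and the benign Excel save are assumptions made for the example.

```python
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

def event(image, parent, path, sha1):
    """One file-creation record in a Sysmon-like shape (constructed)."""
    return {"image": image, "parent": parent, "path": path, "sha1": sha1}

# Constructed telemetry, not real captures: the two runs of
# grade-2086577786.xls from the post (paths and SHA1s as listed there,
# process lineage assumed) plus one benign Excel save that must not fire.
EVENTS = [
    event(PS, EXCEL, r"C:\Datop\test.test", "8d7089f17bd5706309d7c6986fdd1140d6c5b4b2"),
    event(PS, EXCEL, r"C:\Datop\test1.test", "52452f6f0ab73531fe54935372d9c34eb50653d8"),
    event(PS, EXCEL, r"C:\Datop\test.test", "bce0e9e1c6d2e7b12648ef316748191f10ed8582"),
    event(PS, EXCEL, r"C:\Datop\test1.test", "8ba7694017d1cea1d4b73f39479726478df88b20"),
    event(EXCEL, r"C:\Windows\explorer.exe", r"C:\Users\alice\Desktop\budget.xlsx",
          "0000000000000000000000000000000000000000"),  # placeholder hash
]

# Rule 1: indicator match on the SHA1s observed in the first run only.
KNOWN_SHA1 = {
    "8d7089f17bd5706309d7c6986fdd1140d6c5b4b2",
    "52452f6f0ab73531fe54935372d9c34eb50653d8",
}
# Rule 2: behavioural match on the drop pattern itself: powershell.exe
# spawned by an Office app writing C:\Datop\test<N>.test, whatever the content.
DROP_PATH = re.compile(r"^C:\\Datop\\test\d*\.test$", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hash_rule(ev):
    return ev["sha1"].lower() in KNOWN_SHA1

def behaviour_rule(ev):
    return (DROP_PATH.match(ev["path"]) is not None
            and basename(ev["image"]) == "powershell.exe"
            and basename(ev["parent"]) in OFFICE_APPS)

def evaluate(events):
    """Return the drop paths each rule flags; the hash rule misses the
    second run because SquirrelWaffle writes fresh payloads on every run."""
    return {
        "hash": [e["path"] for e in events if hash_rule(e)],
        "behaviour": [e["path"] for e in events if behaviour_rule(e)],
    }
```

The hash rule flags only the two files from the first run, while the behavioural rule catches all four drops and ignores the benign save, which is why path and process-lineage detections hold up better against this loader than per-sample hashes.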