Uptick in Squirrelwaffle Loader Spam

Description

Update: 10/5/21 - The "What is the Status of Coverage" section has been updated to reflect the latest IPS signature.


FortiGuard Labs is aware of a recent uptick in malicious spam that delivers the Squirrelwaffle Loader malware. Some public reports suggest that Squirrelwaffle Loader leverages the reply chain technique which Qakbot and Emotet typically use. Squirrelwaffle Loader spam messages commonly include an embedded link. When the link is clicked, a zip file containing an Office file with a malicious VBA macro is downloaded. Opening the Office file extracts a VBS file which then retrieves Squirrelwaffle Loader, leading to the delivery of the attack framework CobaltStrike.


How Does this Squirrelwaffle Loader Spam Campaign Work?

The spam emails that deliver Squirrelwaffle Loader typically arrive with an embedded link. Clicking the link leads to a remotely hosted zip file containing an Office file that has a malicious VBA macro in it. Upon opening, the Office file drops a VBS file that retrieves Squirrelwaffle Loader from a remote host.
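As an added defender-side example (not code from the FortiGuard report), the following Python routine triages a downloaded zip the way a mail or web gateway might for this delivery chain: it flags Office Open XML documents that carry a VBA project and any dropped script files. The archive contents are constructed inline for the demonstration, and the vbaProject.bin member names used to detect a VBA project are an assumption based on the Office Open XML layout.

```python
import io
import zipfile

# Assumed OOXML member names that indicate an embedded VBA project
# (Word, Excel and PowerPoint store it under these paths).
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm")
SCRIPT_EXTS = (".vbs", ".js", ".hta")

def office_has_vba(data: bytes) -> bool:
    """True if an OOXML document carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name in VBA_MEMBERS for name in doc.namelist())
    except zipfile.BadZipFile:
        # Legacy binary (.doc/.xls) or corrupt file: not inspectable here.
        return False

def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a downloaded archive for macro documents and script droppers."""
    findings = {"macro_documents": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            lower = info.filename.lower()
            if lower.endswith(OFFICE_EXTS) and office_has_vba(archive.read(info)):
                findings["macro_documents"].append(info.filename)
            elif lower.endswith(SCRIPT_EXTS):
                findings["scripts"].append(info.filename)
    return findings

def _fake_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            doc.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def build_sample_archive() -> bytes:
    """Constructed sample archive: one macro document, one clean document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice_12345.docm", _fake_ooxml(True))
        archive.writestr("notes.docx", _fake_ooxml(False))
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip(build_sample_archive()))
```

A real gateway would feed the flagged document to a macro analyser rather than stop at the presence of a VBA project, since legitimate macro documents exist.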


What is the Reply Chain Technique that Squirrelwaffle Loader Leverages to Send Out Malicious Spam Messages?

The reply chain technique, also known as "thread hijacking", is a tactic employed by threat actors to make the victim believe that the malicious email they receive is part of a legitimate email thread. Reply chains typically begin with the threat actor collecting legitimate emails from the victim. Those stolen emails are then used as "reply" emails to deliver the malicious messages. Because the reply chain technique utilizes legitimate email threads that the victim is familiar with, the tactic tends to catch the victim off guard, and the person is more likely to open a link or an email attachment.


What is the Payload of Squirrelwaffle Loader?

CobaltStrike is reported as the payload. CobaltStrike then typically connects to its Command and Control (C&C) server and downloads and installs additional malware.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage:

VBA/Valyria.5321!tr

W32/GenKryptik.FKCT!tr

W32/Kryptik.HACT!tr

W32/Cridex.FKTO!tr

VBA/Agent.9F19!tr

W32/PossibleThreat

VBA/Logan.1868!tr

W32/GenKryptik.FKTO!tr

Malicious_Behavior.SB

W32/Cridex.MMW!tr.dldr

JS/Agent.EJX!tr

MSOffice/Agent.DIY!tr


Customers running the latest IPS definitions are protected with the following signature:

Squirrelwaffle.Malware.C2 (18.169)


All network IOCs mentioned in this report are blocked by the WebFiltering client.

Telemetry