Threat Signal Report

Uptick in Squirrelwaffle Loader Spam

Description

Update: 10/5/21 - The "What is the Status of Coverage" section has been updated to reflect the latest IPS signature.


FortiGuard Labs is aware of a recent uptick in malicious spam that delivers the Squirrelwaffle Loader malware. Some public reports suggest that Squirrelwaffle Loader leverages the reply chain technique that Qakbot and Emotet typically use. Squirrelwaffle Loader spam messages commonly include an embedded link. When the link is clicked, a zip file containing an Office file with a malicious VBA macro is downloaded. Opening the Office file extracts a VBS file, which then retrieves Squirrelwaffle Loader, leading to the delivery of the CobaltStrike attack framework.


How Does this Squirrelwaffle Loader Spam Campaign Work?

The spam emails that deliver Squirrelwaffle Loader typically arrive with an embedded link. Clicking the link leads to a remotely hosted zip file containing an Office file with a malicious VBA macro. Upon opening, the Office file drops a VBS file that retrieves Squirrelwaffle Loader from a remote host.
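The first stage of that chain, the downloaded zip with a macro-carrying Office file inside, is the point where a mail or proxy gateway can still say no before anything executes. The following script is an added example, not FortiGuard code and not part of the original report: it walks an archive, singles out Office members, and checks whether an OOXML document carries a vbaProject.bin part (the container Office uses for VBA). Legacy binary .doc/.xls files are OLE2 compound files and need a different parser (olefile, for instance), so the script only flags them for manual review. The archive and the two documents it holds are constructed in memory for illustration.

```python
"""
Static check for a zip that carries a macro-enabled Office document.
The sample archive built by build_sample_archive() is constructed for
illustration; it is not a real Squirrelwaffle sample.
"""
import io
import zipfile

OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm",
                     ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")
# OOXML documents are zips; Office stores VBA in a part named vbaProject.bin.
VBA_PART_SUFFIX = "vbaproject.bin"
# Legacy binary Office formats are OLE2 compound files with this signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_vba(data):
    """True if the bytes are an OOXML zip that contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith(VBA_PART_SUFFIX) for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_archive(archive_bytes):
    """Report every Office member of the archive with a macro verdict.

    'macro' is True when a VBA project is present, False when the document is
    OOXML without one, and None for legacy OLE2 files this script cannot parse.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename
            if not name.lower().endswith(OFFICE_EXTENSIONS):
                continue
            data = outer.read(info)
            if data.startswith(OLE2_MAGIC):
                macro, note = None, "legacy OLE2 document; needs an OLE parser, treat as suspicious"
            elif ooxml_has_vba(data):
                macro, note = True, "macro-enabled: vbaProject.bin present"
            else:
                macro, note = False, "OOXML without a VBA project"
            findings.append({"name": name, "macro": macro, "note": note})
    return findings


def archive_is_suspicious(archive_bytes):
    """Block if any Office member has a VBA project or cannot be ruled out."""
    return any(f["macro"] is not False for f in inspect_archive(archive_bytes))


def build_sample_archive():
    """Construct a test archive: one macro document, one clean one, one text file."""
    def make_ooxml(with_macro):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("[Content_Types].xml", "<Types/>")
            z.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                # Placeholder bytes standing in for a real VBA project stream.
                z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder vba")
        return buf.getvalue()

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_1029.docm", make_ooxml(True))
        z.writestr("notes.docx", make_ooxml(False))
        z.writestr("readme.txt", "nothing to see")
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for finding in inspect_archive(sample):
        print(f"{finding['name']}: {finding['note']}")
    print("block archive:", archive_is_suspicious(sample))
```

This only tells you that a macro container exists, not what the macro does (here, dropping the VBS that fetches the loader), so it belongs in front of detonation or AV scanning rather than instead of it. The file extension check is deliberately loose: a .docx can carry a vbaProject.bin and Office will still refuse to run it, but attackers rename files often enough that the cheap answer is to inspect every Office-looking member.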


What is the Reply Chain Technique that Squirrelwaffle Loader Leverages to Send Out Malicious Spam Messages?

The reply chain technique, also known as "thread hijacking", is a tactic threat actors use to make the victim believe that the malicious email they receive is part of a legitimate email thread. A reply chain attack typically begins with the threat actor collecting legitimate emails from the victim. Those stolen emails are then used as the "reply" into which the malicious message is injected. Because the technique reuses legitimate email threads that the victim is familiar with, it tends to catch the victim off guard, and the person is more likely to open a link or an email attachment.
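A hijacked thread looks right to the person reading it, but it often looks wrong to the mail headers: the subject says "RE:" and the body quotes an earlier message, yet the sending client never set In-Reply-To or References because it is not actually replying to anything. The script below is an added triage heuristic written for this report, not FortiGuard's detection logic; it parses a raw message, combines those three signals with the presence of a link in the body, and returns a verdict with reasons. The two messages it is run against are constructed samples.

```python
"""
Triage heuristic for reply-chain (thread-hijack) spam: a reply-style subject
with no threading headers, a pasted earlier message, and a link in the body.
The two sample messages below are constructed for illustration only.
"""
import re
from email import message_from_string

# Reply/forward prefixes common in English and German/Scandinavian mail clients.
REPLY_PREFIX = re.compile(r"^\s*(re|aw|sv|wg|fwd?)\s*:", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Signs that an earlier message was pasted into the body.
QUOTED_THREAD_RE = re.compile(
    r"^(>|From:|Sent:|-----Original Message-----|On .+ wrote:)", re.MULTILINE)


def body_text(msg):
    """Collect the text/plain parts of a message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a verdict dict for one RFC 5322 message given as a string."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    claims_reply = bool(REPLY_PREFIX.match(subject))
    has_thread_headers = bool(msg.get("In-Reply-To") or msg.get("References"))
    urls = URL_RE.findall(body)
    quoted_thread = bool(QUOTED_THREAD_RE.search(body))

    reasons = []
    if claims_reply and not has_thread_headers:
        reasons.append("reply-style subject but no In-Reply-To/References header")
    if quoted_thread:
        reasons.append("earlier message quoted in body")
    if urls:
        reasons.append(f"{len(urls)} link(s) in body")

    # A fake reply that pastes a stolen thread and points at a link is the
    # pattern described above; a genuine reply threads through its headers.
    suspicious = claims_reply and not has_thread_headers and quoted_thread and bool(urls)
    return {"subject": subject, "suspicious": suspicious, "reasons": reasons, "urls": urls}


# Constructed sample: a hijacked thread. The "reply" carries no threading
# headers, pastes the stolen original, and pushes a download link.
HIJACKED_SAMPLE = """\
From: accounts@supplier.invalid
To: bob@victim.invalid
Subject: RE: Invoice for September
Message-ID: <a1@supplier.invalid>
Content-Type: text/plain; charset="utf-8"

Hi Bob, the updated document is here:
http://documents.invalid/download/invoice.zip

-----Original Message-----
From: bob@victim.invalid
Subject: Invoice for September
Could you resend the September invoice?
"""

# Constructed sample: a genuine reply from a normal mail client.
GENUINE_SAMPLE = """\
From: alice@supplier.invalid
To: bob@victim.invalid
Subject: RE: Invoice for September
In-Reply-To: <orig1@victim.invalid>
References: <orig1@victim.invalid>
Message-ID: <b2@supplier.invalid>
Content-Type: text/plain; charset="utf-8"

Resent, thanks.

On Mon, 4 Oct 2021, bob@victim.invalid wrote:
> Could you resend the September invoice?
"""

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        verdict = triage(raw)
        print(f"{label}: suspicious={verdict['suspicious']} reasons={verdict['reasons']}")
```

Treat the verdict as a triage score, not a block decision: some webmail and ticketing systems strip References, and a real reply can carry a link. The strongest single signal is the missing threading header on a message that visibly quotes a thread, because the attacker builds the mail from a stolen copy rather than replying to the live message.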


What is the Payload of Squirrelwaffle Loader?

CobaltStrike is reported as the payload. CobaltStrike then typically connects to its Command and Control (C&C) server and downloads and installs additional malware.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage:

VBA/Valyria.5321!tr
W32/GenKryptik.FKCT!tr
W32/Kryptik.HACT!tr
W32/Cridex.FKTO!tr
VBA/Agent.9F19!tr
W32/PossibleThreat
VBA/Logan.1868!tr
W32/GenKryptik.FKTO!tr
Malicious_Behavior.SB
W32/Cridex.MMW!tr.dldr
JS/Agent.EJX!tr
MSOffice/Agent.DIY!tr


Customers running the latest IPS definitions are protected with the following signature:

Squirrelwaffle.Malware.C2 (18.169)


All network IOCs mentioned in this report are blocked by the WebFiltering client.

Telemetry

Appendix

SQUIRRELWAFFLE LOADER WITH COBALT STRIKE (Malware Traffic Analysis)

"Squirrelwaffle" Maldoc Analysis (Security Soup)


Definitions

Traffic Light Protocol

Color / When should it be used? / How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.