A new malware dubbed Squirrelwaffle has emerged, supporting actors with an initial foothold and a way to drop malware onto compromised systems and network, spreads via spam campaigns dropping Qakbot and Cobalt Strike in the most recent campaigns. Famously known to replace Emotet tool

The spam campaign primarily uses stolen reply chain email campaigns in English, the threat actors also utilize French, German, Dutch, and Polish emails.

These emails contain hyperlinks to malicious ZIP archives hosted on attacker-controlled web servers and typically include a malicious .doc or a .xls attachment that runs malware-retrieving code if opened.

Advertisements

The actors use the DocuSign signing platform as bait to trick the recipients into enabling macros on their MS Office suite. The contained code leverages string reversal for obfuscation, writes a VBS script to %PROGRAMDATA%, and executes it.

This action fetches Squirrelwaffle from one of the five hardcoded URLs, delivering it in the form of a DLL file onto the compromised system.

Macro code running to fetch payloads from the C2

The Squirrelwaffle loader then deploys malware like Qakbot or the widely abused penetration testing tool Cobalt Strike.

Cacked versions of Cobalt Strike are also used by threat actors for post-exploitation tasks after deploying beacons, which provide them with persistent remote access to compromised devices.

Squirrelwaffle also features an IP blocklist  that is populated with notable security research firms as a way to evade detection and analysis. All communications between Squirrelwaffle and the C2 infrastructure are encrypted (XOR+Base64) and sent via HTTP POST requests.

The threat actors leverage previously compromised web servers to support the file distribution aspect of their operations, with most of these sites running WordPress 5.8.1. The adversaries deploy “antibot” scripts that help prevent white-hat detection and analysis.

Advertisements

Squirrelwaffle may be a reboot of Emotet by members who dodged law enforcement or other threat actors attempting to fill the void left behind by the notorious malware. Organizations should aware of TTPs used in the campaign to defend.

Also Read: SqirrelEngine Abuses Games

Indicators of Compromise

Squirrelwaffle ZIP archive URLs

  • hxxp://amaimaging[.]com/voluptas-quidem/documents.zip
  • hxxp://beautifulgist[.]com/id-alias/documents.zip
  • hxxp://bussiness-z[.]ml/qui-quia/documents.zip
  • hxxp://gadhwadasamaj.techofi[.]in/expedita-consequatur/documents.zip
  • hxxp://inetworx.co[.]za/voluptate-sunt/documents.zip
  • hxxp://insurance.akademiilmujaya[.]com/beatae-sunt/documents.zip
  • hxxp://prevenzioneformazionelavoro[.]it/quasi-reprehenderit/documents.zip
  • hxxp://procatodicadelacosta[.]com/neque-et/documents.zip
  • hxxp://readgasm[.]com/repudiandae-provident/documents.zip
  • hxxp://rinconadadellago[.]com.mx/qui-quia/documents.zip
  • hxxp://saraviatowing[.]net/et-praesentium/documents.zip
  • hxxp://shahanaschool[.]in/illum-accusamus/documents.zip
  • hxxp://srv7.corpwebcontrol[.]com/np/prog_est.zip
  • hxxp://srv7.corpwebcontrol[.]com/np/user_est.zip
  • hxxp://stripemovired.ramfactoryarg[.]com/nostrum-ab/documents.zip
  • hxxp://syncun[.]com/natus-aut/documents.zip
  • hxxp://tradingview-brokers.skoconstructionng[.]com/molestiae-voluptatum/documents.zip
  • hxxps://abogados-en-medellin[.]com/odit-error/documents.zip
  • hxxps://amaimaging[.]com/voluptas-quidem/ducimus.zip
  • hxxps://builtbvbh-com[.]gq/eum-est/voluptas.zip
  • hxxps://builtbybh-com[.]gq/eum-est/voluptas.zip
  • hxxps://builtybybh-com[.]gq/eum-est/voluptas.zip
  • hxxps://cctvfiles[.]xyz/aliquam-ipsam/documents.zip
  • hxxps://focus.focalrack[.]com/enim-rerum/ducimus.zip
  • hxxps://inetworx.co[.]za/voluptate-sunt/est.zip
  • hxxps://kmslogistik[.]com/repellat-et/est.zip
  • hxxps://moeinjelveh[.]ir/et-eligendi/placeat.zip
  • hxxps://readgasm[.]com/repudiandae-provident/voluptas.zip
  • hxxps://saraviatowing[.]net/et-praesentium/placeat.zip
  • hxxps://sextoystore.co[.]in/temporibus-aut/est.zip
  • hxxps://shivrajengineering[.]in/qui-dolores/placeat.zip

Squirrelwaffle Loader URLs

  • hxxps://ghapan[.]com/Kdg73onC3oQ/090921.html
  • hxxps://yoowi[.]net/tDzEJ8uVGwdj/130921.html
  • hxxps://gruasingenieria[.]pe/LUS1NTVui6/090921.html
  • hxxps://chaturanga.groopy[.]com/7SEZBnhMLW/130921.html
  • hxxps://lotolands[.]com/JtaTAt4Ej/130921.html
  • hxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec.html
  • hxxps://orquideavallenata[.]com/4jmDb0s9sg/sec.html
  • hxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec.html

Squirrelwaffle Word Document File MD5 Hashes

  • 326498ae163f0d6b8a863d24793f152d
  • 2156a1a8b0c579a51ea77d1bc7062b49
  • 5e9f33e5baa6d6efca91c8db78c01bd0
  • fae4ca3c95a5068063637b2f2ed3a5b2
  • a449e5044437c453fce2ead881aa8161
  • c27545fbb3b4ff35277bce1383655e46
  • c774e400b46f4c0bb90c11e349bc36a0
  • c2ed8fc614aeda36a7e3a638fa7db16a
  • db11964b27738bf4e3a1501e11bd54ad
  • 822e20c95df7165009600a9bfbff9b5e
  • c1ed800a4ae9d4efd61de3aa7fd657b4
  • b478bc389fc15e17b231984fa80e2b0d
  • e599a656599a2680c9392c7329d9d519
  • da48063b7d75ec645f4370b95c28675c
  • c3bd4145feaaae541cb17ccc7cbd2e44
  • 558f97103085394c3a35c9b03839fe72
  • a07f5b21376cd2b661f36dcdc2081b75
  • 5b50f7beabcff32bd02de2dda2766a7b

Squirrelwaffle VBS File MD5 Hash

  • 9da69f65ce4e8e57aef3ea1dd96f42ec

Squirrelwaffle Loader MD5 Hashes

  • 7e9ba57db08f53b56715b0a8121bd839
  • 5ec89ea30af2cc38ae183d12ffacbcf7
  • a3ecc9951178447b546b004ea2dfd93f
  • 9545905ea3735dcac289eead39e3f893
  • 732ce2ef4b18042ef9e3f3e52ad59916
  • cb905bb6a38b5d253eb64aab46eafbd7
  • ebeeef845d0d666363935da89a57b44d
Advertisements

Unpacked DLL file MD5 Hash

  • 3ecc9ca5e744d7ddafa04834c70b95c3

Domain used by the DLL for Squirrelwaffle CnC

  • 107[.]180[.]12[.]15 port 80 centralfloridaasphalt[.]com
  • 119[.]235[.]250[.]50 port 80 kmslogistik[.]com
  • 143[.]95[.]80[.]83 port 80 chaturanga[.]groopy[.]com
  • 160[.]153[.]129[.]37 port 80 mercyfoundationcio[.]org
  • 160[.]153[.]129[.]37 port 80 shoeclearanceoutlet[.]co[.]uk
  • 160[.]153[.]131[.]187 port 80 spiritofprespa[.]com
  • 166[.]62[.]28[.]139 port 80 jhehosting[.]com
  • 166[.]62[.]28[.]139 port 80 key4net[.]com
  • 166[.]62[.]28[.]139 port 80 lead[.]jhinfotech[.]co
  • 166[.]62[.]28[.]139 port 80 voip[.]voipcallhub[.]com
  • 166[.]62[.]28[.]139 port 80 voipcallhub[.]com
  • 194[.]181[.]228[.]45 port 80 bartek-lenart[.]pl
  • 194[.]181[.]228[.]45 port 80 lenartsa[.]webd[.]pro
  • 202[.]52[.]147[.]113 port 80 amjsys[.]com
  • 203[.]124[.]44[.]95 port 80 novamarketing[.]com[.]pk
  • 216[.]219[.]81[.]3 port 80 ems[.]prodigygroupindia[.]com
  • 216[.]219[.]81[.]3 port 80 hrms[.]prodigygroupindia[.]com

Cobalt Strike Stager MD5 Hashes

  • 116301fd453397fdf3cb291341924147
  • ef799b5261fd69b56c8b70a3d22d5120

Cobalt Strike CnC Servers

  • 213.227.154[.]92:443/jquery-3.3.1.min.js
  • 213.227.154[.]92:8080/jquery-3.3.1.min.js
  • systemmentorsec[.]com:443/jquery-3.3.1.min.js
  • systemmentorsec[.]com:8080/jquery-3.3.1.min.js