A new malware loader with the potential to become “the next big thing” in spam operations has been detected. Dubbed SquirrelWaffle, the threat is “mal-spamming” malicious Microsoft Office documents. The end goal of the campaign is delivering the well-known Qakbot malware, as well as Cobalt Strike. These are two of the most common culprits used for targeting organizations worldwide.
SquirrelWaffle Malware: A New Threat for Organizations
According to Cisco Talos researchers Edmund Brumaghin, Mariano Graziano and Nick Mavis, “SquirrelWaffle provides threat actors with an initial foothold onto systems and their network environments.” This foothold can later be utilized to facilitate further compromise and malware infections, depending on the hackers’ monetization preferences.
“Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future,” the researchers said. A previous threat of the same caliber is Emotet, which has been plaguing organizations for years. Since Emotet operations were disrupted by law enforcement, security researchers have been waiting for a new player to rise. And it has.
As per the report, beginning in mid-September 2021, the Cisco Talos team observed malspam campaigns delivering malicious Microsoft Office documents that initiate the infection process with SquirrelWaffle. “Similar to what has been observed in previous threats like Emotet, these campaigns appear to be leveraging stolen email threads, as the emails themselves appear to be replies to existing email threads,” the report noted. These emails typically contain hyperlinks to malicious ZIP archives, hosted on hacker-controlled web servers, as seen in many other similar campaigns.
What is specific about the SquirrelWaffle email spam?
The language of the reply messages typically matches the language used in the original email thread, demonstrating that some localization takes place dynamically. While the majority of the emails were written in English, the use of other languages across these campaigns highlights that this threat is not limited to a specific geographic region.
Other languages used by the mal-spam operators include French, German, Dutch, and Polish.
Cisco Talos has observed steady activity associated with SquirrelWaffle, meaning that the volume of the spam could increase over time, as well as the size of the botnet.
In terms of the infection process, the hyperlink in the email sends the victim to a ZIP archive that contains a malicious Office document. Most of these documents are either Microsoft Word or Microsoft Excel files, and all of them carry the malicious code that retrieves the next-stage component, the SquirrelWaffle payload.
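As an added example (not code from the Cisco Talos report), the following mail-gateway check is written against the chain described above: a reply-thread message carrying a link to a ZIP archive, and an archive holding an Office document with a VBA project. It recognises reply prefixes in the languages the article lists, and the sample email, the host example.invalid and the file names are all constructed.

```python
import email
import io
import re
import zipfile
from email import policy

# Constructed sample lure: a reply-thread email linking to a ZIP archive (placeholder host)
SAMPLE_EML = """\
From: accounts@example.invalid
Subject: RE: Invoice for September
Content-Type: text/plain; charset=utf-8

Hi, the updated document is here: http://example.invalid/files/archive.zip
"""
# Reply prefixes in the languages the campaign was seen using (EN/FR, DE, NL, PL)
REPLY_PREFIX = re.compile(r"^\s*(re|aw|antw|odp)\s*:", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def classify_email(raw: str) -> dict:
    """Flag a message that looks like a hijacked-thread reply carrying a ZIP link."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    zip_urls = [u for u in URL_RE.findall(text) if u.lower().rstrip(".,)").endswith(".zip")]
    is_reply = bool(REPLY_PREFIX.match(msg.get("Subject", "")))
    return {"is_reply": is_reply, "zip_urls": zip_urls, "suspicious": is_reply and bool(zip_urls)}

def office_docs_with_macros(zip_bytes: bytes) -> list:
    """List Office documents in the archive whose OOXML container carries a VBA project."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            if not name.lower().endswith((".docm", ".docx", ".xlsm", ".xlsx")):
                continue
            data = outer.read(name)
            if data[:2] != b"PK":  # not an OOXML zip; legacy OLE .doc/.xls would need an OLE parser
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if any(n.lower().endswith("vbaproject.bin") for n in inner.namelist()):
                    found.append(name)
    return found

def build_sample_archive() -> bytes:
    """Constructed fixture: a ZIP holding a .docm that contains word/vbaProject.bin."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("document_1024.docm", inner.getvalue())
    return outer.getvalue()
```

Legacy binary .doc/.xls files are skipped here; checking those for macros needs an OLE parser rather than the zipfile module.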
“Organizations should continue to employ comprehensive defense-in-depth security controls to ensure that they can prevent, detect, or respond to SQUIRRELWAFFLE campaigns that may be encountered in their environments,” Cisco Talos concluded.
More about the now-dead Emotet malware
In August 2020, security researchers created an exploit and subsequently a killswitch (dubbed EmoCrash) to prevent the Emotet malware from spreading. Emotet has been described as an all-in-one malware which could be programmed by threat actors to either download other malware and steal files, or recruit the contaminated hosts into the botnet network. Known since at least 2014, the malware had been used in countless attacks against both private targets and company and government networks.
One of the last Emotet-themed campaigns took advantage of the Covid-19 crisis. The botnet was detected spreading malicious files masqueraded as documents with video instructions on how to protect against the coronavirus. Instead of learning anything useful, the potential victim would get a computer infection ranging from Trojans to worms, according to telemetry data from IBM X-Force and Kaspersky shared last year.