I. Targeted Entities

  • Microsoft Office Documents

II. Introduction

A new malware loader, SquirrelWaffle, is malware-spamming malicious Microsoft Office documents to deliver Qakbot malware.

III. Background Information

Cisco Talos researchers discovered malspam campaigns beginning in mid-September when they noticed booby-trapped Office documents infecting systems with SquirrelWaffle in the initial stage of the infection chain.[1] The campaigns are using stolen email threads to come off as replies in those, legitimate, threads. The SquirrelWaffle emails typically contain hyperlinks to malicious ZIP folders hosted on attacker-controlled web servers, Cisco Talos researchers say.[1] 76% of the emails are written in English, but the language shifts to the language that was used in the original email thread. The top five languages used include English, French, German, Dutch, and Polish.[1]

Cisco Talos researchers say that SquirrelWaffle isn’t a towering and majestic oak tree, at least not yet. The researchers provided an example of an email in which an attacker replied to an extortion email, which the researchers say is, “ineffective in convincing the recipient to access the content in the body of the email”.[1] The Cisco Talos researchers also say that SquirrelWaffle isn’t as prolific as other campaigns, like Emotet, but is growing.[1]

The Cisco Talos researchers analyzed the SquirrelWaffle campaign and found characteristics that pointed to the malicious Office documents as likely having been crafted using an automated builder. For example, in this campaign, “the Microsoft Excel spreadsheets were crafted to make static analysis with tools like XLMDeobfuscator less effective.”[1] The researchers have also said that SquirrelWaffle has seen daily spam runs since September 10th. Another sign that SquirrelWaffle is being distributed with an automated builder is that the URL structure of its distribution servers is tied to the daily campaigns, and rotates every few days.[1]

Victims who click on the links in the malicious emails end up downloading a ZIP archive that contains infected Office files, specifically Word documents and Excel spreadsheets. However, researchers have noticed a shift away from Word documents and an almost exclusive use of Excel spreadsheets.[1] When Word documents were being used, the documents were spruced up in such a way to persuade users that the document was a Docusign document, a service used for sharing and signing documents. Whether a Word document or Excel spreadsheet is used, they are the vehicles that lead to the next stage: the SquirrelWaffle payload.

In all of the SquirrelWaffle campaigns seen, the links used to host the ZIP archives contain Latin words and follow a structure similar to this: abogados-en-medellin[.]com/odit-error/assumenda[.]zip.[1] Inside of the ZIP archives, the infected Office files often follow a naming convention like the following: chart-1187900052.xls or diagram-127.doc.[1]

The malware distributions are, seemingly, jumping on previously compromised web servers, primarily those running versions of WordPress, with the most prevalent compromised version being WordPress 5.8.1.[1] Cisco Talos researchers were unable to discern whether the responsible actor was the same threat or if the server had been attacked by multiple, different, actors. Although SquirrelWaffle is relatively new, researchers say that the implementations have a lot in common with those seen from other, more established threat actors. Cisco Talos recommends that organizations continue to use comprehensive defense security controls in order to prevent, detect, or respond to SquirrelWaffle campaigns that they may encounter.[1]

IV. MITRE ATT&CK

  • T1059 – Command and Scripting Interpreter
    SquirrelWaffle leverages access to scripts in order to initialize its attack vector.
  • T1137 – Office Application Startup
    Office Application Word can be set to startup, automatically providing a platform for malware drops.
  • T1055 – Process Injection
    Malicious processes run on top of the victim OS.
  • T1592 – Gather Victim Host Information
    SquirrelWaffle scans the host system for key information during the infection process.

V. Recommendations

  • Patch Systems and Keep Them Updated
    Make sure your systems are always updated with the latest patch to avoid any malware taking advantage of outdated systems and zero-day vulnerabilities
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.app.box.com/file/878072989113

VII. References

(1) Vaas, Lisa. “Squirrelwaffle Loader Malspams, Packs Qakbot, Cobalt Strike.” Threatpost English Global, October 26, 2021. https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Dorian Pope