Cybersecurity Threat Advisory 0073-21: New Malware Used to Deploy Qakbot and Cobalt Strike
Threat actors have begun using a new malware loader named Squirrelwaffle to gain an initial foothold in target networks and drop malware, including Qakbot and Cobalt Strike, onto compromised systems and networks in recent campaigns.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The Squirrelwaffle malware loader first came to light in September of this year and is delivered via a malicious email campaign. In a strategy similar to those observed in previous threats like Emotet, threat actors appear to be utilizing stolen email threads, making their malicious communications appear as replies to existing conversations. These emails typically contain hyperlinks to ZIP files hosted on attacker-controlled web servers. The ZIP files contain malicious Microsoft Office files, including Word documents and Excel sheets, that initiate the infection process when their content is executed. Several threat actors have been observed using the DocuSign signing platform to trick recipients into enabling macros in their Microsoft Office Suite.
The code contained in these documents uses string reversal to obfuscate its actions, writes a VBS script to %PROGRAMDATA%, and executes it. Squirrelwaffle is then fetched from a hardcoded URL and delivered onto the compromised system in the form of a DLL file. Finally, Squirrelwaffle deploys malware like Qakbot, a banking trojan known to target businesses for the purpose of stealing their login credentials and draining their bank accounts, or the widely abused penetration testing tool Cobalt Strike, which can be used to establish and maintain a covert unauthorized presence on victim networks.
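The string-reversal obfuscation described above can be triaged in macro source that has already been extracted from a quarantined attachment. The following is an added example, not code from this advisory or from any vendor product; the keyword list, the function name and the sample macro are assumptions constructed for illustration.

```python
import re

# Keywords a defender would expect in a dropper that writes and runs a script.
# This list is an assumption chosen for the example, not taken from the advisory.
SUSPICIOUS = ("programdata", ".vbs", "wscript", "cscript",
              "createobject", "http://", "https://")

# VBA string literal: double-quoted, with "" as an escaped quote.
_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def reversed_string_hits(vba_source):
    """Return (line_no, decoded, keywords) for string literals that only
    look suspicious after being reversed."""
    hits = []
    for line_no, line in enumerate(vba_source.splitlines(), start=1):
        if line.lstrip().startswith("'"):  # skip VBA comment lines
            continue
        for match in _LITERAL.finditer(line):
            literal = match.group(1).replace('""', '"')
            forward = literal.lower()
            backward = forward[::-1]
            # Flag only keywords hidden by reversal, not plain-text ones.
            found = [k for k in SUSPICIOUS if k in backward and k not in forward]
            if found:
                hits.append((line_no, literal[::-1], found))
    return hits


# Constructed sample macro text (placeholder names, not from a real sample).
SAMPLE_MACRO = '''Sub AutoOpen()
    ' constructed example for triage testing
    p = StrReverse("sbv.elpmaxe\\%ATADMARGORP%")
    u = StrReverse("lld.elpmaxe/dilavni.elpmaxe//:ptth")
    MsgBox "Please wait"
End Sub
'''

if __name__ == "__main__":
    for line_no, decoded, keywords in reversed_string_hits(SAMPLE_MACRO):
        print(f"line {line_no}: {decoded!r} matches {keywords}")
```

A hit is a reason to escalate the attachment for analysis, not a verdict: the check covers whole-literal reversal only and will miss strings assembled piece by piece.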
WHY IS IT NOTEWORTHY?
Squirrelwaffle has been gaining popularity in recent months as an effective new malware loader for threat actors to use in their campaigns. Because it utilizes a number of obfuscation techniques, including blocking IPs of noted security research firms and deploying antibot scripts to prevent detection and analysis, Squirrelwaffle has the potential to become a serious threat to any organization that does not employ a comprehensive defense-in-depth strategy to combat cyber threats.
WHAT IS THE EXPOSURE OR RISK?
The more layers of defense your organization has against cyber threats, the less at risk it is of falling victim to Squirrelwaffle. Because these attacks require several steps to successfully infect a system, there are multiple opportunities to stop them. For example, an organization that combines Email Protection with Security Awareness Training and Endpoint Protection can catch and stop a threat as early as its arrival in the user’s inbox through Email Protection, or through the user’s security awareness or endpoint protection, and will be far better protected than an organization that uses security awareness training alone. The more layers of security, the better.
WHAT ARE THE RECOMMENDATIONS?
To secure your organization against Squirrelwaffle, Barracuda MSP recommends combining the following measures for a comprehensive defense-in-depth strategy:
- Deploy an endpoint protection solution. Endpoint protection can prevent the malware detailed in this advisory from executing in your network.
- Deploy SKOUT Email Protection or another email protection solution to block malicious emails, like the ones used to spread Squirrelwaffle, and alert users to potential threats in their inbox.
- Block known Squirrelwaffle IOCs, which include these domains and hashes (SHA256), across your network.
- Enforce multifactor authentication (MFA) across your organization’s applications and services to ensure only authorized users access resources.
- Conduct regular security awareness training to keep users armed with the information they need to combat threats of this nature.
For more in-depth information about the threat and recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.