[MART] - Daily Diary #378 - Squirrelwaffle Loader Deploys Qakbot and Cobalt Strike

CTAS-MAT ctas-mat at appgate.com
Wed Oct 27 20:13:17 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/27/2021 - Diary entry #378:


Squirrelwaffle is a threat that has been spread via spam campaigns since September 2021 to deliver malicious Microsoft Office documents (maldocs). These spam campaigns leverage stolen email threads with links to malicious ZIP artifacts containing a maldoc in DOC or XLS format. The language used in the campaigns is led by English with 76%, followed by French, German, Dutch, and Polish.


As soon as it infects the system, whether executed by rundll32.exe or regsvr32.exe (two native Windows binaries), Squirrelwaffle is used to deliver Qakbot or Cobalt Strike. Qakbot is a well-known banking trojan covered in many of our Daily Diaries, and Cobalt Strike is a penetration-testing tool commonly used during attacks, including the SolarWinds incident, also covered in many of our Daily Diaries. However, the Squirrelwaffle loader can be used to remotely deploy other secondary malicious payloads sent by the attacker.


Although Squirrelwaffle is new, it reveals an interesting structure to deploy multi-purpose threats, similar to others such as IcedID (covered in Daily Diary #240), which took place after the Emotet disruption and is also used as a backdoor/botnet to load other types of malware.


Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
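Added example (not part of the original MART post or of Appgate's tooling): a small process-creation heuristic for the delivery chain described above, in which the maldoc's Office process launches the loader DLL through rundll32.exe or regsvr32.exe. The log lines are constructed for this example, and the pipe-separated "parent|image|command line" layout, the field names, and the severity labels are assumptions rather than any product's schema; the user-writable path list is likewise an assumption to be tuned per environment.

```python
"""Flag rundll32.exe / regsvr32.exe spawned by Word or Excel.

Added example; not code from the original post.  Log format and
severity labels are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents we expect to see in a maldoc-driven chain (assumption: extend as needed).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Native Windows binaries the post names as the loader's launchers.
LOADER_CHILDREN = {"rundll32.exe", "regsvr32.exe"}
# Directories a standard user (and therefore a maldoc) can write to (assumption).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata)\\",
    re.I,
)
# Windows absolute paths inside a command line; commas end a rundll32 "dll,Export" token.
WIN_PATH = re.compile(r'[a-z]:\\[^\s",]+', re.I)

# Constructed sample events: parent image | child image | child command line.
SAMPLE_LOG = """\
C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe -s C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll
C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\ProgramData\\stage.dll,DllMain
C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
"""


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed 'parent|image|cmdline' record; None if malformed."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        return None
    return ProcessEvent(*parts)


def basename(path: str) -> str:
    """Last path component, lower-cased, so image names compare case-insensitively."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Optional[str]:
    """Return 'high', 'medium', or None for an event.

    Office parent + rundll32/regsvr32 child is already unusual ('medium');
    if the command line also references a DLL in a user-writable location,
    which is where a maldoc-dropped loader would live, raise it to 'high'.
    """
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    if basename(ev.image) not in LOADER_CHILDREN:
        return None
    paths = WIN_PATH.findall(ev.command_line)
    if any(USER_WRITABLE.match(p) for p in paths):
        return "high"
    return "medium"


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Run the heuristic over a log blob; returns (severity, parent, cmdline)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        severity = score_event(ev)
        if severity is not None:
            alerts.append((severity, basename(ev.parent_image), ev.command_line))
    return alerts


if __name__ == "__main__":
    for sev, parent, cmd in detect(SAMPLE_LOG):
        print(f"[{sev}] {parent} -> {cmd}")
```

Run against the constructed sample, the two Office-spawned launches of DLLs under AppData and ProgramData score "high", the Office-spawned rundll32 of a system DLL scores "medium" (worth a look but common in benign Control Panel launches), and the explorer.exe and svchost.exe parents are ignored. In production the parent check matters more than the path check: the post notes the loader runs through native binaries, so the child image alone is never a signal.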
