Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

SquirrelWaffle

134
Global rank
125 infographic chevron month
Month rank
111 infographic chevron week
Week rank
0
IOCs

SquirrelWaffle is a dropper that distributes Qbot and Cobalt Strike, in addition to other malware families. It leverages malicious documents that are part of compromised emails to drop second-level payloads to affected devices.

Dropper
Type
Unknown
Origin
8 September, 2021
First seen
11 February, 2024
Last seen

How to analyze SquirrelWaffle with ANY.RUN

Dropper
Type
Unknown
Origin
8 September, 2021
First seen
11 February, 2024
Last seen

IOCs

URLs
http://com.co/WHe08obY
http://astetinternational.com/arW5e44Y7vzO
http://vicamtaynam.com/VtyiHAft
http://snsvidyapeeth.in/aXmo2Dr3
http://razisystem.ir/MqvvkX0cWvn
http://com.br/qQofZMaJm
http://dancongnghe.xyz/yRByhX6J3REI
http://com.br/PGYpETW7
http://co.za/3GilA8Eo3r
http://iconskw.com/cqdPtAbZ
http://ebookchuyennganh.com/v9PMvQDxHK8W
http://vscm.in/V3tYKxDz
http://avyanshglobal.com/6pYjPlqf
http://org.in/rWA02HQY4
http://alsader.net/BHdQaiQ9rt
http://trinitytesttubebaby.com/QR2JvfE3Sv
http://primahills-online.com/ypCiZn7tMx
http://apexbiotech.net/VQgunQ4t5Ue
http://sukmabali.com/ZXxcLYs3rzRQ
http://alkimia-prod.com/nT0imyzmo
Last Seen at

Recent blog posts

post image
How Transport Company Gets Real-Time IOC and...
watchers 556
comments 0
post image
Release Notes: Threat Intelligence Reports, N...
watchers 2987
comments 0
post image
Enriching ANY.RUN's TI Feeds with Unique IOCs...
watchers 737
comments 0

What is SquirrelWaffle malware?

Discovered in September 2021, SquirrelWaffle is a loader/dropper malware strain designed to infect systems with malicious payloads. Security professionals speculate that it emerged as a replacement for Emotet after law enforcement dismantled the notorious botnet. It remains unclear whether the same group is responsible for this new threat, or if a different crew has stepped in to capitalize on the void left by the infamous malware.

The Squirrelwaffle payload, a PE DLL, is dropped on infected systems and executed using either rundll32.exe or regsvr32.exe, depending on the maldoc initiating the infection process. For instance, the payload can be executed using rundll32.exe with the following syntax: cmd.exe /c rundll32.exe C:\ProgramData[DLL FILENAME],ldr.

Primarily functioning as a malware loader, the DLL allows for deploying additional malware, with Qbot and Cobalt Strike installations often observed following the initial compromise. The DLL contains an IP blocklist in its configuration to further evade automated analysis platforms and security research organizations.

One of the the DLL's functionalities involves encoding and decoding information to enable communication between the victim system and the C2 infrastructure. The malware communicates with the C2 over HTTP POST requests containing obfuscated data, which is XOR-obfuscated and Base64-encoded.

The URL used for victim-C2 communication comprises a random alphanumeric string and the victim's IP address. The HTTP POST request body contains information about the victim system, such as %APPDATA% configuration, host name, username, and workstation configuration.

The C2 server responds with a status code and the previously sent beacon information obfuscated using the same method. This C2 channel can also deliver secondary payloads as per the attacker's discretion.

It is also worth noting that threat actors use compromised web servers, primarily running WordPress 5.8.1, for file distribution and deploy "antibot" scripts to avoid white-hat detection.

Analyzing SquirrelWaffle malware in ANY.RUN

ANY.RUN's cloud-based interactive sandbox facilitates seamless analysis of SquirrelWaffle samples for malware analysts. The platform efficiently compiles and displays execution data in accessible formats while gathering artifacts and Indicators of Compromise (IOCs) in real time.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Due to the specific traits inside its POST requests, SquirrelWaffle may be detected by network activity. On the screenshot below, loader was detected by a Suricata rule.

SquirrelWaffle’s network activity The SquirrelWaffle’s network activity with a detected loader

SquirrelWaffle malware execution

In order to be as inconspicuous as possible, Squirrelwaffle execution flow is simple. The loader often sneaks into the systems after a user opens a malicious document. Then the payload is downloaded, and it starts execution. While active, Squirrelwaffle connects to the Command & Control server to download the next-step payload.

Checked out a sample we've analyzed.

SquirrelWaffle’s malware configuration Malware configuration extracted from SquirrelWaffle

SquirrelWaffle malware distribution

SquirrelWaffle is primarily delivered through malicious documents in phishing campaigns, often employing stolen reply-chain attacks for distribution. This method involves hijacking an existing account to send phishing emails, rather than fabricating an account or creating a new one.

This technique boasts a high success rate, as it is challenging to defend against. By gaining access to email history, adversaries can craft convincing messages and continue existing conversation. This leaves few discernible phishing indicators. Researchers note that SquirrelWaffle-distributing emails are well-composed, and the attackers adeptly mimic the style of prior correspondence, regardless of the language.

While the malware predominantly targets English-speaking users, campaigns in French, German, Dutch, and Polish have also been detected — though they account for less than 30% of the total volume at the time of writing.

The malicious emails typically contain hyperlinks to infected ZIP archives hosted on attacker-controlled servers. These emails usually include a malicious .doc or .xls attachment, which triggers the execution of malware-retrieving code when opened.

The attackers fake the DocuSign signing platform, persuading recipients to enable macros in their MS Office suite. The embedded code employs string reversal for obfuscation, creates a VBS script in %PROGRAMDATA%, and then executes it.

This process retrieves Squirrelwaffle from one of five hardcoded URLs and delivers it as a DLL file to the compromised system. Subsequently, the Squirrelwaffle loader deploys malware such as Qakbot or the often-misused penetration testing tool, Cobalt Strike.

Conclusion

In the wake of Emotet's disruption, it was inevitable that threat actors would devise a substitute. It may be premature to declare SquirrelWaffle as the definitive replacement, but it possesses the fundamental attributes needed to potentially become the next prominent dropper and assume Emotet's role.

We recommend that organizations and researchers examine the TTPs (tactics, techniques, and procedures) utilized by this malware operation while it is still in the (relatively) early stages of gaining traction.

HAVE A LOOK AT

Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More