Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

SquirrelWaffle

143
Global rank
138 infographic chevron month
Month rank
126 infographic chevron week
Week rank
0
IOCs

SquirrelWaffle is a dropper that distributes Qbot and Cobalt Strike, in addition to other malware families. It leverages malicious documents that are part of compromised emails to drop second-level payloads to affected devices.

Dropper
Type
Unknown
Origin
8 September, 2021
First seen
11 February, 2024
Last seen

How to analyze SquirrelWaffle with ANY.RUN

Dropper
Type
Unknown
Origin
8 September, 2021
First seen
11 February, 2024
Last seen

IOCs

URLs
http://com.co/WHe08obY
http://astetinternational.com/arW5e44Y7vzO
http://vicamtaynam.com/VtyiHAft
http://snsvidyapeeth.in/aXmo2Dr3
http://razisystem.ir/MqvvkX0cWvn
http://com.br/qQofZMaJm
http://dancongnghe.xyz/yRByhX6J3REI
http://com.br/PGYpETW7
http://co.za/3GilA8Eo3r
http://iconskw.com/cqdPtAbZ
http://ebookchuyennganh.com/v9PMvQDxHK8W
http://vscm.in/V3tYKxDz
http://avyanshglobal.com/6pYjPlqf
http://org.in/rWA02HQY4
http://alsader.net/BHdQaiQ9rt
http://trinitytesttubebaby.com/QR2JvfE3Sv
http://primahills-online.com/ypCiZn7tMx
http://apexbiotech.net/VQgunQ4t5Ue
http://sukmabali.com/ZXxcLYs3rzRQ
http://alkimia-prod.com/nT0imyzmo
Last Seen at

Recent blog posts

post image
ANY.RUN Becomes a Gold Winner in Threat Intel...
watchers 144
comments 0
post image
How Malware Analysis Training Powers Up SOC a...
watchers 309
comments 0
post image
Evolution of Tycoon 2FA Defense Evasion Mecha...
watchers 2963
comments 0

What is SquirrelWaffle malware?

Discovered in September 2021, SquirrelWaffle is a loader/dropper malware strain designed to infect systems with malicious payloads. Security professionals speculate that it emerged as a replacement for Emotet after law enforcement dismantled the notorious botnet. It remains unclear whether the same group is responsible for this new threat, or if a different crew has stepped in to capitalize on the void left by the infamous malware.

The Squirrelwaffle payload, a PE DLL, is dropped on infected systems and executed using either rundll32.exe or regsvr32.exe, depending on the maldoc initiating the infection process. For instance, the payload can be executed using rundll32.exe with the following syntax: cmd.exe /c rundll32.exe C:\ProgramData[DLL FILENAME],ldr.

Primarily functioning as a malware loader, the DLL allows for deploying additional malware, with Qbot and Cobalt Strike installations often observed following the initial compromise. The DLL contains an IP blocklist in its configuration to further evade automated analysis platforms and security research organizations.

One of the the DLL's functionalities involves encoding and decoding information to enable communication between the victim system and the C2 infrastructure. The malware communicates with the C2 over HTTP POST requests containing obfuscated data, which is XOR-obfuscated and Base64-encoded.

The URL used for victim-C2 communication comprises a random alphanumeric string and the victim's IP address. The HTTP POST request body contains information about the victim system, such as %APPDATA% configuration, host name, username, and workstation configuration.

The C2 server responds with a status code and the previously sent beacon information obfuscated using the same method. This C2 channel can also deliver secondary payloads as per the attacker's discretion.

It is also worth noting that threat actors use compromised web servers, primarily running WordPress 5.8.1, for file distribution and deploy "antibot" scripts to avoid white-hat detection.

Analyzing SquirrelWaffle malware in ANY.RUN

ANY.RUN's cloud-based interactive sandbox facilitates seamless analysis of SquirrelWaffle samples for malware analysts. The platform efficiently compiles and displays execution data in accessible formats while gathering artifacts and Indicators of Compromise (IOCs) in real time.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Due to the specific traits inside its POST requests, SquirrelWaffle may be detected by network activity. On the screenshot below, loader was detected by a Suricata rule.

SquirrelWaffle’s network activity The SquirrelWaffle’s network activity with a detected loader

SquirrelWaffle malware execution

In order to be as inconspicuous as possible, Squirrelwaffle execution flow is simple. The loader often sneaks into the systems after a user opens a malicious document. Then the payload is downloaded, and it starts execution. While active, Squirrelwaffle connects to the Command & Control server to download the next-step payload.

Checked out a sample we've analyzed.

SquirrelWaffle’s malware configuration Malware configuration extracted from SquirrelWaffle

SquirrelWaffle malware distribution

SquirrelWaffle is primarily delivered through malicious documents in phishing campaigns, often employing stolen reply-chain attacks for distribution. This method involves hijacking an existing account to send phishing emails, rather than fabricating an account or creating a new one.

This technique boasts a high success rate, as it is challenging to defend against. By gaining access to email history, adversaries can craft convincing messages and continue existing conversation. This leaves few discernible phishing indicators. Researchers note that SquirrelWaffle-distributing emails are well-composed, and the attackers adeptly mimic the style of prior correspondence, regardless of the language.

While the malware predominantly targets English-speaking users, campaigns in French, German, Dutch, and Polish have also been detected — though they account for less than 30% of the total volume at the time of writing.

The malicious emails typically contain hyperlinks to infected ZIP archives hosted on attacker-controlled servers. These emails usually include a malicious .doc or .xls attachment, which triggers the execution of malware-retrieving code when opened.

The attackers fake the DocuSign signing platform, persuading recipients to enable macros in their MS Office suite. The embedded code employs string reversal for obfuscation, creates a VBS script in %PROGRAMDATA%, and then executes it.

This process retrieves Squirrelwaffle from one of five hardcoded URLs and delivers it as a DLL file to the compromised system. Subsequently, the Squirrelwaffle loader deploys malware such as Qakbot or the often-misused penetration testing tool, Cobalt Strike.

Conclusion

In the wake of Emotet's disruption, it was inevitable that threat actors would devise a substitute. It may be premature to declare SquirrelWaffle as the definitive replacement, but it possesses the fundamental attributes needed to potentially become the next prominent dropper and assume Emotet's role.

We recommend that organizations and researchers examine the TTPs (tactics, techniques, and procedures) utilized by this malware operation while it is still in the (relatively) early stages of gaining traction.

HAVE A LOOK AT

DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Phobos screenshot
Phobos
phobos ransomware
Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.
Read More