Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

Shortly after law enforcement disrupted the widely used Emotet botnet, Squirrelwaffle emerged as an alternative to it. The first signs of this new threat appeared in September 2021, and distribution volumes peaked at the end of that month.

A new threat that recently emerged in the wild drops malware such as Qakbot and Cobalt Strike onto compromised networks and systems. This new threat is called "Squirrelwaffle", and threat actors are actively spreading it through a number of malicious email campaigns.

Email Campaigns & Languages Used

Once the VBS script runs, it fetches Squirrelwaffle as a DLL from one of five hardcoded URLs and drops it onto the compromised system. If the DLL is delivered successfully, the malicious DLL is executed using rundll32.exe.

The malware attempts to communicate with its C2 over HTTP POST requests containing obfuscated data. The body of the HTTP POST request includes the following information about the victim system:

%APPDATA% configuration
The hostname of the system
The username of the victim
The workstation configuration of the system

Squirrelwaffle may be a revamped version of Emotet operated by members who evaded law enforcement, or it may be a new attempt by other threat actors to fill the void left by Emotet.

To trick recipients into enabling macros in the MS Office suite, the threat actors use DocuSign as a lure.

In addition to stolen reply-chain email campaigns in English, the spammers also use emails in the following languages:

Attack process

According to the report, "A malicious .doc or .xls attachment is generally connected to an e-mail that connects to malicious ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening."

As part of the attack, string reversal is used to obfuscate the macro code, which then writes a VBS script to the %PROGRAMDATA% directory and executes it.

After all the stages complete, the Squirrelwaffle loader deploys malware such as Qakbot and Cobalt Strike. For post-exploitation tasks after deploying beacons, the threat actors use cracked versions of Cobalt Strike to gain remote access to compromised devices.

The experts at Cisco Talos have therefore urged all security professionals and organizations to stay aware of the new TTPs used by the threat actors.
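The delivery chain described in this article (an Office macro writes a VBS script under %PROGRAMDATA%, the script fetches a DLL, and rundll32.exe executes it) leaves a recognisable trail in process-creation telemetry. The following Python detection logic is an added example, not code from the article or from Cisco Talos' report; the log line format, field names, host names and file names are constructed for illustration and do not reflect real Squirrelwaffle indicators.

```python
"""Detection example (constructed, not from the article): flag two stages of the
Squirrelwaffle delivery chain in Sysmon-style process-creation events.

Rule 1: an Office application spawning a script host that runs a .vbs file
        located under %PROGRAMDATA%.
Rule 2: rundll32.exe loading a DLL from a user-writable directory.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    host: str
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmd: str      # command line of the created process


OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories a standard user can write to; a DLL loaded from one of them via
# rundll32.exe is suspicious on a typical workstation.
WRITABLE_DLL = re.compile(r"(?i)\\(programdata|appdata|temp)\\[^\s,]*\.dll")

# Constructed sample log (assumed "key=value | key=value" layout; hosts and
# file names are placeholders, not real indicators of compromise).
SAMPLE_LOG = [
    r"host=WS01 | parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | image=C:\Windows\System32\wscript.exe | cmd=wscript.exe C:\ProgramData\dropper.vbs",
    r"host=WS01 | parent=C:\Windows\System32\wscript.exe | image=C:\Windows\System32\rundll32.exe | cmd=rundll32.exe C:\ProgramData\loader.dll,Run",
    r"host=WS02 | parent=C:\Windows\explorer.exe | image=C:\Windows\System32\rundll32.exe | cmd=rundll32.exe shell32.dll,Control_RunDLL",
    r"host=WS03 | parent=C:\Windows\System32\svchost.exe | image=C:\Windows\System32\wscript.exe | cmd=wscript.exe C:\Scripts\inventory.vbs",
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one 'key=value | key=value' log line into a ProcEvent."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields["host"], fields["parent"], fields["image"], fields["cmd"])


def office_spawns_vbs(ev: ProcEvent) -> bool:
    """Office parent -> script host child running a .vbs under %PROGRAMDATA%."""
    cmd = ev.cmd.lower()
    return (
        basename(ev.parent) in OFFICE_APPS
        and basename(ev.image) in SCRIPT_HOSTS
        and ".vbs" in cmd
        and "\\programdata\\" in cmd
    )


def rundll32_writable_dll(ev: ProcEvent) -> bool:
    """rundll32.exe executing a DLL that lives in a user-writable directory."""
    return basename(ev.image) == "rundll32.exe" and WRITABLE_DLL.search(ev.cmd) is not None


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("office_spawns_vbs_in_programdata", office_spawns_vbs),
    ("rundll32_dll_from_writable_dir", rundll32_writable_dll),
]


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; return (host, rule_name) for each hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev.host, name))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_LOG):
        print(f"{host}: {rule}")
```

Both rules fire on WS01 and neither on the benign rundll32 and wscript invocations from the other hosts. The two stages are kept as separate rules so that either can be tuned (for instance, adding legitimate script directories to an allow-list) without losing the other.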