Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

Soon after the disturbance of the widely used botnet, Emotet by the law enforcement firms, Squirrelwaffle became an option to Emotet. The first indications of this new hazard appeared in September 2021, and the distribution volumes reached a peak at the end of that month.

A new hazard emerged recently in the wild that drops malware like Qakbot and Cobalt Strike onto negotiated networks and systems; this brand-new risk is called as “Squirrelwaffle” and danger actors are actively spreading out Squirrelwaffle through numerous harmful e-mail projects.

Email Campaigns & & Languages Used

It is possible that Squirrelwaffle is a revamped version of Emotet by the members who got away the law enforcement; or it might be a new attempt by other risk stars who are trying the fill the space left behind by Emotet.

Attack procedure.

The experts of Cisco Talos have actually advised all the security specialists and organizations to stay conscious of the brand-new TTPs utilized by the danger stars.

According to the report “A malicious.doc or.xls attachment is generally attached to an e-mail that links to destructive ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening.”.

As soon as done, after that from among the five hardcoded URLs, it fetches Squirrelwaffle in DLL kind to deliver it onto the endangered system. Now, here, at this moment, if the Squirrelwaffle in DLL type is effectively provided onto the victims system, then using rundll32.exe the destructive DLL is performed.

After finishing all the stages, the Squirrelwaffle loader deploys malware like Qakbot and Cobalt Strike. For post-exploitation jobs after deploying beacons, the hazard stars utilize the broken variations of Cobalt Strike to gain access to compromised devices from another location.

In order to trick receivers into allowing the macros within MS Office Suite, hazard stars utilize DocuSign as bait.

In addition to taken reply-chain e-mail campaigns in English, however, the spammers also utilize e-mails in the following languages:-.

As part of the attack, string reversal is used to obfuscate the code, which then composes a VBS script to the %PROGRAMDATA% directory site, and after that performs it.

% APPDATA% setup.
The hostname of the system.
The username of the victim.
The Workstation setup of the system.

With a C2 over HTTP POST demands containing obfuscated information, the malware tries to interact, and the body of the HTTP POST demand consists of the following info about the victim system:-.


You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity updates.