What is SquirrelWaffle Malware?


SquirrelWaffle is a new malware family with the potential to cause serious disruption to businesses. Once it has infiltrated a network, it can be used to cause significant damage. SquirrelWaffle is sometimes used as a delivery mechanism for other malware, such as Qakbot and Cobalt Strike.

SquirrelWaffle Malware: What Is It?

SquirrelWaffle is a new malware loader that spreads via malspam (malicious spam email). Its goal is to infect a device with second-stage malware such as cracked copies of the red-teaming tool Cobalt Strike, or QakBot, a well-known malware family that started out as a simple banking trojan and has since evolved into a multi-functional framework with RAT (Remote Access Trojan)-like capabilities.

According to researchers, the infection chain can start with an email reply-chain attack, in which the threat actor neither inserts themselves into the conversation as a new correspondent nor spoofs someone else's email address. Instead, the attacker uses a compromised account belonging to one of the participants to send the fraudulent SquirrelWaffle email.

Because they have access to the entire thread, the attacker can tailor the malspam message to the context of the existing conversation. The recipient is likely to trust the sender, so there is a higher chance that the target will open the maldoc or click the link. Emotet campaigns were known for their email reply-chain attacks, which contributed greatly to their success.

SquirrelWaffle first surfaced in early September, and since then defenders have noted an increase in infections. According to SentinelLabs researchers, the malware drops distinct payloads even from the same infection chain, and its file path patterns are evolving.

How Does SquirrelWaffle Spread?

The developers of SquirrelWaffle, a dropper (loader) malware, have gone to great lengths to keep it concealed and difficult to analyze.

  • SquirrelWaffle spreads mostly through Microsoft Office document attachments in spam emails.

  • The infection begins when the victim opens a ZIP file containing the malicious Office documents. The VBA macros in that document download the SquirrelWaffle DLL, which subsequently deploys Cobalt Strike as a second-stage payload.

  • The attackers may also use the DocuSign signing platform as bait to lure recipients into enabling macros in their Microsoft Office suite.
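The delivery chain above (ZIP attachment, Office document, VBA macro) can be checked at the mail gateway before a user ever sees the attachment. The following script is an added example written for this article, not code from the SquirrelWaffle analysis it summarizes: it opens a ZIP attachment, and for every Office document inside it checks whether the OOXML container carries a VBA project part (vbaProject.bin). Legacy binary .doc/.xls files (OLE2 containers) store macros differently, so those are flagged for a dedicated macro parser rather than guessed at. The sample attachment it scans is constructed in memory and contains placeholder bytes, not a real maldoc.

```python
import io
import zipfile

# OOXML part names whose presence means the document carries a VBA project
VBA_PART_NAMES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (OLE2) signature
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML documents are ZIP containers


def classify_office_blob(data):
    """Classify the raw bytes of one Office document."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: macros live in OLE streams; hand these to a
        # dedicated macro parser instead of guessing from the container.
        return "legacy-ole-needs-macro-scan"
    if not data.startswith(ZIP_MAGIC):
        return "unexpected-content"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return "corrupt"
    if names & VBA_PART_NAMES:
        return "vba-macro"
    return "no-macro"


def scan_zip_attachment(zip_bytes):
    """Open a ZIP attachment and classify every Office document inside it.

    Returns a dict mapping member name -> verdict."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith(OFFICE_EXTENSIONS):
                results[info.filename] = "skipped"
                continue
            results[info.filename] = classify_office_blob(outer.read(info))
    return results


def build_docm(with_macro):
    """Construct a minimal OOXML Word document in memory (sample input, not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


def build_sample_attachment():
    """Constructed sample ZIP attachment of the kind described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docm", build_docm(with_macro=True))
        z.writestr("notes.docx", build_docm(with_macro=False))
        z.writestr("readme.txt", "plain text, not an Office document")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip_attachment(build_sample_attachment()).items():
        print(f"{name}: {verdict}")
```

Note that the check keys on the container's contents, not the file extension: a document renamed to .docx still shows up as "vba-macro" if it carries a VBA project. Files classified as "legacy-ole-needs-macro-scan" should go to a parser that understands OLE streams, such as olevba from the oletools project.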

Why Does It Matter?

SquirrelWaffle appeared shortly after the notorious Emotet botnet was taken down by law enforcement. According to some researchers, SquirrelWaffle could be a relaunch of Emotet, run by people who evaded the police, Interpol, and other authorities.

  • Because of SquirrelWaffle's ongoing spread, experts recommend that administrators analyze the tactics, techniques and procedures (TTPs) used in this malware operation.

  • The indicators of compromise (IoCs) published for this campaign include SHA256 file hashes and domains.
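Hash and domain IoCs are only useful if they are actually matched against what the environment produces. The script below is an added example, not part of the article or of any published SquirrelWaffle IoC list: it hashes a set of files against a SHA256 list and matches DNS query logs against a domain list. The IoC values, file contents and log lines are all constructed for the example; the real campaign indicators are not reproduced here. The domain match is deliberately suffix-aware, so a query for a subdomain of a listed domain is caught, while a lookalike that merely ends with the same characters is not.

```python
import hashlib

# Constructed IoC lists for this example; the campaign's real indicators are not reproduced here.
IOC_SHA256 = {
    hashlib.sha256(b"constructed sample DLL contents").hexdigest(),
}
IOC_DOMAINS = {
    "loader-stage.example",
    "malicious-example.invalid",
}


def normalize_domain(name):
    """Lower-case and strip a trailing dot so 'CDN.Loader-Stage.example.' compares cleanly."""
    return name.strip().lower().rstrip(".")


def domain_matches(query, ioc_domains):
    """Return the matching IoC domain if the query is that domain or a subdomain of it, else None."""
    q = normalize_domain(query)
    for bad in ioc_domains:
        bad = normalize_domain(bad)
        # endswith('.' + bad) keeps 'notmalicious-example.invalid' from matching 'malicious-example.invalid'
        if q == bad or q.endswith("." + bad):
            return bad
    return None


def match_files(files, ioc_hashes):
    """files: dict path -> bytes. Return {path: sha256} for every file whose hash is on the IoC list."""
    hits = {}
    for path, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in ioc_hashes:
            hits[path] = digest
    return hits


def match_dns_log(lines, ioc_domains):
    """Parse constructed DNS log lines '<timestamp> <client> <query>'; return (ts, client, query, ioc) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip it
        ts, client, query = parts[:3]
        bad = domain_matches(query, ioc_domains)
        if bad is not None:
            hits.append((ts, client, normalize_domain(query), bad))
    return hits


# Constructed sample inputs (paths and log lines are invented for the example)
SAMPLE_FILES = {
    "quarantine/stage.dll": b"constructed sample DLL contents",
    "quarantine/report.docx": b"harmless document bytes",
}
SAMPLE_DNS_LOG = [
    "2022-08-29T10:00:01 10.0.0.5 updates.example.com",
    "2022-08-29T10:00:07 10.0.0.5 CDN.Loader-Stage.example.",
    "2022-08-29T10:01:12 10.0.0.9 malicious-example.invalid",
    "2022-08-29T10:02:00 10.0.0.9 notmalicious-example.invalid",
]

if __name__ == "__main__":
    print("hash hits:", match_files(SAMPLE_FILES, IOC_SHA256))
    for hit in match_dns_log(SAMPLE_DNS_LOG, IOC_DOMAINS):
        print("dns hit:", hit)
```

In practice the IoC sets would be loaded from the published list rather than hard-coded, and the DNS matcher would run over the resolver or proxy logs the organization already keeps; the normalization step matters because logged names frequently differ from the list in case or in a trailing dot.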

Tips for Staying Safe from Malware Attacks

Here are five methods to help you stay safe from SquirrelWaffle and other malware threats:

Avoid Attachments from Unknown Sources

The first line of defense against any sort of malware is to avoid opening attachments that appear to be suspicious.

Most well-targeted malware delivery, such as phishing, is deceptive, and spotting it can take considerable technical knowledge. Phishing is a type of scam in which people are tricked into clicking a link or opening an email that appears to come from a trusted source. When the victim clicks the link, it may take them to a phony website that prompts them for personal information, or to a website that infects their device directly with malware.

As a result, use caution when opening attachments and avoid opening them unless you are certain of their origin.

Install Good Antivirus Software

Investing in anti-virus software and endpoint protection is essential for preventing malware attacks. Such software can detect and block malicious code before it runs.

These tools can also monitor compromised devices and raise alerts when a user visits a potentially dangerous website. Most anti-virus software now includes automatic updates to improve protection against newly developed malware.

Keep an Eye Out for Indicators of Compromise

In some cases anti-virus software is unable to identify malware, or the malware is novel and evasive, as in the case of SquirrelWaffle. In that situation it is essential to keep an eye out for indicators of compromise (IoCs).

An IoC is a sign that a device has been infected with malware. You might observe abnormal behavior on your devices or network, such as activity from unexpected geographic locations, an increase in database reads, or a higher number of authentication attempts.
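One of the behavioral indicators named above, a higher number of authentication attempts, can be turned into a concrete check. The following is an added example, not code from the article: it reads authentication log lines in a constructed format, collects failed attempts per source address, and alerts when any source produces at least THRESHOLD failures within a sliding window of WINDOW minutes. The log format, the addresses and the threshold are assumptions chosen for the example; a real deployment would adapt the parser to its own log source and tune the threshold to its baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window length (assumed for the example)
THRESHOLD = 5                   # failures within one window that trigger an alert


def parse_auth_line(line):
    """Parse a constructed auth log line '<ISO timestamp> <OK|FAIL> user=<name> src=<ip>'."""
    ts_str, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts_str), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def failed_auth_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak_failures} for every source with >= threshold failures in some window."""
    failures = defaultdict(list)
    for line in lines:
        ts, result, _user, src = parse_auth_line(line)
        if result == "FAIL":
            failures[src].append(ts)

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until all events in it fit within `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


# Constructed sample log: 10.0.0.5 sprays six failures in under two minutes,
# 10.0.0.7 shows only occasional failures spread over forty minutes.
SAMPLE_AUTH_LOG = [
    "2022-08-29T09:00:00 OK user=alice src=10.0.0.3",
    "2022-08-29T09:01:00 FAIL user=alice src=10.0.0.5",
    "2022-08-29T09:01:20 FAIL user=bob src=10.0.0.5",
    "2022-08-29T09:01:40 FAIL user=carol src=10.0.0.5",
    "2022-08-29T09:02:00 FAIL user=dave src=10.0.0.5",
    "2022-08-29T09:02:20 FAIL user=erin src=10.0.0.5",
    "2022-08-29T09:02:40 FAIL user=frank src=10.0.0.5",
    "2022-08-29T09:05:00 FAIL user=alice src=10.0.0.7",
    "2022-08-29T09:20:00 FAIL user=alice src=10.0.0.7",
    "2022-08-29T09:40:00 FAIL user=alice src=10.0.0.7",
    "2022-08-29T09:41:00 OK user=alice src=10.0.0.7",
]

if __name__ == "__main__":
    for src, peak in failed_auth_bursts(SAMPLE_AUTH_LOG).items():
        print(f"ALERT: {src} produced {peak} failed logins within {WINDOW}")
```

The sliding window, rather than a fixed per-minute bucket, is what keeps a burst that straddles a bucket boundary from being missed. Grouping by source rather than by user is a deliberate choice here: the sample shows one source cycling through many accounts, which a per-user count would never flag.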

Regularly Update Your Software

Updates are released to resolve security concerns, patch software flaws, remove vulnerabilities from older and outdated systems, improve hardware performance, and provide compatibility with newer types of equipment.

As a result, in addition to installing anti-virus software, keep your software up to date on a regular basis. This removes the known vulnerabilities that attackers would otherwise use to gain access to your computer and infect it with malware.

Avoid Free Apps from Unknown Sources

Buying and downloading software from reputable sources minimizes the risk of malware infection. Reputable vendors take extra precautions to ensure that malware-infected programs are not distributed, because they do not want to jeopardize their reputation. Additionally, paid app versions are often more secure than their free counterparts.

Updated on: 29-Aug-2022
