Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike

A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that lets attackers gain an initial foothold in enterprise networks and drop malicious payloads on compromised systems.

“These infections are also being used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world,” said researchers with Cisco Talos in a technical write-up.


The malspam campaign is believed to have begun in mid-September 2021, delivered via laced Microsoft Office documents that, when opened, trigger an infection chain ending with the machine infected by a malware loader dubbed SQUIRRELWAFFLE.

Mirroring a technique used by other phishing attacks of this kind, the latest operation leverages stolen email threads to lend its messages a veil of legitimacy and trick unsuspecting users into opening the attachments.

What's more, the language used in the reply messages matches the language of the original email thread, a case of dynamic localization put in place to increase the campaign's chances of success. The top five languages used to deliver the loader are English (76%), followed by French (10%), German (7%), Dutch (4%), and Polish (3%).
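The reply-chain technique described above leaves a usable signal on the defender's side: a message that presents itself as a reply (In-Reply-To or References set) yet carries an Office document attachment, and whose sender address appears nowhere in the quoted thread it claims to continue. The following triage script is an added example and is not code from the Talos or Zscaler write-ups. Everything in it is an assumption of the example: the sender-not-in-thread heuristic, the sample messages and their addresses (all constructed, using reserved `.test` domains), and the choice to match Office containers by file extension or by OLE2/OOXML magic bytes.

```python
"""Heuristic triage for reply-chain malspam that carries Office attachments.

Added example, not code from the Talos or Zscaler write-ups. It assumes the
defender can pull raw RFC 822 messages (for instance from a gateway
quarantine) and wants a cheap pre-filter before detonating attachments.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Container signatures: legacy OLE2 (.doc/.xls) and OOXML (a ZIP holding a
# [Content_Types].xml entry). A renamed attachment still matches on bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OFFICE_EXT = re.compile(r"\.(docx?|docm|dotm?|xlsx?|xlsm|xlsb|pptx?|pptm)$", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_office_blob(name: str, data: bytes) -> bool:
    """True if the part looks like an Office document by name or by content."""
    if OFFICE_EXT.search(name):
        return True
    if data.startswith(OLE_MAGIC):
        return True
    return data.startswith(ZIP_MAGIC) and b"[Content_Types].xml" in data


def triage(raw: bytes) -> dict:
    """Return indicators and a verdict for one raw message.

    Heuristic (an assumption of this example, not a Talos finding): a genuine
    reply usually comes from an address that already appears somewhere in the
    quoted thread, whereas a hijacked thread is re-sent from a foreign account.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))

    m = ADDR_RE.search(str(msg.get("From") or ""))
    sender = m.group(0).lower() if m else ""

    attachments = []
    quoted_text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            data = part.get_payload(decode=True) or b""
            if is_office_blob(name, data):
                attachments.append(name or "<unnamed>")
        elif part.get_content_type() == "text/plain":
            quoted_text += part.get_content()

    # Addresses mentioned in the body, i.e. the participants of the quoted thread.
    thread_addrs = {a.lower() for a in ADDR_RE.findall(quoted_text)}
    sender_in_thread = sender in thread_addrs

    if is_reply and attachments and not sender_in_thread:
        verdict = "suspicious"   # reply-shaped, Office payload, foreign sender
    elif is_reply and attachments:
        verdict = "review"       # known participant, but still an Office doc
    else:
        verdict = "clean"
    return {
        "is_reply": is_reply,
        "sender": sender,
        "sender_in_thread": sender_in_thread,
        "attachments": attachments,
        "verdict": verdict,
    }


def build_sample(sender: str, filename: str, payload: bytes) -> bytes:
    """Constructed sample: a reply that quotes a two-party thread (not real mail)."""
    msg = EmailMessage()
    msg["From"] = f"Jane Doe <{sender}>"
    msg["To"] = "bob@partner-example.test"
    msg["Subject"] = "Re: Q3 invoice"
    msg["In-Reply-To"] = "<orig-123@victim-example.test>"
    msg.set_content(
        "Please see the attached document.\n\n"
        "On Mon, Jane Doe <jane@victim-example.test> wrote:\n"
        "> Hi Bob <bob@partner-example.test>, sending the Q3 invoice.\n"
    )
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    hijacked = build_sample("jane.doe@lookalike-example.test",
                            "Q3_invoice.docm", ZIP_MAGIC + b"\x00" * 16)
    legit = build_sample("jane@victim-example.test",
                         "Q3_invoice.docx", ZIP_MAGIC + b"\x00" * 16)
    for raw in (hijacked, legit):
        print(triage(raw))
```

The verdict is deliberately coarse: "suspicious" routes the message to a sandbox or quarantine, "review" keeps Office documents from known thread participants on an analyst's queue rather than silently passing them, and nothing here replaces attachment detonation. The magic-byte check matters because the file name is attacker-controlled; the extension check alone would miss a renamed container.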

Qakbot and Cobalt Strike

Email distribution volumes capitalizing on the new threat peaked around September 26, based on data compiled by the cybersecurity company.

While previously compromised web servers, mainly running versions of the WordPress content management system (CMS), serve as the malware distribution infrastructure, an interesting technique observed is the use of “antibot” scripts to block web requests that originate from IP addresses belonging not to victims but to automated analysis platforms and security research companies.

The malware loader, besides deploying Qakbot and the infamous penetration testing tool Cobalt Strike on infected endpoints, also establishes communications with a remote attacker-controlled server to retrieve secondary payloads, making it a potent multi-purpose utility.

“Following the Emotet botnet takedown earlier this year, criminal threat actors are filling that void,” Zscaler noted in an analysis of the same malware last month. “SQUIRRELWAFFLE appears to be a new loader taking advantage of this gap. It is not yet clear if SQUIRRELWAFFLE is developed and distributed by a known threat actor or a new group. However, similar distribution techniques were previously used by Emotet.”
