A new malware loader is being used by attackers to gain an initial foothold in targeted networks and drop additional malware.
About the Squirrelwaffle campaign
- The spam campaign uses stolen reply-chain email threads, mostly written in English, though attempts in German, Dutch, Polish, and French have also been seen.
- It uses the DocuSign signing platform as a lure to trick targeted users into enabling macros in their MS Office suite.
- The attackers use previously compromised web servers to host and distribute the files; most of these sites are running WordPress version 5.8.1.
- Post-infection, Squirrelwaffle deploys malware such as Qakbot or Cobalt Strike.
As it turns out, the Squirrelwaffle developers have put considerable effort into making sure the malware stays hidden and is not easy to analyze.
Anti-detection and obfuscation
- On these servers, the attackers use anti-bot scripts that further hinder detection and analysis by security researchers.
- Further, once macros are enabled, the malicious code uses string reversal for obfuscation, writes a VBS script, and executes it.
- That script retrieves Squirrelwaffle as a DLL file from one of five hardcoded URLs.
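As an added defender-side example, not part of the original article or any real sample: a small Python scanner that restores string literals passed to VBA's StrReverse() in macro source and flags any that reveal script-host, file-path or download indicators once un-reversed. The macro fragment, its placeholder path and its placeholder URL are constructed for the example.

```python
import re

# Constructed macro fragment illustrating the string-reversal trick described
# above. The host, path and URL values are harmless placeholders.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim s As String
    s = StrReverse("llehS.tpircSW")
    Dim p As String
    p = StrReverse("sbv.tpircs\cilbuP\sresU\:C")
    Dim u As String
    u = StrReverse("lld.daolyap/dilavni.elpmaxe//:ptth")
End Sub
'''

# Matches StrReverse("...") with a plain string literal argument (case-insensitive,
# as VBA keywords are).
STRREVERSE_RE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)

# Substrings a defender would want to see once the literal is restored:
# a script host, a dropped-script extension, a DLL, a download URL, a
# world-writable drop directory.
SUSPICIOUS = ("wscript.shell", "http://", "https://", ".vbs", ".dll", "\\users\\public\\")


def recover_reversed_literals(macro_text):
    """Return the plaintext of every string literal passed to StrReverse()."""
    return [m.group(1)[::-1] for m in STRREVERSE_RE.finditer(macro_text)]


def flag_macro(macro_text):
    """Return a list of (recovered_string, matched_indicators) for the
    recovered literals that contain at least one suspicious substring."""
    findings = []
    for plain in recover_reversed_literals(macro_text):
        hits = [ind for ind in SUSPICIOUS if ind in plain.lower()]
        if hits:
            findings.append((plain, hits))
    return findings


if __name__ == "__main__":
    for plain, hits in flag_macro(SAMPLE_MACRO):
        print(f"{plain!r:45} <- {', '.join(hits)}")
```

This only handles the literal form; macros that assemble strings with Chr() or concatenation need the same idea applied after a constant-folding pass.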
Squirrelwaffle may be new on the scene, but it has the potential to become a serious threat in the coming days. Organizations and their security teams are therefore advised to take note of its TTPs, which can help them identify the threat at an early stage, before it can damage their networks or systems.