Squirrelwaffle
Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Squirrelwaffle has used HTTP POST requests for C2 communications.[1] |
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
Squirrelwaffle has encrypted collected data using a XOR-based algorithm.[1] |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Squirrelwaffle has used PowerShell to execute its payload.[1][2] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Squirrelwaffle has used |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Squirrelwaffle has encoded its communications to C2 servers using Base64.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Squirrelwaffle has decrypted files and payloads using a XOR-based algorithm.[1][2] |
|
| Enterprise | T1041 | Exfiltration Over C2 Channel |
Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.[1] |
|
| Enterprise | T1105 | Ingress Tool Transfer |
Squirrelwaffle has downloaded and executed additional encoded payloads.[1][2] |
|
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Squirrelwaffle has been packed with a custom packer to hide payloads.[1][2] |
| .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Squirrelwaffle has been obfuscated with a XOR-based algorithm.[1][2] |
||
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails.[2] |
| .002 | Phishing: Spearphishing Link |
Squirrelwaffle has been distributed through phishing emails containing a malicious URL.[1] |
||
| Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 |
Squirrelwaffle has been executed using |
| .011 | System Binary Proxy Execution: Rundll32 |
Squirrelwaffle has been executed using |
||
| Enterprise | T1082 | System Information Discovery |
Squirrelwaffle has gathered victim computer information and configurations.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Squirrelwaffle has collected the victim’s external IP address.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery |
Squirrelwaffle can collect the user name from a compromised host.[1] |
|
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Squirrelwaffle has relied on victims to click on a malicious link send via phishing campaigns.[1] |
| .002 | User Execution: Malicious File |
Squirrelwaffle has relied on users enabling malicious macros within Microsoft Excel and Word attachments.[1][2] |
||
| Enterprise | T1497 | Virtualization/Sandbox Evasion |
Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.[1][2] |
|