Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[1][2]

ID: S1030
Platforms: Windows
Contributors: Sebastian Showell-Westrip, BT Security; Harry Hill, BT Security; Catherine Williams, BT Security
Version: 1.0
Created: 09 August 2022
Last Modified: 26 August 2022

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Squirrelwaffle has used HTTP POST requests for C2 communications.[1]

Enterprise T1560.003 Archive Collected Data: Archive via Custom Method

Squirrelwaffle has encrypted collected data using an XOR-based algorithm.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Squirrelwaffle has used PowerShell to execute its payload.[1][2]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Squirrelwaffle has used cmd.exe for execution.[2]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an AutoOpen subroutine.[1][2]

Enterprise T1132.001 Data Encoding: Standard Encoding

Squirrelwaffle has encoded its communications to C2 servers using Base64.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Squirrelwaffle has decrypted files and payloads using an XOR-based algorithm.[1][2]

Enterprise T1041 Exfiltration Over C2 Channel

Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.[1]
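The entries for T1560.003, T1132.001, T1140 and T1041 above describe the same pattern from two sides: data is XOR-encrypted, Base64-encoded and sent in an HTTP POST body. The following helper, added here as an illustration and not taken from the ATT&CK page or from any Squirrelwaffle sample, shows how an analyst can work with a captured POST body under that pattern. It assumes a repeating-key XOR followed by standard Base64; the key `k3y!`, the field names and the POST body are constructed, and the scheme is an assumption rather than the malware's actual algorithm.

```python
import base64
import string

# ASSUMPTION for this example: plaintext is XOR'ed with a repeating key and then
# Base64-encoded. This is a generic illustration of the "XOR + Base64" pattern,
# not a reconstruction of Squirrelwaffle's real routine.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2_body(plaintext: bytes, key: bytes) -> str:
    """Produce a POST body as the assumed scheme would: XOR, then Base64 (ASCII text)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_c2_body(body: str, key: bytes) -> bytes:
    """Reverse the assumed scheme on a captured POST body."""
    return xor_bytes(base64.b64decode(body), key)


def recover_key_known_plaintext(body: str, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key when the first key_len plaintext bytes are known.

    Collected-data beacons often start with a fixed field name (here assumed to be
    'hostname='), which gives enough known plaintext to read the key straight off
    the ciphertext: ct[i] ^ pt[i] == key[i % key_len].
    """
    ct = base64.b64decode(body)
    if len(known_prefix) < key_len or len(ct) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(ct[i] ^ known_prefix[i] for i in range(key_len))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a cheap check that a candidate key is right."""
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / max(len(data), 1)


def key_is_plausible(body: str, key: bytes, threshold: float = 0.95) -> bool:
    """True when decoding with `key` yields mostly printable text (collected data is usually text)."""
    return printable_ratio(decode_c2_body(body, key)) >= threshold


# Constructed sample values (not real traffic, not a real key).
SAMPLE_KEY = b"k3y!"
SAMPLE_PLAINTEXT = b"hostname=WIN-TEST01&user=alice&ip=203.0.113.5"
SAMPLE_BODY = encode_c2_body(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("captured body :", SAMPLE_BODY)
    recovered = recover_key_known_plaintext(SAMPLE_BODY, b"hostname=", len(SAMPLE_KEY))
    print("recovered key :", recovered)
    print("decoded       :", decode_c2_body(SAMPLE_BODY, recovered))
    print("plausible     :", key_is_plausible(SAMPLE_BODY, recovered))
```

Because XOR with a repeating key leaks the key wherever the plaintext is predictable, the known-plaintext recovery above is usually the fastest route during triage; the printable-ratio check then confirms the candidate before it is applied to the rest of a capture. Detection-wise, the same properties mean that POST bodies which are valid Base64 but decode to high-entropy, non-printable bytes are worth flagging on hosts where Office-spawned processes were observed.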

Enterprise T1105 Ingress Tool Transfer

Squirrelwaffle has downloaded and executed additional encoded payloads.[1][2]

Enterprise T1027 Obfuscated Files or Information

Squirrelwaffle has been obfuscated with an XOR-based algorithm.[1][2]

Enterprise T1027.002 Software Packing

Squirrelwaffle has been packed with a custom packer to hide payloads.[1][2]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails.[2]

Enterprise T1566.002 Phishing: Spearphishing Link

Squirrelwaffle has been distributed through phishing emails containing a malicious URL.[1]

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32

Squirrelwaffle has been executed using regsvr32.exe.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

Squirrelwaffle has been executed using rundll32.exe.[1][2]

Enterprise T1082 System Information Discovery

Squirrelwaffle has gathered victim computer information and configurations.[1]

Enterprise T1016 System Network Configuration Discovery

Squirrelwaffle has collected the victim’s external IP address.[1]

Enterprise T1033 System Owner/User Discovery

Squirrelwaffle can collect the user name from a compromised host.[1]

Enterprise T1204.001 User Execution: Malicious Link

Squirrelwaffle has relied on victims clicking a malicious link sent via phishing campaigns.[1]

Enterprise T1204.002 User Execution: Malicious File

Squirrelwaffle has relied on users enabling malicious macros within Microsoft Excel and Word attachments.[1][2]
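Taken together, the T1059 (cmd.exe, PowerShell, VBA macros), T1218.010/.011 (regsvr32.exe, rundll32.exe) and T1204.002 (macros in Word and Excel attachments) entries describe an execution chain that is visible in process-creation telemetry: an Office application spawns a script interpreter, which in turn launches a signed system binary to run the payload. The detection logic below is an added example written for this page, not MITRE's or any vendor's rule set. It walks the parent chain of each process-creation event and flags (a) interpreters that descend from an Office application and (b) regsvr32/rundll32 that either descend from an Office application or load a module from a user-writable path. The event records, process IDs, user name and file paths are constructed; the `ProcEvent` schema is a simplification of Sysmon Event ID 1 fields and is an assumption of this example.

```python
from dataclasses import dataclass

# Heuristic lists for this example; tune to the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
PROXY_BINS = {"regsvr32.exe": "T1218.010", "rundll32.exe": "T1218.011"}
# Path fragments that indicate a user-writable location (assumed heuristic).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed schema, modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pid: int
    rule: str
    technique: str
    chain: list    # [self, parent, grandparent, ...] image names


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Return image names from the event up to the root, stopping on a missing parent or a cycle."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events: list) -> list:
    """Apply the three rules to a batch of events and return the findings."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        chain = ancestry(ev, by_pid)
        ancestors = chain[1:]
        office_ancestor = any(a in OFFICE_APPS for a in ancestors)

        # Rule 1: script interpreter with an Office application somewhere above it (T1059 / T1204.002).
        if ev.name in INTERPRETERS and office_ancestor:
            findings.append(Finding(ev.pid, "office-spawned-interpreter", "T1059", chain))

        if ev.name in PROXY_BINS:
            technique = PROXY_BINS[ev.name]
            # Rule 2: regsvr32/rundll32 launched from an Office-rooted chain (T1218.010 / .011).
            if office_ancestor:
                findings.append(Finding(ev.pid, "proxy-exec-from-office-chain", technique, chain))
            # Rule 3: regsvr32/rundll32 loading a module from a user-writable directory.
            if any(m in ev.cmdline.lower() for m in USER_WRITABLE_MARKERS):
                findings.append(Finding(ev.pid, "proxy-exec-user-writable-module", technique, chain))
    return findings


# Constructed sample telemetry: one malicious chain (pids 200-500) and two benign events (600, 700).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" C:\Users\alice\Downloads\invoice.docm'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell.exe -File C:\Users\alice\AppData\Local\Temp\run.ps1"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\run.ps1"),
    ProcEvent(500, 400, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\sample.dll"),
    ProcEvent(600, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(700, 100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.rule} ({f.technique}) chain={' <- '.join(f.chain)}")
```

On the constructed sample the chain `regsvr32.exe <- powershell.exe <- cmd.exe <- winword.exe <- explorer.exe` produces findings for pids 300, 400 and 500, while the two explorer-launched system binaries (pids 600 and 700) stay quiet because they have no Office ancestor and load modules from system or Program Files paths. Rule 3 is the noisiest of the three in real environments (installers legitimately register DLLs from temp directories), so it is best used to raise the severity of a rule 1 or rule 2 hit rather than to alert on its own.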

Enterprise T1497 Virtualization/Sandbox Evasion

Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.[1][2]