SquirrelWaffle – Malicious Email Campaign

Threat Description
CTM360 has observed increased activity in the propagation of SquirrelWaffle, a malware loader that is actively spread via email campaigns. This threat uses malicious Microsoft Excel and Word documents to deliver Qakbot malware and Cobalt Strike. It relies on a technique called thread hijacking, in which existing email conversations of its victims are reused to reach new victims. Because the email appears to originate from a trusted source, the recipient is more likely to fall for it.

Attack Chain
● The user receives an email from a known but compromised third party (vendor, partner, colleague) containing a malicious URL.
● The email reuses stolen email threads so that it appears as a reply within an existing conversation.
● When the user clicks the URL, a zip file is downloaded that contains the malicious Word or Excel file.
● When the document is opened, the user is lured into clicking “Enable Content” (enabling macros), which executes the malware.
● Newly registered domains are used to host the payload.
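The attack chain above combines three observable traits in one message: a reply into an existing thread, a link to a zip archive, and a link host on a newly registered domain. The following triage script, added here as an illustration and not part of CTM360's advisory, checks a plain-text email for those traits; the domain-registration lookup, the sample domains and the sample message are constructed stand-ins (a real deployment would query RDAP/WHOIS).

```python
import re
from datetime import date
from email import message_from_string
from urllib.parse import urlparse

# Constructed stand-in for a domain-registration lookup (RDAP/WHOIS in practice).
# Domains and creation dates are sample values, not real data.
DOMAIN_CREATED = {
    "example-vendor.test": date(2015, 3, 1),
    "new-host.example": date(2021, 10, 20),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REQUIRED = {"reply_to_existing_thread", "archive_link", "newly_registered_link_domain"}


def domain_age_days(host, today):
    """Days since registration, or None when the domain is unknown to the lookup."""
    created = DOMAIN_CREATED.get(host.lower())
    return None if created is None else (today - created).days


def thread_hijack_indicators(raw_message, today, max_age_days=30):
    """Return the set of attack-chain indicators seen in one plain-text message."""
    msg = message_from_string(raw_message)
    found = set()
    # Thread hijacking: the lure is a reply into a conversation the victim knows.
    if msg.get("In-Reply-To") and msg.get("Subject", "").lower().startswith("re:"):
        found.add("reply_to_existing_thread")
    for url in URL_RE.findall(msg.get_payload()):
        parsed = urlparse(url)
        if parsed.path.lower().endswith(".zip"):
            found.add("archive_link")
        age = domain_age_days(parsed.hostname or "", today)
        # Unknown or very young domains match the "newly registered" trait.
        if age is None or age <= max_age_days:
            found.add("newly_registered_link_domain")
    return found


def is_suspected_hijack(raw_message, today):
    """Flag only when all three traits co-occur, so ordinary replies with links pass."""
    return REQUIRED <= thread_hijack_indicators(raw_message, today)


# Constructed sample: a reply in a stolen thread pointing at a zip on a fresh host.
SAMPLE_HIJACK = """\
From: Alice <alice@example-vendor.test>
To: bob@example.test
Subject: Re: Invoice for October
In-Reply-To: <20211019.1@example.test>

Hi Bob, the documents we discussed: http://new-host.example/docs/invoice.zip
"""
```

Requiring all three traits together keeps the check from flagging every legitimate reply that happens to carry a link; tune `max_age_days` to the registration-age threshold your environment can tolerate.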
