SquirrelWaffle, a Windows trojan

Demystify Cyber obtained and analysed samples of malware used in in malicious email campaignsm in and around September 2021, using file share and electronic agreements sites.

BLUF

Squirrelwaffle is a Windows trojan first noticed in malicious email campaigns around 13 or 14 September 2021. It has been seen delivered by the “TR” botnet that was often used for the emotet malware. The payload vector in the samples we obtained was via malspam emails misusing the legitimate Docusign service. The malicious emails contained a link to download a Microsoft Word attachment from a zip folder. The documents in the samples we analysed were called ‘diagram’ and followed by numbers. Example Diagram - 1, Diagram - 84,

Demystify Cyber was unable to determine if there was any logic to the file names beyond being used to trick recipients into downloading them, Once the macros on the document are enabled the squirrelwaffle loader is executed, and this then allows access to the next payload which is Cobalt Strike.

Recommendations

1. Be cautious of unsolicited and unexpected emails, even those that appear to be from legitimate companies such as file share sites and electronic agreement sites.

2. Do not open an attachment in an email that requires macros to be enabled to view

3. Use a reputable and up to date antivirus solution

Written by A. Turner

© A. Turner 2021 https://www.demystifycyber.com.au/

Provided for general information and education purposes