Cybersecurity Threat Advisory: New Malware Used to Deploy Qakbot and Cobalt Strike
Posted on November 5, 2021 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory Overview
Cyberattackers are using a new malware loader named Squirrelwaffle to gain an initial foothold in target networks and to drop malware, including Qakbot and Cobalt Strike, onto compromised systems and networks.
What Is the Threat?
Squirrelwaffle, first observed in September 2021, is delivered through malicious email campaigns. As with earlier threats such as Emotet, the attackers appear to use stolen email threads so that their messages arrive as replies to legitimate, ongoing conversations. The emails typically contain hyperlinks to ZIP archives hosted on attacker-controlled web servers; each archive holds a malicious Microsoft Office document (a Word document or an Excel spreadsheet) whose embedded macros start the infection once the recipient opens the file and enables macros.
The lure documents impersonate the DocuSign electronic signing platform to persuade recipients to enable macros in Microsoft Office. The macro code uses string reversal to obfuscate its actions, writes a Visual Basic Script (VBS) file to the system's ProgramData folder, and then executes it. That script fetches Squirrelwaffle from a hardcoded uniform resource locator (URL) and places it on the compromised system as a dynamic-link library (DLL) file.
Once running, Squirrelwaffle retrieves and deploys second-stage payloads such as Qakbot, a banking trojan that targets businesses to steal login credentials and drain their bank accounts, or Cobalt Strike, a widely abused commercial penetration-testing framework that attackers use to establish and maintain a covert, unauthorized presence on victim networks.
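The delivery chain above (an Office macro that writes a VBS to ProgramData, which in turn pulls down a DLL) leaves a recognizable parent/child process pattern in endpoint telemetry. The script below is an added example written for this advisory, not MCP's or Cisco Talos's code. It assumes Sysmon Event ID 1 style process-creation records flattened to one Key=Value line each, that the VBS runs under the Windows Script Host (wscript.exe or cscript.exe), and that the DLL is launched through rundll32.exe or regsvr32.exe; the advisory does not name the loader, so that set is an assumption. Every event in SAMPLE_LOG is constructed.

```python
"""Hunt for the delivery chain described in this advisory
(Office macro -> VBS written to ProgramData -> DLL) in process-creation telemetry.

Added example for this advisory, not MCP's or Cisco Talos's code.  Assumptions
not stated on the page: events are Sysmon Event ID 1 style records flattened to
one 'Key=Value Key="quoted value"' line each; the VBS runs under the Windows
Script Host (wscript.exe/cscript.exe); the DLL is launched via rundll32.exe or
regsvr32.exe.  Every event in SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}  # assumption, see docstring
PROGRAMDATA = re.compile(r"[a-z]:\\programdata\\", re.IGNORECASE)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one flattened record; quoted values may contain spaces."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return ProcEvent(
        pid=int(fields["ProcessId"]),
        ppid=int(fields["ParentProcessId"]),
        image=fields["Image"],
        cmdline=fields["CommandLine"],
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chains(events: List[ProcEvent]) -> List[Tuple[str, int, int]]:
    """Return (stage, parent_pid, child_pid) for each suspicious parent/child pair."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child, par = basename(e.image), basename(parent.image)
        cmd = e.cmdline.lower()
        in_programdata = PROGRAMDATA.search(cmd) is not None
        # Stage 1: an Office process starts a script host on a .vbs under ProgramData.
        if par in OFFICE_PROCS and child in SCRIPT_HOSTS and ".vbs" in cmd and in_programdata:
            hits.append(("office_to_vbs", parent.pid, e.pid))
        # Stage 2: that script host launches a DLL loader on a DLL under ProgramData.
        if par in SCRIPT_HOSTS and child in DLL_LOADERS and ".dll" in cmd and in_programdata:
            hits.append(("vbs_to_dll", parent.pid, e.pid))
    return hits


def hunt(lines: List[str]) -> List[Tuple[str, int, int]]:
    """Parse raw log lines and run the chain detection over them."""
    return find_chains([parse_event(l) for l in lines if l.strip()])


# Constructed events: one infection chain plus two benign look-alikes.
SAMPLE_LOG = r'''
ProcessId=4100 ParentProcessId=1000 Image="C:\Windows\explorer.exe" CommandLine="explorer.exe"
ProcessId=4200 ParentProcessId=4100 Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="WINWORD.EXE /n C:\Users\jdoe\Downloads\invoice_4471.doc"
ProcessId=4300 ParentProcessId=4200 Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe C:\ProgramData\update.vbs"
ProcessId=4400 ParentProcessId=4300 Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe C:\ProgramData\loader.dll,Start"
ProcessId=5000 ParentProcessId=4100 Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe C:\Scripts\logon.vbs"
ProcessId=5100 ParentProcessId=4200 Image="C:\Windows\splwow64.exe" CommandLine="splwow64.exe 8192"
'''.strip().splitlines()

if __name__ == "__main__":
    for stage, ppid, pid in hunt(SAMPLE_LOG):
        print(f"{stage}: parent pid {ppid} -> child pid {pid}")
```

Running the block reports the two stages of the constructed chain (Word spawning wscript.exe on a ProgramData .vbs, then that script host spawning rundll32.exe on a ProgramData .dll). The benign logon.vbs launched by explorer.exe and the print-spooler helper spawned by Word do not match, because both the parent process and the ProgramData path are required. Extend DLL_LOADERS if your own telemetry shows a different launcher.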
Why Is It Noteworthy?
Squirrelwaffle has been gaining popularity in recent months as an effective new loader for cyberattackers to use in their campaigns. It also employs several anti-analysis and evasion techniques: its distribution infrastructure blocks Internet Protocol (IP) addresses belonging to well-known security research firms, and antibot scripts are deployed to frustrate automated detection and analysis. Squirrelwaffle therefore has the potential to become a serious threat to any organization that does not employ a comprehensive defense-in-depth strategy against cyberattacks.
What Is The Risk?
The more layers of defense your organization has against cyberattacks, the less likely it is to fall victim to Squirrelwaffle. Because an attack must succeed at several steps (the phishing email, the ZIP download, the macro, the VBS, and the DLL retrieval) before a system is infected, each step is an opportunity to stop it. For example, an organization that combines email protection with security awareness training and endpoint protection is far better protected than one that relies on security awareness training alone.
What Are The Recommendations?
To secure your organization against Squirrelwaffle, MCP recommends combining the following measures for a comprehensive defense-in-depth strategy:
- Deploy an endpoint protection solution. Endpoint protection can block the macro, script, and DLL stages described in this advisory from executing on your hosts.
- Deploy an email protection solution to block malicious emails, like the ones used to spread Squirrelwaffle, and to alert users to potential threats in their inbox.
- Block known Squirrelwaffle indicators of compromise (IOCs) across your network. Cisco Talos has published the relevant domain and SHA256 hash lists; both are linked under References below.
- Enforce multi-factor authentication across your organization's applications and services so that only authorized users access resources and so that credentials stolen by Qakbot cannot be reused on their own.
- Conduct regular security awareness training to keep users armed with the information that they need to recognize and report threats of this nature.
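As an added example of the IOC-blocking recommendation (this is not MCP's or Cisco Talos's code), the script below loads a domain list and a SHA256 list in the plain-text, one-indicator-per-line shape the Talos files under References are assumed to have, refangs defanged entries, matches DNS query logs against the domains (including subdomains of a listed domain, but not look-alike substrings), and checks file contents against the hashes. The feed entries, DNS log lines, and file bytes are all constructed for the example and are not real Squirrelwaffle indicators.

```python
"""Check DNS query logs and file contents against a Squirrelwaffle IOC list.

Added example for this advisory, not MCP's or Cisco Talos's code.  Assumes the
Talos lists linked under References are plain text, one indicator per line,
possibly defanged (hxxp://, [.]) and possibly commented with '#'.  Every
indicator, log line and file below is constructed and is not a real IOC.
"""
import hashlib
import re
from typing import List, Optional, Set, Tuple

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DNS_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<q>\S+)")

# Constructed feed contents in the shape assumed above.
CONSTRUCTED_DOMAINS = """
# comment lines and blanks are ignored
evil-loader[.]example
hxxp://docs-sign.example/files/
Cdn.Updates.Example.
"""
CONSTRUCTED_DLL = b"MZ\x90\x00" + b"constructed stand-in for a dropped DLL, not a real binary"
CONSTRUCTED_HASHES = "\n".join([
    hashlib.sha256(CONSTRUCTED_DLL).hexdigest().upper() + "  # feeds often publish uppercase",
    "0123456789abcdef  # too short to be a SHA256; must be rejected, not silently ignored",
])
# Constructed DNS query log in a generic 'client=... query=...' format.
SAMPLE_DNS_LOG = [
    "2021-11-02T14:03:11Z client=10.1.2.3 query=www.evil-loader.example type=A",
    "2021-11-02T14:03:12Z client=10.1.2.4 query=docs-sign.example type=A",
    "2021-11-02T14:03:13Z client=10.1.2.5 query=cdn.updates.example. type=AAAA",
    "2021-11-02T14:03:14Z client=10.1.2.6 query=notevil-loader.example type=A",
    "2021-11-02T14:03:15Z client=10.1.2.7 query=evil-loader.example.com type=A",
]


def normalize_domain(raw: str) -> Optional[str]:
    """Refang and reduce an indicator or log value to a bare lowercase hostname."""
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^(?:hxxps?|https?)://", "", s)
    s = s.split("/", 1)[0].split(":", 1)[0]  # drop any path and port
    return s.rstrip(".") or None


def load_domains(text: str) -> Set[str]:
    """Parse a one-domain-per-line feed into a normalized set."""
    return {d for d in (normalize_domain(line) for line in text.splitlines()) if d}


def load_hashes(text: str) -> Tuple[Set[str], List[str]]:
    """Return (valid lowercase SHA256 set, rejected malformed entries)."""
    valid, rejected = set(), []
    for line in text.splitlines():
        h = line.split("#", 1)[0].strip().lower()
        if not h:
            continue
        if SHA256_RE.match(h):
            valid.add(h)
        else:
            rejected.append(h)
    return valid, rejected


def domain_hit(queried: str, bad_domains: Set[str]) -> Optional[str]:
    """Return the listed domain that matches the query exactly or as its parent.

    Matching on whole labels avoids substring false positives: 'notevil-loader.example'
    does not match 'evil-loader.example', but 'www.evil-loader.example' does.
    """
    host = normalize_domain(queried)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def scan_dns_log(lines: List[str], bad_domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched indicator) for each hit."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        ioc = domain_hit(m.group("q"), bad_domains)
        if ioc:
            hits.append((m.group("client"), m.group("q"), ioc))
    return hits


def file_hit(data: bytes, bad_hashes: Set[str]) -> Optional[str]:
    """Return the SHA256 hex digest if the file content is on the block list."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in bad_hashes else None


if __name__ == "__main__":
    domains = load_domains(CONSTRUCTED_DOMAINS)
    hashes, rejected = load_hashes(CONSTRUCTED_HASHES)
    print("rejected hash entries:", rejected)
    for client, name, ioc in scan_dns_log(SAMPLE_DNS_LOG, domains):
        print(f"DNS hit: {client} queried {name} (matches {ioc})")
    print("dropped DLL matches feed:", file_hit(CONSTRUCTED_DLL, hashes))
```

Three of the five constructed queries match (the subdomain, the exact entry that was listed with a URL scheme and path, and the entry with a trailing dot); the look-alike "notevil-loader.example" and "evil-loader.example.com" do not, which is the behaviour you want before pushing a feed into a DNS sinkhole or firewall. Malformed hash entries are reported rather than dropped silently so a truncated feed is noticed.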
References
For more in-depth information about the recommendations, please visit the following links:
- https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html
- https://www.bleepingcomputer.com/news/security/spammers-use-squirrelwaffle-malware-to-drop-cobalt-strike/
- https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html
- https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html
- https://www.malwarebytes.com/emotet
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/653/original/domains-final.txt?1635247500
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/652/original/hashes-final.txt?1635247486
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations, to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.