SquirrelWaffle, a new malware family, emerged in the threat landscape in September 2021. Its infection vector is spam email carrying malicious Office documents, specifically Microsoft Word and Excel files. The first variant mimics a DocuSign document and prompts the victim to enable editing and content viewing, which triggers the embedded VBA macros. These macros download the SquirrelWaffle DLL, which in turn deploys additional threats. The SquirrelWaffle sample from this campaign was observed downloading a Cobalt Strike beacon served with a ".txt" extension.
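The beacon served under a ".txt" name is a detection opportunity: a file whose extension claims plain text but whose bytes carry a Windows PE image. The following is an added defender-side example, not code from the original description, using constructed sample bytes rather than any real beacon; the extension list and function names are assumptions for illustration.

```python
# Added example: flag downloaded files whose extension suggests text or an image
# but whose content is a Windows PE image (DOS "MZ" stub pointing at "PE\0\0").
import struct
from pathlib import PurePosixPath

# Assumed list of extensions that should never legitimately carry a PE image.
NON_EXECUTABLE_EXTS = {".txt", ".jpg", ".png", ".gif", ".pdf", ".csv"}


def looks_like_pe(data: bytes) -> bool:
    """Return True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset of the PE header) lives at byte 0x3C of the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A truncated or out-of-range offset yields a short slice and therefore False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_masquerading_pe(filename: str, data: bytes) -> bool:
    """True when a benign-looking extension hides a PE image."""
    ext = PurePosixPath(filename).suffix.lower()
    return ext in NON_EXECUTABLE_EXTS and looks_like_pe(data)


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: a DOS header plus a PE signature, not a runnable binary."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, e_lfanew)     # e_lfanew field
    header += b"\x00" * (e_lfanew - len(header))       # pad up to the PE header
    header += b"PE\x00\x00"                            # PE signature
    return bytes(header)


def scan_downloads(files: dict[str, bytes]) -> list[str]:
    """Return names of downloaded files that are PE images under a non-executable extension."""
    return sorted(name for name, data in files.items() if is_masquerading_pe(name, data))


if __name__ == "__main__":
    # Constructed downloads: a beacon-like PE named .txt, a real text file, a plainly named DLL.
    sample = {
        "update.txt": build_fake_pe(),
        "readme.txt": b"Just a text file.\n",
        "helper.dll": build_fake_pe(),
    }
    print(scan_downloads(sample))  # → ['update.txt']
```

The same check applies to proxy or sandbox captures: compare the declared extension (or Content-Type) against the first bytes of the body rather than trusting the name.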
SquirrelWaffle operates as a loader: its primary function is to download and execute additional malware. Notably, it has been linked to the deployment of Cobalt Strike and QakBot. Cobalt Strike is a commercial adversary-simulation tool frequently abused by attackers for post-exploitation, while QakBot is a modular banking trojan and information stealer that has been active since 2007. Once inside a system, these payloads can steal personal information, disrupt operations, or hold data hostage for ransom.
In conclusion, SquirrelWaffle presents a significant threat because of its ability to deliver potent malware such as Cobalt Strike and QakBot. It uses malicious Office documents as its infection vector, relying on the victim's own interaction (enabling editing and content) to trigger the malware download. Its main purpose is to serve as a gateway for additional, more damaging malware, underscoring the importance of robust cybersecurity measures to prevent such attacks.
Description last updated: 2024-05-05T11:21:35.588Z