Squirrelwaffle

Malware Profile Updated 3 months ago
SquirrelWaffle, a new malware family, emerged in the threat landscape in September 2021. The infection vector is spam email carrying malicious Office documents, specifically Microsoft Word and Excel files. The first variant mimics a DocuSign document and prompts the victim to enable editing and content viewing, which triggers the embedded VBA macros. These macros download the SquirrelWaffle DLL, which in turn deploys additional threats. The SquirrelWaffle sample from this campaign was observed downloading a Cobalt Strike beacon served with a ".txt" file extension.

SquirrelWaffle operates as a loader: its primary function is to download and execute additional malware. Notably, it has been linked to the deployment of Cobalt Strike and QakBot. Cobalt Strike is a commercial adversary-emulation tool frequently abused by attackers for post-exploitation, while QakBot is a modular banking trojan and information stealer that has been active since 2007. Once inside a system, these payloads can steal personal information, disrupt operations, or hold data hostage for ransom.

In conclusion, SquirrelWaffle presents a significant threat because of its ability to deliver potent malware such as Cobalt Strike and QakBot. It uses malicious Office documents as its infection vector, relying on the victim's own interactions to trigger the download. Its main role is to serve as a gateway for additional, more damaging malware, which underscores the importance of robust defensive measures (macro restrictions, mail filtering, and monitoring for loader-style downloads) to prevent such attacks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
No overlapping profiles to display
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Github
Malware Loader
Malware
Windows
Trojan
Cobalt Strike
Payload
Spam
Beacon
Sandbox
Associated Malware
ID | Type | Votes | Profile Description
QakBot | Unspecified | 1 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Cobaltstrike | Unspecified | 1 | CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Bazarloader | Unspecified | 1 | BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Squirrelwaffle malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot