SquirrelWaffle is a malware loader distributed through malicious spam email (malspam); its purpose is to infect a device with second-stage malware such as cracked copies of the red-teaming tool Cobalt Strike, and QakBot.
First seen in September 2021, the loader is being actively used by attackers to gain an initial foothold in targeted networks and drop further malware.
▪ The first stage is a phishing email carrying either a malicious MS Word or Excel attachment or an embedded link that leads to a zip-compressed malicious document.
▪ These maldocs contain VBS macros that execute PowerShell to retrieve and launch the SquirrelWaffle loader.
▪ SquirrelWaffle also carries an IP blocklist populated with the addresses of notable security research firms, to evade detection and analysis.
▪ All communication between SquirrelWaffle and its C2 infrastructure is encrypted (XOR+Base64) and sent via HTTP POST requests.
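As an added analysis aid (not code from this brief or from any SquirrelWaffle sample), the Python below unwraps a captured POST body layered as described above, Base64 over XOR, and includes a brute-force helper for the single-byte-key case. The repeating-key XOR, the key value, the key=value beacon layout and the sample body are all assumptions constructed for the demo.

```python
import base64
import string
from typing import Optional
from urllib.parse import parse_qsl

# Constructed demo key; the real key is NOT on the page and must be recovered
# from the sample under analysis (assumption for the demo).
DEMO_KEY = b"WAFFLE"

# Characters we expect in a decoded key=value beacon (assumed layout).
BEACON_ALPHABET = set((string.ascii_letters + string.digits + "=&-_.:/ ").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is symmetric, so this encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2_body(plaintext: bytes, key: bytes) -> str:
    """Reproduce the XOR-then-Base64 layering to build a constructed POST body."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_c2_body(body: str, key: bytes) -> bytes:
    """Reverse the layering: Base64-decode the POST body, then XOR with the key."""
    return xor_bytes(base64.b64decode(body), key)


def parse_beacon(decoded: bytes) -> dict:
    """Split an assumed key=value&key=value beacon into a dict for triage."""
    return dict(parse_qsl(decoded.decode("ascii", "replace")))


def recover_single_byte_key(body: str, threshold: float = 0.9) -> Optional[int]:
    """Analyst helper for samples that use a single-byte XOR key: try all 256
    keys and return the one whose output looks most like a text beacon."""
    raw = base64.b64decode(body)
    if not raw:
        return None
    best_key, best_score = None, 0.0
    for k in range(256):
        out = xor_bytes(raw, bytes([k]))
        score = sum(b in BEACON_ALPHABET for b in out) / len(out)
        if score > best_score:
            best_key, best_score = k, score
    return best_key if best_score >= threshold else None


# Constructed beacon resembling a loader check-in; not real SquirrelWaffle traffic.
SAMPLE_PLAINTEXT = b"id=DEMO-HOST-01&os=Windows10&user=analyst&task=get"
SAMPLE_BODY = encode_c2_body(SAMPLE_PLAINTEXT, DEMO_KEY)

if __name__ == "__main__":
    print("captured body:", SAMPLE_BODY)
    print("decoded      :", parse_beacon(decode_c2_body(SAMPLE_BODY, DEMO_KEY)))
```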