# SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot **[netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot](https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot)** Gustavo Palazolo October 7, 2021 [Co-authored by Gustavo Palazolo and Ghanashyam Satpathy](https://www.netskope.com/blog/author/gsatpathy) ## Summary [In September of 2021, a new malware family named SquirrelWaffle joined the threat](https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle) [landscape. It spread through malicious Microsoft Office documents attached in spam emails.](https://www.malware-traffic-analysis.net/2021/09/17/index.html) The infection flow starts with a ZIP file that contains the malicious Office document. When the file is opened by the victim, the malicious VBA macros download SquirrelWaffle DLL, which [eventually leads to deploying another threat, such as](https://www.malware-traffic-analysis.net/2021/09/24/index.html) [CobaltStrike or](https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike) [QakBot.](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot) In this blog post, we will analyze two variants of the malicious Office documents that deliver SquirrelWaffle. We will also analyze the final SquirrelWaffle payload and how the last stage URLs are being protected inside the binary. ## SquirrelWaffle Office Documents We have identified two variants used to deliver SquirrelWaffle, a Microsoft Word document and a Microsoft Excel spreadsheet. ----- SquirrelWaffle malicious documents ### Malicious Word Document The first variant is a malicious Microsoft Word file that mimics a DocuSign document, asking the victim to click “Enable Editing” and “Enable Content” to view the content. SquirrelWaffle malicious Word document The file contains several VBA macros, including junk code. The main routine lies in a function named “eFile”, which is executed by the “AutoOpen” functionality. Malicious VBA function ----- Aside from all the junk added by the developer, we can see two important pieces of data when we open the VBA editor: a PowerShell script and a batch script that executes the PowerShell script. These routines are kept inside the text property of Visual Basic Control instead of in a regular VBA module. The purpose is to evade AV detection. Malicious code inside the Word file Looking at the “eFile” function, we can see that both PowerShell and the batch script are created in the user’s AppData directory, respectively named “www.ps1” and “www.txt”. ----- payloads in disk This behavior can be observed with Procmon. VBA function creating VBA function dropping payloads in disk. Later, the VBA code executes the batch script, using the Windows “cscript.exe” binary. Malicious batch script executed by the malicious document. Looking at those files closely, we can see that the PowerShell script is responsible for downloading SquirrelWaffle DLL using five distinct URLs, likely to add more resilience to the process. The downloaded DLLs are saved into “C:\ProgramData\” and named “www[N].dll” where [N] is a number from 1 to 5. ----- PowerShell script that downloads SquirrelWaffle DLL. And the batch script, which is executed by the malicious document, is responsible for executing the PowerShell script and the SquirrelWaffe payload DLL. Batch script that is executed by the malicious document. Once downloaded, the DLL is executed through “rundll32.exe”, which calls an exported function named “ldr”. ----- Both **cscript.exe and** **rundll32.exe are legitimate files from Windows, used by this sample** to connect to the C&C servers and to download and execute the next stage payloads. This technique is known as Living-off-the-Land (LoL), which consists of using legitimate binaries to perform malicious activities. We have already covered other malware families that employ [this technique, such as BazarLoader.](https://www.netskope.com/blog/bazarloader-using-lolbins-through-office-documents-to-deliver-payloads) Batch script executing SquirrelWaffle DLL. ### Malicious Excel Document The second variant identified by Netskope is a malicious Microsoft Excel file, containing a fake message that also tries to deceive the victim into clicking the “Enable Editing” and “Enable Content” buttons. Malicious Microsoft Excel document, delivering SquirrelWaffle. The file uses Excel 4.0 (XML) macros that are obfuscated and spread across many hidden sheets in the document. ----- Hidden sheets inside the malicious Excel file. The developer also changed the font color to hide the code, which can be revealed when we change the font property as shown below. Hidden code inside the hidden sheet. When the Macros are executed, the obfuscated code is written into seven different cells, containing many calls to Windows APIs. Malicious code inside the malicious Excel document. Simply put, this code contacts three different URLs to download SquirrelWaffle DLL, which is saved into “C:\Datop\test[N].test”, where [N] is null or a number (1 and 2). The DLL is then [executed through Windows “ShellExecuteA” API.](https://docs.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-shellexecutea) ----- ## SquirrelWaffle DLL Regardless of the variants we described, the goal is to download and execute SquirrelWaffle [DLL. In this section, we will analyze a payload identified on September 17, 2021, named](https://www.malware-traffic-analysis.net/2021/09/17/index.html) “www2.dll”. The file uses a custom packer to hide the main payload. The unpacking process is not very complex: The first step the code does is load and execute a shellcode. SquirrelWaffle packer loading a shellcode in memory. [Once running, the shellcode unpacks the payload compressed with aPlib, which is commonly](https://ibsensoftware.com/products_aPLib.html) [used by malware to compress files or configurations. The data is then decompressed into a](https://www.netskope.com/blog/netskope-threat-coverage-blackmatter) new memory location, and the unpacked DLL is eventually executed. SquirrelWaffle payload DLL being decompressed. Once unpacked and decompressed, we can dump the bytes into the disk to analyze the file in a disassembler. The payload is a 32-bit DLL likely compiled on September 17, 2021, although this information can’t be 100% reliable. ----- Unpacked SquirrelWaffle DLL. Looking at the DLL exports, we can see the function (“ldr”) that is called by the batch script we’ve shown earlier in this post. SquirrelWaffle “ldr” export function. The main goal of SquirrelWaffle is to download and execute additional malware. The developers included a feature that hides important strings in the binary, like the C2 server list. By looking at the PE “.rdata” section, we can find the encrypted information, along with the decryption key. SquirrelWaffle encrypted data. To decrypt the data, the malware uses a simple rolling XOR algorithm. SquirrelWaffle data decryption block. We created a simple Python script that is able to decrypt the data from SquirrelWaffle [samples, by implementing the same logic. The script can be found in our Github repository.](https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/SquirrelWaffle) ----- There are two major blocks of encrypted data. The first one is a large list of IP addresses, as shown below. Part of decrypted data from the analyzed SquirrelWaffle payload. This list is used by the malware as a blocklist, likely to avoid the malware from being [analyzed by sandboxes. The second list contains the payload URLs, which SquirrelWaffle](https://hatching.io/blog/2021-09-23-triage-thursday/) uses to download additional malware. ----- SquirrelWaffle payload URLs. The SquirrelWaffle sample from this campaign was downloading a CobaltStrike beacon, using “.txt” as an extension. CobaltStrike beacon downloaded by SquirrelWaffle. [Aside from CobaltStrike, SquirrelWaffle was also found delivering QakBot, which is a modular](https://www.malware-traffic-analysis.net/2021/09/24/index.html) banking trojan and information stealer, [active since 2007.](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot) ## Conclusion SquirrelWaffle is a new malware loader that is being used to deliver Cobalt Strike and QakBot. The infection vector occurs through spam emails with malicious Office documents that eventually downloads SquirrelWaffle DLL. Although this malware was spotted delivering Cobalt Strike and QakBot so far, we are continuously monitoring this threat as it can be used by more malware families. Netskope **Advanced Threat Protection provides proactive coverage against zero-day samples** including APT and other malicious Office documents using both our ML and heuristic-based static analysis engines, as well as our cloud sandbox. The following screenshot shows the detection for ``` fb41f8ce9d34f5ceb42b3d59065f63533d4a93557f9353333cbc861e3aff1f09, indicating it ``` was detected by Netskope Advanced Heuristic Analysis. ----- ## Protection Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. **Netskope Threat Protection** VB:Trojan.Valyria.5292 **Netskope Advanced Threat Protection provides proactive coverage against this** threat. Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox ## IOCs **SHA256 Hashes** Infected “.doc” fb41f8ce9d34f5ceb42b3d59065f63533d4a93557f9353333cbc861e3aff1f09 Infected “.xls” 2f3371880117f0f8ff9b2778cc9ce57c96ce400afa8af8bfabbf09cb138e8a28 SquirrelWaffle DLL CobaltStrike Beacon 00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c 3c280f4b81ca4773f89dc4882c1c1e50ab1255e1975372109b37cf782974e96f The full list of IOCs, the script that decrypts SquirrelWaffle configuration, and a Yara rule can [be found in our Github repository.](https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/SquirrelWaffle) -----