Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- SquirrelWaffle is delivered by phishing emails carrying macro-enabled document attachments; the user has to enable macros before the embedded VBA downloader runs.
- The malware establishes persistence twice over, through a Run value under HKEY_CURRENT_USER and a scheduled task.
- Command and Control (C2) traffic goes over HTTP/S to short-lived, algorithmically generated hostnames on dynamic DNS services, which defeats static domain blocklists.
Executive Summary
Our recent investigation into a SquirrelWaffle distribution campaign shows how the threat actors gain a foothold in networks through malicious email. Social engineering persuaded users to download and open macro-laden documents, and analysis showed that SquirrelWaffle is the first stage of a multistage infection that frequently leads to broader compromise, including the deployment of secondary payloads. Below we examine the SquirrelWaffle implant and outline the tactics, techniques, and procedures (TTPs) the actors used to achieve their objectives.
Initial Access
The attack chain begins with a phishing campaign in which victims receive emails carrying malicious attachments disguised as legitimate documents. During our investigation we saw macro-enabled formats such as .docm which, when opened, prompt the user to enable macros. Once macros are enabled, the embedded Visual Basic for Applications (VBA) code runs and downloads the primary payload from remote URLs. In MITRE ATT&CK terms this is Phishing (T1566), specifically Spearphishing Attachment (T1566.001), with the user's click on "Enable Content" providing the execution step.
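The first triage question for an attachment like the ones above is whether the document carries a VBA project at all, and that can be answered from the container without opening the file in Office. The following is an added example, not code from the original report: a .docm/.docx is an OOXML zip, so the check looks for the `word/vbaProject.bin` part and for the macro-enabled content type in `[Content_Types].xml`, and flags a macro project hiding behind a non-macro extension. The sample documents are constructed in memory; `build_sample`, `triage_attachment` and `verdict` are names chosen for this demonstration.

```python
"""Triage a Word attachment for an embedded VBA project without opening it.

Added example (not from the original report).  A .docm/.docx file is an
OOXML zip container; a macro-enabled document carries word/vbaProject.bin
and declares the macro-enabled content type in [Content_Types].xml.  The
documents used below are constructed in memory for the demonstration.
"""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return the facts a mail gateway needs to decide on an OOXML attachment."""
    result = {
        "filename": filename,
        "is_ooxml": False,
        "has_vba": False,
        "declares_macro_enabled": False,
        "extension_mismatch": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # RTF, legacy OLE2 .doc, or not a document at all
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba"] = MACRO_PART in names
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_macro_enabled"] = MACRO_CONTENT_TYPE in ctypes
    ext = filename.lower().rsplit(".", 1)[-1]
    # A VBA project inside a file not named .docm/.dotm is itself suspicious
    result["extension_mismatch"] = result["has_vba"] and ext not in ("docm", "dotm")
    return result


def verdict(t: dict) -> str:
    """Map triage facts to a gateway action."""
    if not t["is_ooxml"]:
        return "inspect-manually"  # OLE2 .doc/.xls need a different parser
    if t["has_vba"]:
        return "quarantine"
    if t["declares_macro_enabled"]:
        return "review"  # claims macros but has no project: odd or tampered
    return "allow"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML container (test data, not a real document)."""
    buf = io.BytesIO()
    main_ct = MACRO_CONTENT_TYPE if with_vba else PLAIN_CONTENT_TYPE
    ctypes = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE2 magic followed by a placeholder body; real projects are larger
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample(True)),
        ("invoice.docx", build_sample(True)),  # macro project behind a .docx name
        ("notes.docx", build_sample(False)),
    ]
    for name, blob in samples:
        facts = triage_attachment(name, blob)
        print(f"{name}: {verdict(facts)} {facts}")
```

The check only establishes that a VBA project is present; the VBA source inside `vbaProject.bin` is stored MS-OVBA-compressed, so extracting the download URLs the report mentions needs a proper parser such as olevba rather than a string scan of the raw part.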
Execution & Persistence
Once executed, SquirrelWaffle follows a clear persistence strategy. We observed the creation of a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that the malware is launched at every user logon; the value points at an executable with a benign-looking name. In addition, a scheduled task is created, and its task definition file was found under C:\Windows\System32\Tasks. The two mechanisms map to different ATT&CK techniques: the Run value is Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), and the task is Scheduled Task/Job: Scheduled Task (T1053.005). Either one surviving cleanup is enough for the implant to come back.
Command and Control
Our analysis of SquirrelWaffle's Command and Control (C2) mechanism revealed several noteworthy characteristics. The malware connects to dynamically generated hostnames, often registered on free dynamic DNS services or served from compromised infrastructure. The C2 hostnames contain random-looking strings that change frequently, consistent with a Domain Generation Algorithm (Dynamic Resolution: Domain Generation Algorithms, T1568.002); the traffic itself is carried over HTTP/S (Application Layer Protocol: Web Protocols, T1071.001). Because the hostnames rotate faster than blocklists are updated, domain reputation alone does not catch this traffic; detection has to lean on the structure of the names and on the behaviour of the querying host.
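Because the hostnames above are random strings under a dynamic DNS provider, the practical detection is a per-query score rather than a blocklist lookup. The following is an added example, not code from the original report, and it also covers the DNS-filtering item under Detection Opportunities: it strips the dynamic DNS suffix so that only the attacker-chosen label is scored, then combines Shannon entropy, label length, digit ratio and vowel ratio, and groups hits by querying client. The DNS log, the suffix lists and the thresholds are all constructed for the demonstration; none of the names are real indicators.

```python
"""Score DNS query names for DGA-like structure and group hits by client.

Added example, not code from the original report.  The sample log, the
suffix lists and the thresholds below are constructed for the demonstration
and must be tuned against an organisation's own DNS baseline.
"""
import math
from collections import Counter

# Constructed sample DNS log as (client, qname).  None of these are real IOCs.
SAMPLE_DNS_LOG = [
    ("10.0.4.21", "www.microsoft.com"),
    ("10.0.4.21", "login.live.com"),
    ("10.0.4.37", "xk7q9v2mzp4t.duckdns.org"),
    ("10.0.4.37", "qhz83rtvmn1kwp.no-ip.org"),
    ("10.0.4.37", "h4g9kpqzx2.ddns.net"),
    ("10.0.4.50", "updates.example-corp.com"),
]

# The label of interest is the one the attacker chose, so treat dynamic DNS
# providers like a public suffix.  A real deployment would use the full
# Public Suffix List; these two sets are a constructed stand-in.
DYNAMIC_DNS_SUFFIXES = {"duckdns.org", "no-ip.org", "ddns.net", "hopto.org"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

ALERT_THRESHOLD = 2.5


def registrable_label(qname: str) -> tuple[str, str]:
    """Return (chosen_label, suffix), e.g. ('xk7q9v2mzp4t', 'duckdns.org')."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    for n in (2, 1):
        suffix = ".".join(parts[-n:])
        if suffix in DYNAMIC_DNS_SUFFIXES or suffix in MULTI_LABEL_SUFFIXES:
            if len(parts) > n:
                return parts[-n - 1], suffix
    return parts[-2], parts[-1]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_score(qname: str) -> float:
    """Additive heuristic over the attacker-chosen label.  Higher is worse."""
    label, _ = registrable_label(qname)
    if not label:
        return 0.0
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    score = 0.0
    if entropy > 3.0:        # many distinct characters, little repetition
        score += 1.0
    if len(label) >= 10:     # long labels are unusual for brand names
        score += 0.5
    if digit_ratio > 0.2:    # dictionary words rarely carry many digits
        score += 1.0
    if vowel_ratio < 0.2:    # pronounceable names need vowels
        score += 1.0
    return score


def find_dga_clients(log, threshold: float = ALERT_THRESHOLD) -> dict[str, list[str]]:
    """Group suspicious query names by the client that asked for them."""
    hits: dict[str, list[str]] = {}
    for client, qname in log:
        if dga_score(qname) >= threshold:
            hits.setdefault(client, []).append(qname)
    return hits


if __name__ == "__main__":
    for client, qname in SAMPLE_DNS_LOG:
        print(f"{client:12} {dga_score(qname):4.1f} {qname}")
    print(find_dga_clients(SAMPLE_DNS_LOG))
```

Note that `updates.example-corp.com` trips the entropy test alone (a twelve-character hyphenated label has little repetition), which is why the score combines several weak signals and alerts only at 2.5 and above: a single host issuing a burst of high-scoring queries is the pattern worth an analyst's time, not one odd name.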
Lateral Movement & Discovery
As the investigation progressed, the evidence showed that SquirrelWaffle rarely operates alone; it is typically a precursor to additional payloads such as ransomware or information stealers. We observed lateral movement over Windows admin shares (Remote Services: SMB/Windows Admin Shares, T1021.002) used to propagate through the environment, alongside exploitation of remote services (T1210) and PowerShell commands used to find additional systems and prepare the follow-on attack. Commands logged during this phase showed enumeration of users and systems within Active Directory (Account Discovery: Domain Account, T1087.002; Remote System Discovery, T1018).
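The enumeration commands logged during this phase are the cheapest place to catch the hands-on-keyboard stage, provided process-creation logging (Security event 4688 with command-line auditing, or Sysmon event 1) is enabled. The following is an added example, not code from the original report: it matches command lines against a small set of discovery and admin-share patterns, tags each hit with the corresponding ATT&CK technique, and reports only actors (host plus user) that produce a burst of hits, since a single `net view` from an administrator is routine. The events are constructed for the demonstration and the pattern list is a starting point, not a catalogue.

```python
"""Flag Active Directory discovery commands in process-creation telemetry.

Added example, not code from the original report.  Each record mimics the
fields of Windows Security event 4688 / Sysmon event 1 (process creation)
and is constructed for the demonstration; the pattern list is a starting
point, not a complete catalogue.
"""
import re
from collections import defaultdict

# (ATT&CK technique, case-insensitive regex over the command line)
DISCOVERY_PATTERNS = [
    ("T1087.002 Account Discovery: Domain Account",
     r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b"),
    ("T1087.002 Account Discovery: Domain Account", r"\bGet-AD(?:User|GroupMember)\b"),
    ("T1018 Remote System Discovery", r"\bnltest(?:\.exe)?\s+/dclist\b"),
    ("T1018 Remote System Discovery", r"\bnet1?(?:\.exe)?\s+view\b"),
    ("T1018 Remote System Discovery", r"\bGet-ADComputer\b"),
    ("T1482 Domain Trust Discovery", r"\bnltest(?:\.exe)?\s+/domain_trusts\b"),
    ("T1021.002 Remote Services: SMB/Windows Admin Shares",
     r"\bnet1?(?:\.exe)?\s+use\s+\\\\[^\s\\]+\\[a-z]\$"),
]

# Constructed events: (timestamp, host, user, command line)
SAMPLE_EVENTS = [
    ("2024-01-10T09:14:02Z", "WS-0412", "CORP\\j.doe",
     "C:\\Windows\\System32\\notepad.exe report.txt"),
    ("2024-01-10T09:21:40Z", "WS-0412", "CORP\\j.doe",
     "net group \"Domain Admins\" /domain"),
    ("2024-01-10T09:21:55Z", "WS-0412", "CORP\\j.doe", "nltest /dclist:corp.local"),
    ("2024-01-10T09:22:30Z", "WS-0412", "CORP\\j.doe",
     "powershell -nop -w hidden -c \"Get-ADComputer -Filter * | select name\""),
    ("2024-01-10T10:02:11Z", "WS-0777", "CORP\\svc_backup",
     "net use \\\\FS01\\C$ /user:CORP\\svc_backup"),
    ("2024-01-10T11:45:09Z", "WS-0301", "CORP\\a.lee", "net view \\\\FS01"),
]


def classify(cmdline: str) -> list[str]:
    """Return the techniques a command line matches, without duplicates."""
    techniques: list[str] = []
    for technique, pattern in DISCOVERY_PATTERNS:
        if re.search(pattern, cmdline, re.IGNORECASE) and technique not in techniques:
            techniques.append(technique)
    return techniques


def hunt(events, min_hits: int = 2) -> dict[tuple[str, str], list[tuple]]:
    """Group hits per (host, user) and keep only actors with a burst of them.

    One discovery command is background noise from administrators; several
    from the same user on the same workstation is worth an analyst's time.
    """
    by_actor: dict[tuple[str, str], list[tuple]] = defaultdict(list)
    for ts, host, user, cmdline in events:
        techs = classify(cmdline)
        if techs:
            by_actor[(host, user)].append((ts, cmdline, techs))
    return {actor: hits for actor, hits in by_actor.items() if len(hits) >= min_hits}


if __name__ == "__main__":
    for (host, user), hits in hunt(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {len(hits)} discovery commands")
        for ts, cmdline, techs in hits:
            print(f"  {ts}  {cmdline}  -> {', '.join(techs)}")
```

The grouping threshold is the important design choice: `CORP\svc_backup` mapping an admin share and `CORP\a.lee` running `net view` both match a pattern, but only `CORP\j.doe` on WS-0412 is reported, because three distinct enumeration commands inside a minute is the sequence that precedes the secondary payloads described above.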
Impact & Objectives
The ultimate objective of the SquirrelWaffle campaign appears to be persistent access followed by the deployment of secondary payloads that lead to data exfiltration or ransomware extortion. Organizations typically suffer significant operational disruption after a successful intrusion, particularly when ransomware is the chosen payload. Our investigation surfaced several incidents in which sensitive data was not only accessed but exfiltrated, with consequences that included reputational damage, financial loss, and an extensive recovery effort.
MITRE ATT&CK Mapping
- T1566.001 – Phishing: Spearphishing Attachment: initial access through emails carrying macro-enabled documents.
- T1204.002 – User Execution: Malicious File: the victim enables macros, which runs the VBA downloader.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Run value under HKEY_CURRENT_USER launches the implant at logon.
- T1053.005 – Scheduled Task/Job: Scheduled Task: task definition written under C:\Windows\System32\Tasks.
- T1568.002 – Dynamic Resolution: Domain Generation Algorithms: frequently changing C2 hostnames on dynamic DNS services.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 communications over HTTP/S.
- T1021.002 – Remote Services: SMB/Windows Admin Shares: propagation through the network over admin shares.
- T1210 – Exploitation of Remote Services: observed during lateral movement.
- T1087.002 / T1018 – Account Discovery: Domain Account / Remote System Discovery: enumeration of Active Directory users and systems before follow-on payloads.
Detection Opportunities
- Monitor for anomalous email attachments, especially those with .docm extensions, in incoming messages.
- Implement logging and alerts for newly created items in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and for anything written to C:\Windows\System32\Tasks.
- Utilize DNS filtering to identify and block requests to known malicious or suspicious dynamic domains.
Analyst Notes
Based on our thorough analysis of the SquirrelWaffle campaign, it is critical for organizations to bolster their email filtering capabilities and user education regarding phishing schemes. Additionally, the implementation of robust endpoint detection and response (EDR) solutions can significantly mitigate risks associated with lateral movement and persistence tactics. Continuous monitoring and quick response mechanisms are essential in defending against such evolving threats.
Source: Original Report