0xd - SquirrelWaffle.md

File metadata and controls

104 lines (68 loc) · 6.58 KB

# SquirrelWaffle

## Background

- SquirrelWaffle has been around for several years. It serves as a loader for secondary payloads, which commonly range from banking trojans (e.g. Dridex) to Cobalt Strike.

- It usually leverages a macro to launch a PowerShell script, which launches shellcode in memory, which then downloads and runs the second-stage payload (a DLL) that functions as the loader.

- The most common delivery mechanism is a .doc or .xls file with embedded macro(s).

## References

- NetSkope - SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and Qakbot
- TrendMicro - SquirrelWaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains

## Analysis

| Hash Type | File Hash |
|-----------|-----------|
| MD5 | 6be56f977b6692fb6ce5f94e110664e3 |
| SHA1 | f4d5ce35c656e0f156a2ced453a964faabef09fb |
| SHA-256 | ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519 |

We start the analysis of this sample by running TRiD against the file header, which confirms it is indeed a .docx file.

[Screenshot: TRiD output for the sample]
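As an added illustration of what TRiD's header check does (this is my own example, not code from the write-up), the following Python classifies an Office file purely by its leading bytes and, for an OOXML package, lists the zip entry that makes it macro-enabled. The sample inputs are constructed in memory, and the function names are my own.

```python
"""Added example: classify an Office document by its header bytes (the check
TRiD performs) and flag a VBA project inside an OOXML package.
Sample inputs below are constructed in memory; nothing is read from disk."""
from __future__ import annotations

import io
import struct
import zipfile

# Magic numbers of the two Office container formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.docm/.xlsx (zip package)


def classify_office_container(data: bytes) -> str:
    """Return 'ole2', 'ooxml' or 'unknown' from the leading bytes only."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ole2_sector_size(data: bytes) -> int:
    """Sector size from the CFB header: the sector shift is a uint16 at offset 0x1E."""
    (shift,) = struct.unpack_from("<H", data, 0x1E)
    return 1 << shift


def ooxml_macro_parts(data: bytes) -> list[str]:
    """Zip entries carrying a VBA project (what makes a docx/docm macro-enabled)."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        return [name for name in pkg.namelist() if name.lower().endswith("vbaproject.bin")]


def triage(data: bytes) -> dict:
    """Combine the header check with the macro lookup into one summary dict."""
    kind = classify_office_container(data)
    summary: dict = {"container": kind, "macro_parts": []}
    if kind == "ooxml":
        summary["macro_parts"] = ooxml_macro_parts(data)
    elif kind == "ole2":
        summary["sector_size"] = ole2_sector_size(data)
    return summary


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed input: a minimal zip laid out like a Word package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            pkg.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed CFB header: signature, zero CLSID, minor/major version, byte-order
# mark 0xFFFE, sector shift 9 (512-byte sectors), padded to one 512-byte sector.
SAMPLE_OLE2 = (
    OLE2_MAGIC + b"\x00" * 16 + b"\x3e\x00" + b"\x03\x00" + b"\xfe\xff" + b"\x09\x00"
    + b"\x00" * 480
)

if __name__ == "__main__":
    for label, blob in (("ooxml+macros", build_sample_ooxml(True)),
                        ("ooxml", build_sample_ooxml(False)),
                        ("ole2", SAMPLE_OLE2)):
        print(label, triage(blob))
```

A legacy OLE2 container needs a real stream walk (olevba and oledump do that) to find its macros; the header check above only tells you which parser to hand the file to.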

After using olevba and oledump to dump the contents of the embedded OLE streams, we can see a multitude of macros embedded in this sample.

[Screenshot: olevba/oledump listing of the embedded macros]

After exporting these to a text file, they can be further reviewed.

[Screenshot: exported macro text]

Most of the macros in this sample are long but harmless. My suspicion is that this is a simple redirection tactic. If we proceed to the macro named Module3, we can see references to specific Windows directories as well as references to a .ps1 file and a .txt file.

[Screenshot: Module3 macro]

The Visual Basic code in the above screenshot has been slightly de-obfuscated by hand. It is important to note that two specific objects are referenced here: var_Object.ttt1.Text and var_Object.ttt2.Text. Fortunately, our OLE stream extraction tools already pulled these out (see below).

[Screenshot: obfuscated PowerShell script]

The above shows an obfuscated PowerShell script.

[Screenshot: de-obfuscated PowerShell script]

If we de-obfuscate and simplify it, we get the above result, which plainly shows web client downloads of at least 5 different DLLs.

If we proceed to ttt2, we can see another Visual Basic macro that uses PowerShell, but this one is responsible for executing the DLLs.

[Screenshot: ttt2 Visual Basic macro]

It easily de-obfuscates to the below.

```bat
REM Running the previously identified PowerShell script
Powershell Set-ExecutionPolicy Bypass & %AppData%\\www.ps1

REM Executing the DLLs using Windows' built-in DLL launcher.
cmd /c rundll32.exe C:\\ProgramData\\www1.dll
cmd /c rundll32.exe C:\\ProgramData\\www2.dll
cmd /c rundll32.exe C:\\ProgramData\\www3.dll
cmd /c rundll32.exe C:\\ProgramData\\www4.dll
cmd /c rundll32.exe C:\\ProgramData\\www5.dll
```

## Attack Chain

1. User downloads the .doc file and enables macros.
2. The macro named deutsche runs automatically. It sets up an event handler with Private Sub UserForm_Click() to trigger an action any time the user clicks anywhere in the document.
3. The macro named Module3 runs.
4. Module3 grabs the %USERPROFILE%\%AppData%\Roaming directory, copies text data (PowerShell) from the deutsche OLE stream, and writes it out as a PowerShell script in its newly established staging directory.
5. Next, Module3 also copies text data (VBA) from the deutsche OLE stream and writes it out as a VBA script.
6. The PowerShell script is responsible for downloading 5 DLLs and staging them in the C:\ProgramData\ directory.
7. The VBA script is then responsible for launching the DLLs via PowerShell by invoking rundll32.exe.
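The chain above maps onto three host-side behaviours a detection engineer can alert on: an Office process dropping a script into AppData\Roaming, PowerShell bypassing the execution policy to run that script, and rundll32.exe loading a DLL staged under C:\ProgramData. The following Python evaluates those three rules over constructed JSON-lines endpoint events; it is my own added example, not code from the write-up, and the event schema, field names, rule names and the set of Office processes are assumptions of mine.

```python
"""Added example: behavioural detections for the SquirrelWaffle chain, evaluated
over constructed endpoint events (JSON lines; not real telemetry). Rule names,
event fields and the Office process list are assumptions of this example."""
import json
import re
from typing import Callable, Dict, List

# Office hosts that have no business writing scripts into AppData\Roaming (assumption).
OFFICE_PROCESSES = {"winword.exe", "excel.exe"}

ROAMING_SCRIPT = re.compile(r"\\appdata\\roaming\\[^\\]+\.(?:ps1|txt)$", re.I)
BYPASS_POLICY = re.compile(r"set-executionpolicy\s+bypass", re.I)
ROAMING_PS1_ARG = re.compile(r"\\appdata\\roaming\\\S+\.ps1", re.I)
PROGRAMDATA_DLL = re.compile(r"c:\\programdata\\\S+\.dll", re.I)


def office_drops_script(ev: dict) -> bool:
    """Steps 4/5: an Office process writes a .ps1 or .txt into AppData\\Roaming."""
    return (ev["type"] == "file_create"
            and ev["process"].lower() in OFFICE_PROCESSES
            and ROAMING_SCRIPT.search(ev["path"]) is not None)


def powershell_bypass_roaming(ev: dict) -> bool:
    """Step 6: PowerShell runs Set-ExecutionPolicy Bypass together with a Roaming .ps1."""
    cmd = ev.get("cmdline", "")
    return (ev["type"] == "process_create"
            and ev["process"].lower() == "powershell.exe"
            and BYPASS_POLICY.search(cmd) is not None
            and ROAMING_PS1_ARG.search(cmd) is not None)


def rundll32_programdata(ev: dict) -> bool:
    """Step 7: rundll32.exe loads a DLL staged under C:\\ProgramData."""
    cmd = ev.get("cmdline", "")
    return (ev["type"] == "process_create"
            and ev["process"].lower() == "rundll32.exe"
            and PROGRAMDATA_DLL.search(cmd) is not None)


RULES: Dict[str, Callable[[dict], bool]] = {
    "office_drops_script_in_roaming": office_drops_script,
    "powershell_bypass_runs_roaming_ps1": powershell_bypass_roaming,
    "rundll32_loads_programdata_dll": rundll32_programdata,
}


def evaluate(ev: dict) -> List[str]:
    """Names of every rule that fires on one event."""
    return [name for name, rule in RULES.items() if rule(ev)]


def scan(jsonl: str) -> Dict[int, List[str]]:
    """Map event id -> rules fired; events with no hits are omitted."""
    hits: Dict[int, List[str]] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        fired = evaluate(ev)
        if fired:
            hits[ev["id"]] = fired
    return hits


# Constructed events: ids 1-4 mirror the chain and should fire, 5-6 are benign look-alikes.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "file_create", "process": "WINWORD.EXE", "path": "C:\\Users\\alice\\AppData\\Roaming\\www.ps1"}
{"id": 2, "type": "file_create", "process": "WINWORD.EXE", "path": "C:\\Users\\alice\\AppData\\Roaming\\www.txt"}
{"id": 3, "type": "process_create", "process": "powershell.exe", "cmdline": "Powershell Set-ExecutionPolicy Bypass & C:\\Users\\alice\\AppData\\Roaming\\www.ps1"}
{"id": 4, "type": "process_create", "process": "rundll32.exe", "cmdline": "rundll32.exe C:\\ProgramData\\www1.dll"}
{"id": 5, "type": "process_create", "process": "rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"id": 6, "type": "file_create", "process": "notepad.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\notes.txt"}
"""

if __name__ == "__main__":
    for event_id, fired in scan(SAMPLE_EVENTS).items():
        print(event_id, fired)
```

The rundll32 rule is the noisiest of the three on its own (legitimate software does stage DLLs in ProgramData), so in practice it is worth correlating with the Office-drop and PowerShell rules on the same host within a short window rather than alerting on it in isolation.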

## IOCs - Behavioral

| IOC | Description |
|-----|-------------|
| Creation of a www.ps1 file in \AppData\Roaming | Used for staging the PowerShell script to download malicious DLLs. |
| Creation of a www.txt file in \AppData\Roaming | Used for copying the contents of the malicious Visual Basic script responsible for launching the DLLs. |

## IOCs - Network

| URL | Description |
|-----|-------------|
| hxxps://ghapan[.]com/Kdg73onC3oQ/090921[.]html | Download location for www1.dll |
| hxxps://gruasingenieria[.]pe/LUS1NTVui6/090921[.]html | Download location for www2.dll |
| hxxps://yoowi[.]net/tDzEJ8uVGwdj/130921[.]html | Download location for www3.dll |
| hxxps://chaturanga[.]groopy.com/7SEZBnhMLW/130921[.]html | Download location for www4.dll |
| hxxps://lotolands[.]com/JtaTAt4Ej/130921[.]html | Download location for www5.dll |
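The URLs above are defanged (hxxps, [.]) so they cannot be clicked by accident; to hunt with them they first have to be refanged and then matched at URL level and, more loosely, at host level. The following Python does that against a constructed proxy log; it is my own added example, not code from the write-up. The IOC URLs are the ones in the table, while the log format, log lines and function names are my own assumptions.

```python
"""Added example: refang the defanged network IOCs from the table above and
match them against a constructed proxy log. The log lines are made up; the
indicator URLs are the ones listed in the write-up."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Defanged URL -> the payload it served, copied from the IOC table.
DEFANGED_IOCS: Dict[str, str] = {
    "hxxps://ghapan[.]com/Kdg73onC3oQ/090921[.]html": "www1.dll",
    "hxxps://gruasingenieria[.]pe/LUS1NTVui6/090921[.]html": "www2.dll",
    "hxxps://yoowi[.]net/tDzEJ8uVGwdj/130921[.]html": "www3.dll",
    "hxxps://chaturanga[.]groopy.com/7SEZBnhMLW/130921[.]html": "www4.dll",
    "hxxps://lotolands[.]com/JtaTAt4Ej/130921[.]html": "www5.dll",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    out = re.sub(r"^hxxp", "http", indicator, flags=re.I)
    return out.replace("[.]", ".").replace("[:]", ":")


def build_matchers(iocs: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (exact URL -> payload, hostname -> payload) lookups from refanged IOCs."""
    urls = {refang(u): payload for u, payload in iocs.items()}
    hosts = {urlparse(u).hostname: payload for u, payload in urls.items()}
    return urls, hosts


def scan_proxy_log(log: str, iocs: Dict[str, str] = DEFANGED_IOCS) -> List[dict]:
    """Match 'timestamp client method url status' lines at URL level first, then host level."""
    urls, hosts = build_matchers(iocs)
    findings: List[dict] = []
    for lineno, line in enumerate(log.strip().splitlines(), start=1):
        _timestamp, client, _method, url, _status = line.split()
        if url in urls:
            findings.append({"line": lineno, "client": client, "level": "url", "payload": urls[url]})
            continue
        host = urlparse(url).hostname
        if host in hosts:
            findings.append({"line": lineno, "client": client, "level": "host", "payload": hosts[host]})
    return findings


# Constructed proxy log: two exact IOC URL hits, one hit on an IOC host only, one benign line.
SAMPLE_PROXY_LOG = """
2021-09-13T10:01:02Z 10.0.0.5 GET https://ghapan.com/Kdg73onC3oQ/090921.html 200
2021-09-13T10:01:03Z 10.0.0.5 GET https://yoowi.net/favicon.ico 404
2021-09-13T10:01:04Z 10.0.0.7 GET https://example.com/index.html 200
2021-09-13T10:01:05Z 10.0.0.5 GET https://chaturanga.groopy.com/7SEZBnhMLW/130921.html 200
"""

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

A host-level match (line 2 in the sample) is weaker evidence than an exact URL match, since several of these are otherwise legitimate domains that were compromised to host the payload, so it is reported separately rather than folded into the URL hits.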

## IOCs - Endpoint

| IOC | Description |
|-----|-------------|
| ae94cd20505f914bba5e612acb80c429c5606a739c0838e3a5f87bfcc7cc8519 | SHA256 for maldoc (dropper) |