2021-09-20 (MONDAY) - SQUIRRELWAFFLE LOADER WITH COBALT STRIKE

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1440027013595766784

INFECTION CHAIN:

malspam --> link --> zip archive --> extracted Excel spreadsheet --> enable macros --> Squirrelwaffle loader --> Cobalt Strike

NOTES:

- The term "SQUIRRELWAFFLE loader" was assigned by Proofpoint to identify this malware.

- Squirrelwaffle loader is pushed from one of the botnets that has also pushed Qakbot.

- Squirrelwaffle loader is distributed through email, and these messages are spoofed replies to legitimate email chains like we've seen with Qakbot.

- Last week we saw Word documents used for the infection chain. Today we saw Excel spreadsheets instead.

ORIGINAL REFERENCES:

- https://twitter.com/ffforward/status/1439924143730868237
- https://twitter.com/drb_ra/status/1438076318638346249
- https://twitter.com/mojoesec/status/1438586267583893509

EXAMPLE OF SQUIRRELWAFFLE LOADER ACTIVITY FROM LAST WEEK:

- https://www.malware-traffic-analysis.net/2021/09/17/index.html

LINK FROM EMAIL:

- hxxp://trezoir.sukmabali[.]com/voluptatem-ut/numquam.zip

ABOVE LINK REDIRECTED TO:

- hxxps://trezoir.sukmabali[.]com/voluptatem-ut/documents.zip

DOWNLOADED ZIP:

- SHA256 hash: 9fc6152471ff2e228b5ce67487b0bc75549d3bd034e9dcf7086677568f7dd518
- File size: 181,593 bytes
- File location: hxxps://trezoir.sukmabali[.]com/voluptatem-ut/documents.zip
- File description: Zip archive downloaded from the link in the email; contains the spreadsheet below

EXTRACTED SPREADSHEET:

- SHA256 hash: 5401103614610b1e109c674b2f90732e0a056be81dbdd8886324aa2d41f0cf2a
- File size: 269,312 bytes
- File name: diagram_1196516445.xls
- File description: Excel file with macro for Squirrelwaffle

URLS GENERATED BY ABOVE SPREADSHEET MACRO FOR SQUIRRELWAFFLE:

- 108.167.165[.]249 - hxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec.html
- 108.167.165[.]249 - hxxps://orquideavallenata[.]com/4jmDb0s9sg/sec.html
- 108.167.165[.]249 - hxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec.html

DOWNLOADED DLL FILES:

- SHA256 hash: 54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c
- File size: 407,802 bytes
- File location: hxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec.html
- File location: C:\Dataop\test.test
- Run method: regsvr32 [filename]

- SHA256 hash: 26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618
- File size: 530,817 bytes
- File location: hxxps://orquideavallenata[.]com/4jmDb0s9sg/sec.html
- File location: C:\Dataop\test1.test
- Run method: regsvr32 [filename]

- SHA256 hash: e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815
- File size: 530,853 bytes
- File location: hxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec.html
- File location: C:\Dataop\test2.test
- Run method: regsvr32 [filename]

SQUIRRELWAFFLE C2 TRAFFIC:

- 209.59.138[.]230 port 80 - megasoftsol[.]com - POST /R26csFnDY/[base64-like string]
- 107.180.3[.]217 port 80 - authentification.scanandrace[.]com - POST /m1xwraBcBFN/[base64-like string]
- 192.3.204[.]194 port 80 - new.actsgeneration[.]org - POST /1vXSPxRR3bR/[base64-like string]

FOLLOW-UP MALWARE - COBALT STRIKE:

- SHA256 hash: 6741b00318988d6bd3185be68756ac92d33f98c0df6c173aaa7a1e092b591305
- File size: 276,992 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\F69AzBlax3C.txt
- File description: Windows EXE for Cobalt Strike

COBALT STRIKE C2 TRAFFIC:

- 213.227.154[.]92 port 443 - systemmentorsec[.]com - HTTPS traffic
- 213.227.154[.]92 port 443 - 213.227.154[.]92 - HTTPS traffic
- 213.227.154[.]92 port 4444 - systemmentorsec[.]com - HTTPS traffic
- 213.227.154[.]92 port 4444 - 213.227.154[.]92:4444 - HTTPS traffic
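As an added example (not part of the original notes), the script below turns the indicators listed above into detection logic and runs it over a few constructed log lines. The indicator values are copied from this page; everything else is assumed for the example: the proxy and process-creation log formats are made up, the detection names are arbitrary, and the length bounds in the check-in path regex are a guess, since the notes only describe the URI tail as a "base64-like string". The refang helper undoes the hxxp / [.] defanging used on the page so the values match real log fields.

```python
import re
from typing import List

# Indicators copied from the notes above, kept in the defanged form the page uses.
SQUIRRELWAFFLE_C2_HOSTS = [
    "megasoftsol[.]com",
    "authentification.scanandrace[.]com",
    "new.actsgeneration[.]org",
]
COBALT_STRIKE_C2 = ["systemmentorsec[.]com", "213.227.154[.]92"]
PAYLOAD_HOSTS = [
    "cortinastelasytrazos[.]com",
    "orquideavallenata[.]com",
    "fundacionverdaderosheroes[.]com",
]


def refang(indicator: str) -> str:
    """Undo the defanging used in the notes so a value matches real log fields."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


KNOWN_HOSTS = {refang(h) for h in SQUIRRELWAFFLE_C2_HOSTS + COBALT_STRIKE_C2 + PAYLOAD_HOSTS}
CS_HOSTS = {refang(h) for h in COBALT_STRIKE_C2}

# Shape of the Squirrelwaffle check-in from the notes: POST /<short alphanumeric dir>/<base64-like string>.
# The length bounds are an assumption for this example, not something the notes state.
SW_POST_PATH = re.compile(r"^/[A-Za-z0-9]{9,12}/[A-Za-z0-9+/=_-]{16,}$")

# Constructed proxy log format (assumed, not from the page): ts client dst_ip dst_port method host path
PROXY_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)

# Constructed process-creation log format (assumed): ts host user image | command line
PROC_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<image>\S+) \| (?P<cmdline>.+)$")
DLL_EXTENSIONS = (".dll", ".ocx")
STAGING_DIR = "c:\\dataop\\"  # directory the DLLs were written to, from the notes


def scan_proxy_line(line: str) -> List[str]:
    """Return the names of the detections that fire on one proxy log line."""
    m = PROXY_LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    host, path, method, port = m["host"], m["path"], m["method"], int(m["port"])
    if host in KNOWN_HOSTS:
        hits.append("known_c2_or_payload_host")
    if method == "POST" and port == 80 and SW_POST_PATH.match(path):
        hits.append("squirrelwaffle_checkin_shape")
    if host in CS_HOSTS and port == 4444:
        hits.append("cobalt_strike_nonstandard_tls_port")
    return hits


def scan_process_line(line: str) -> List[str]:
    """Flag regsvr32 loading a file from the staging directory or with a non-DLL extension."""
    m = PROC_LOG_RE.match(line.strip())
    if not m or not m["image"].lower().endswith("regsvr32.exe"):
        return []
    hits = []
    args = m["cmdline"].split()[1:]  # drop the image name itself
    targets = [a.strip('"') for a in args if not a.startswith(("/", "-"))]
    for target in targets:
        lowered = target.lower()
        if lowered.startswith(STAGING_DIR):
            hits.append("regsvr32_dataop_staging_dir")
        if not lowered.endswith(DLL_EXTENSIONS):
            hits.append("regsvr32_non_dll_extension")
    return hits


# Constructed sample log lines (not captured traffic); the C2 host, IP and URI prefix come from the notes.
SAMPLE_PROXY_LOG = [
    "2021-09-20T14:02:11Z 10.0.0.25 209.59.138.230 80 POST megasoftsol.com /R26csFnDY/aGVsbG8gd29ybGQgdGhpcyBpcw==",
    "2021-09-20T14:02:13Z 10.0.0.25 93.184.216.34 443 GET example.com /index.html",
    "2021-09-20T14:05:40Z 10.0.0.25 213.227.154.92 4444 CONNECT 213.227.154.92 /",
]
SAMPLE_PROCESS_LOG = [
    r"2021-09-20T14:01:58Z WKSTN-07 CORP\jdoe C:\Windows\System32\regsvr32.exe | regsvr32 /s C:\Dataop\test.test",
    r"2021-09-20T14:00:02Z WKSTN-07 CORP\jdoe C:\Windows\System32\regsvr32.exe | regsvr32 /s C:\Windows\System32\msxml3.dll",
    r"2021-09-20T14:00:05Z WKSTN-07 CORP\jdoe C:\Windows\System32\notepad.exe | notepad C:\Dataop\test.test",
]

if __name__ == "__main__":
    for line in SAMPLE_PROXY_LOG:
        print(scan_proxy_line(line) or "-", line)
    for line in SAMPLE_PROCESS_LOG:
        print(scan_process_line(line) or "-", line)
```

The host-list match is the brittle part: the payload and C2 domains on this page rotate quickly, so the two behavioural checks (a plain-HTTP POST with the check-in path shape, and regsvr32 registering a file from a staging directory or without a DLL extension) are what remain useful once these specific indicators age out.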