Security news that informs and inspires

Emerging Loader Delivered Via Hijacked Email Threads


A malware loader has been observed over the past month in attacks that leverage email thread hijacking to lure in victims. Researchers with Cisco Talos said the loader, called Squirrelwaffle, “could become the next big player in the spam space.”

The loader, first observed in mid-September and analyzed by researchers both with Zscaler and Cisco Talos, has since been detected with increasing consistency. The loader gives attackers an initial foothold onto victims’ network environments, which can then be leveraged to deliver additional malware families. It was observed coinciding with installations of the Qakbot banking trojan and Cobalt Strike penetration-testing tool following the initial compromise of the endpoint.

“While this threat is relatively new, the distribution campaigns, infrastructure, and C2 implementations feature several interesting techniques that are similar to those seen from other more established threats,” said Edmund Brumaghin, Mariano Graziano and Nick Mavis with Cisco Talos in a Tuesday analysis. “Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future.”

Avinash Kumar, senior security researcher with Zscaler, said the name Squirrelwaffle was first used in Proofpoint’s Emerging Threats rule set to identify traffic from this malware.

The attacks start with an email containing a hyperlink, which takes victims to a ZIP archive. The archive contains either a malicious Microsoft Word document or Microsoft Excel spreadsheet. At the start of the campaign, researchers observed Word being used, with attackers attempting to disguise it as the DocuSign document sharing platform; later, attackers tweaked the campaign to exclusively use Excel spreadsheets. Once macros are enabled, the Squirrelwaffle payload is retrieved and executed. In addition to sending data back to the C2 - including the victim username and the system’s hostname and Workstation configuration - the DLL primarily functions as a malware loader.

Researchers highlighted several characteristics of the attack that follow previous significant threats like Emotet, such as the use of email thread hijacking in the initial correspondence with victims, where attackers use email threads stolen prior to the attack and repurpose them to trick victims into believing the email is from someone they know. Zscaler's Kumar said email thread hijacking can happen in a number of ways, from a credential dump on the internet from a previous breach, to previous phishing campaigns.

“Over time, the distribution infrastructure has become significantly more aggressive at restricting access to the malicious components and is employing techniques, like geographic-based filtering, to prevent analysis and tracking.”

Cisco Talos researchers noted that these stolen email threads are sometimes “inconsistent” - in one attack, for instance, the attackers replied to an extortion email message, in a move “likely ineffective” in convincing victims to click on a hyperlink.

Spam emails are also customized with local languages, as the language targeted by the reply messages typically matches the language used in the original email thread. The majority of the emails - 76 percent - have been written in English, with the remainder in French, German, Dutch and Polish.

The attackers have also taken steps across their infrastructure and attack processes to make the campaigns more difficult to detect and analyze. The URL landing page structure for Squirrelwaffle distribution servers has rotated every few days and is “somewhat tied to the daily campaigns.” When looking at the distribution servers, researchers also found a deployment of ANTIBOT, a set of scripts commonly utilized in phishing kits. ANTIBOT can help attackers evade analysis by blocking the web server content if the HTTP/HTTPS requests originate from IP addresses associated with automated analysis platforms or security research organizations. The final DLL also contains a similar IP blocklist as part of its configuration.

“By limiting the ability for systems to retrieve malicious components, adversaries may more effectively evade large-scale automated analysis,” Cisco Talos researchers said. “Over time, the distribution infrastructure has become significantly more aggressive at restricting access to the malicious components and is employing techniques, like geographic-based filtering, to prevent analysis and tracking.”

Researchers caution that Squirrelwaffle may fill a void left after law enforcement disrupted the Emotet botnet in January, joining other popular first-stage malware loaders such as TrickBot in posing a persistent threat for enterprises.

“While the volume associated with these campaigns is not yet reaching the same level seen previously with threats like Emotet, it appears to be fairly consistent and may increase over time as the adversaries infect more users and increase the size of their botnet,” said researchers with Cisco Talos.

Zscaler’s Kumar said organizations can protect themselves by first and foremost keeping their security services updated. Also, it's important to “provide regular security training to all the staff to keep them aware and to identify phishing scams, malware and social engineering threats,” he said.