New Malware Loader Distributed Through Malspam Campaigns

Security researchers have spotted a new strain of malware making the rounds. The threat, dubbed SquirrelWaffle, is being distributed through malicious spam (malspam) campaigns that use doctored Microsoft Office documents.

Researchers at security firm Cisco Talos first spotted the threat in September 2021. SquirrelWaffle is a loader: a type of malware that acts as a delivery vehicle, dropping and executing other malicious software on the compromised system.

The malspam campaign is notable because it uses hijacked email threads: the malware-laden emails are sent as replies to existing conversations, which lends them credibility. Cisco's researchers also noted similarities between the SquirrelWaffle campaign and earlier campaigns used to spread the Emotet malware. The Talos team warned businesses in particular, citing an elevated risk of corporate network infections.

The bait emails contain links to compressed archives hosted on websites under the attackers' control. Although the English in the email text is somewhat questionable, Cisco observed that the messages are adapted to match the language used earlier in the hijacked thread, so a degree of tailoring and social engineering is involved.

SquirrelWaffle emails have also been seen in French, German and Polish, so the campaign is not limited to English-speaking targets.

Cisco has been tracking the campaign's intermittent peaks and lulls in activity and reports that the new malware is not yet distributed as widely as Emotet, though it is slowly getting there. The malspam volume peaked in late September, with three smaller spikes in activity since then.

The archives linked from the phishing emails contain Microsoft Office documents that, when opened, deliver the final payload. The documents carry plausible names such as "diagram", "chart" or "specification" to further bolster the victim's confidence.
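The three traits described above (a reply into an existing thread, a link to an archive on an attacker-controlled site, and an Office document with a benign-sounding name inside that archive) can be turned into a simple mail-gateway or triage check. The following script is an added example written for this page; it is not Cisco Talos tooling and not SquirrelWaffle code. The sample message, the hostnames and the in-memory archive are constructed for illustration, and the reply-prefix list, archive extensions and lure keywords are assumptions chosen to match the campaign as the article describes it.

```python
"""Heuristic triage for the SquirrelWaffle malspam pattern (added example).

Flags a message that (1) is a reply into an existing thread, (2) links to a
compressed archive, and (3) whose archive holds an Office document with a
lure-style name. Standard library only, runs offline on constructed input.
"""
import io
import re
import zipfile
from email import policy
from email.parser import BytesParser

# Assumed indicator lists, not taken from the original report.
ARCHIVE_EXT = (".zip", ".rar", ".7z")
LEGACY_OFFICE_EXT = (".doc", ".xls")          # OLE compound files
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm")  # zip-based Office files
LURE_NAMES = ("diagram", "chart", "specification")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Reply prefixes used by English, German and Polish mail clients (assumption).
REPLY_PREFIX = re.compile(r"(?i)^(re|aw|odp)\s*:")

# Constructed sample: a reply injected into a hijacked thread, linking to a zip.
SAMPLE_EML = b"""From: accounts <accounts@example-partner.test>
To: victim <victim@example-corp.test>
Subject: RE: Q3 invoice follow-up
In-Reply-To: <original-thread-id@example-corp.test>
References: <original-thread-id@example-corp.test>
Content-Type: text/plain; charset=utf-8

Hello, please see attached diagram as discussed below.
http://compromised-site.test/docs/diagram-2021.zip

> On Mon, victim wrote:
> Could you send the updated figures?
"""


def thread_hijack_indicators(raw):
    """Parse a raw RFC 5322 message and return the indicators found in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg.get("Subject", "") or ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    archive_urls = [u for u in urls
                    if u.lower().split("?", 1)[0].endswith(ARCHIVE_EXT)]
    is_reply = (bool(msg.get("In-Reply-To") or msg.get("References"))
                or bool(REPLY_PREFIX.match(subject.strip())))
    return {
        "is_reply": is_reply,
        # A quoted prior message is what makes the hijacked reply look genuine.
        "quotes_prior_thread": any(l.startswith(">") for l in text.splitlines()),
        "archive_urls": archive_urls,
    }


def build_sample_archive():
    """Constructed archive imitating the lure: a legacy .doc named 'diagram'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("diagram.doc", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def suspicious_archive_members(archive):
    """Return (name, lure_name, header_matches_extension) for Office files.

    header_matches_extension catches a member whose extension lies about its
    real format (e.g. a '.doc' that is not an OLE file), which is worth a look
    in its own right.
    """
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(LEGACY_OFFICE_EXT + OOXML_EXT):
                continue
            data = zf.read(info.filename)
            if name.endswith(LEGACY_OFFICE_EXT):
                header_ok = data.startswith(OLE_MAGIC)
            else:
                header_ok = data.startswith(b"PK")
            stem = name.rsplit("/", 1)[-1].rsplit(".", 1)[0]
            lure = any(k in stem for k in LURE_NAMES)
            out.append((info.filename, lure, header_ok))
    return out


def triage(raw_eml, archive=None):
    """Combine the indicators into a verdict and the reasons behind it."""
    ind = thread_hijack_indicators(raw_eml)
    reasons = []
    if ind["is_reply"] and ind["archive_urls"]:
        reasons.append("reply into existing thread links to an archive")
    if archive is not None:
        members = suspicious_archive_members(archive)
        if any(lure for _, lure, _ in members):
            reasons.append("archive holds Office document with lure-style name")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    print(triage(SAMPLE_EML, build_sample_archive()))
```

In production the archive would be fetched by a sandbox rather than the gateway, and the lure-name list would be one signal among many; the point of the example is that the thread-reply plus archive-link combination is cheap to detect before the document is ever opened.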
