Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Squirrelwaffle has decrypted files and payloads using an XOR-based algorithm.[1][2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Squirrelwaffle has used PowerShell to execute its payload.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Squirrelwaffle has used |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Squirrelwaffle has used HTTP POST requests for C2 communications.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Squirrelwaffle has encrypted collected data using an XOR-based algorithm.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Squirrelwaffle has encoded its communications to C2 servers using Base64.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Squirrelwaffle has been packed with a custom packer to hide payloads.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Squirrelwaffle has been obfuscated with an XOR-based algorithm.[1][2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Squirrelwaffle has relied on victims to click on a malicious link sent via phishing campaigns.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Squirrelwaffle has relied on users enabling malicious macros within Microsoft Excel and Word attachments.[1][2] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Squirrelwaffle has been executed using |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Squirrelwaffle has been executed using |
| Enterprise | T1082 | System Information Discovery | Squirrelwaffle has gathered victim computer information and configurations.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Squirrelwaffle can collect the user name from a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Squirrelwaffle has collected the victim's external IP address.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Squirrelwaffle has downloaded and executed additional encoded payloads.[1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Squirrelwaffle has been distributed through phishing emails containing a malicious URL.[1] |
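The execution chain mapped above (Office macro, T1204.002/T1059.005, launching PowerShell or cmd.exe, T1059.001/.003, which in turn runs regsvr32.exe or rundll32.exe, T1218.010/.011) can be spotted in process-creation telemetry. The following is an added detection example, not part of the ATT&CK entry or the cited reports; the event fields and sample events are constructed for illustration.

```python
# Added example: flag Office -> (PowerShell|cmd)* -> regsvr32/rundll32
# process chains in process-creation events. Event schema is constructed.
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe"}                 # T1204.002 / T1059.005
INTERPRETERS = {"powershell.exe", "cmd.exe"}          # T1059.001 / T1059.003
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe"}     # T1218.010 / T1218.011


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str


# Constructed sample events: one benign Office session, one macro-driven
# chain through PowerShell, one direct Excel -> regsvr32 launch, and an
# unrelated rundll32 started from explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "WINWORD.EXE"),
    ProcEvent(300, 200, "powershell.exe"),
    ProcEvent(400, 300, "regsvr32.exe"),
    ProcEvent(500, 100, "EXCEL.EXE"),
    ProcEvent(600, 500, "splwow64.exe"),   # normal print-spooler helper
    ProcEvent(700, 100, "rundll32.exe"),   # no Office ancestry: benign here
    ProcEvent(800, 500, "regsvr32.exe"),   # Office launching regsvr32 directly
]


def find_macro_chains(events):
    """Return (office_pid, proxy_pid) pairs where an Office process is an
    ancestor of regsvr32/rundll32 with only interpreters in between."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in PROXY_BINARIES:
            continue
        cur = by_pid.get(e.ppid)
        # Walk up the parent chain; stop at the first non-interpreter.
        while cur is not None:
            name = cur.image.lower()
            if name in OFFICE:
                hits.append((cur.pid, e.pid))
                break
            if name not in INTERPRETERS:
                break
            cur = by_pid.get(cur.ppid)
    return hits
```

Ancestry is matched case-insensitively because Office image names are commonly logged in upper case, and the walk tolerates nested interpreters (for example cmd.exe spawning powershell.exe) before the proxy binary.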