What is SquirrelWaffle?


Executive Summary

SquirrelWaffle is a dropper (loader): its job is to download additional, potentially more destructive, malware onto a compromised system. The threat actors behind it have gone to extra lengths to keep it hidden and difficult to analyse.

It spreads through malicious Microsoft Office attachments in phishing emails. So far, macro-enabled Microsoft Word or Excel documents appear to be the preferred delivery method.

The dropped payload is a PE DLL that is executed with either rundll32.exe or regsvr32.exe. Both are legitimate, signed Windows binaries, so the useful signals are the parent process and the location the DLL is loaded from, not the executable name itself.

The dropper's purpose is to install second-stage malware, usually Cobalt Strike or Qakbot (Qbot). The infection chain can begin with an email reply chain attack, in which the threat actor sends the malicious email from a hijacked account belonging to one of the participants in an existing thread. Because the attacker can see the whole thread, the message can be tailored to the context of the conversation, making it appear legitimate and increasing the chance that the recipient opens the attachment.

This mirrors Emotet, whose campaigns also rely on email reply chain attacks. SquirrelWaffle is the first-stage loader, delivered via phishing emails that carry malicious Word or Excel documents. Their macros execute PowerShell to retrieve and launch the SquirrelWaffle payload. The payload written to disk has a different hash on every execution, so no two runs of the same malicious document produce the same SquirrelWaffle file; file-hash indicators for the payload itself are therefore of limited use, and detection has to rest on behaviour.

Once a host is infected, SquirrelWaffle can download a Cobalt Strike payload served with a .txt extension and launch it by calling WinExec. The other payload observed is Qbot, which, once running, attempts to extract email data from the host.

The malware communicates with its C2 server over HTTP POST requests whose body is obfuscated: the collected data is XORed with a key and then Base64-encoded. The data sent to the C2 includes:

• The %APPDATA% path, read with getenv

• The hostname of the system, from GetComputerNameW

• The username of the victim, from GetUserNameW

• Workstation configuration of the system, from NetWkstaGetInfo()

The same C2 channel is then used to deliver the secondary payloads.
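The two-layer obfuscation just described (XOR, then Base64) is cheap to undo once the key is known, and the fixed layout of the beacon gives an analyst a known plaintext to recover the key from. The following Python is an added example, not code from the original post or from the SquirrelWaffle sample: it rebuilds a beacon body from constructed host values, decodes it, and recovers the XOR key from a captured body using the fact that the first field is a %APPDATA% path beginning with C:\Users\. The host values, the XOR key and the "|" field separator are all assumptions for the example; a real sample's key and wire layout have to be taken from the binary.

```python
import base64
from itertools import cycle
from typing import Optional

# Constructed host profile standing in for the values the loader reads with
# getenv("APPDATA"), GetComputerNameW, GetUserNameW and NetWkstaGetInfo.
# Every value here is made up for the example.
SAMPLE_HOST = {
    "appdata": r"C:\Users\jdoe\AppData\Roaming",
    "hostname": "WS-FINANCE-07",
    "username": "jdoe",
    "workstation": "domain=CORP;os=10.0",
}

# Assumed repeating XOR key for the example. A real sample carries its key in
# its configuration; it has to be pulled from the binary or recovered from
# traffic, as recover_key() does below.
ASSUMED_KEY = b"\x4b\x9e\x1f\x72\xa3\x0c\xd5\x61"

# Assumed field separator; the page does not describe the exact wire layout.
FIELD_SEP = "|"
FIELDS = ("appdata", "hostname", "username", "workstation")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_beacon(host: dict, key: bytes) -> str:
    """Produce the POST body: fields joined, XOR-obfuscated, then Base64-encoded."""
    plaintext = FIELD_SEP.join(host[f] for f in FIELDS).encode("utf-8")
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_beacon(body: str, key: bytes) -> dict:
    """Strip both layers from a captured body and split the fields back out."""
    plaintext = xor_bytes(base64.b64decode(body), key).decode("utf-8")
    return dict(zip(FIELDS, plaintext.split(FIELD_SEP, len(FIELDS) - 1)))


def looks_like_text(data: bytes) -> bool:
    """The right key yields printable ASCII; a wrong key yields bytes outside it."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def recover_key(body: str, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    The first field is the %APPDATA% path, which on a normal install begins
    with 'C:\\Users\\'. XORing those known plaintext bytes with the start of the
    ciphertext gives the first len(crib) key bytes; when the crib covers a full
    key period the whole key falls out and can be confirmed by decoding.
    """
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    ciphertext = base64.b64decode(body)
    candidate = xor_bytes(ciphertext[:key_len], crib[:key_len])
    if looks_like_text(xor_bytes(ciphertext, candidate)):
        return candidate
    return None


if __name__ == "__main__":
    body = build_beacon(SAMPLE_HOST, ASSUMED_KEY)
    print("POST body :", body)
    key = recover_key(body, b"C:\\Users\\", len(ASSUMED_KEY))
    print("key       :", key.hex() if key else "not recovered")
    print("fields    :", decode_beacon(body, key))
```

The crib attack only works here because the beacon always starts with the same predictable field; if the key period is longer than the crib, recover_key raises rather than guessing, and the remaining key bytes would have to come from a second crib (the hostname or username, if known from the victim environment) or from the sample's configuration.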


Educate staff on phishing emails. This is the main attack vector for SquirrelWaffle, so teaching staff the common indicators of phishing and what to do with unexpected attachments reduces the risk of a breach through this vector. Reply-chain lures deserve a specific mention, since an email that continues an existing conversation defeats the usual "unknown sender" heuristic.

If there’s not one in place, consider creating a policy on how to handle phishing emails. Specify that all suspicious emails should be reported to the security and/or IT departments.

Disable all macros except those that are digitally signed. With this setting Office shows a security notification for macros signed by a certified publisher, letting the user decide whether to enable them, while unsigned macros (the kind used in these campaigns) are blocked outright. Enforce the setting through Group Policy rather than relying on each user's Trust Center choices, and pair it with the policy that blocks macros in Office files that originate from the internet, since these documents arrive from outside the organisation.

Patch Microsoft Exchange servers and keep them up to date. SquirrelWaffle campaigns have exploited the ProxyShell and ProxyLogon vulnerabilities in on-premises Exchange to gain access to internal mailboxes and send reply-chain emails from legitimate accounts, so keeping Exchange patched removes that foothold.

What does CSA monitor?

Since the threat emerged, CSA have been identifying candidate detection rules for SquirrelWaffle activity and have implemented rules to detect the execution of macro-enabled Office documents. This allows the initial stage of the infection to be detected at the point where the loader attempts to install the second-stage Cobalt Strike or Qakbot payload. It also provides coverage against other threat actors for whom phishing with malicious documents is commonplace.
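The process chain set out in the Executive Summary (Office document, macro, PowerShell download, SquirrelWaffle DLL run by rundll32.exe or regsvr32.exe) is what macro-execution detections of the kind described here are aimed at. The following Python is an added example and is not CSA's detection rules or any product code: it runs three behavioural rules over constructed Sysmon-style process-creation events and then correlates hits per host, so that an Office hand-off to a script host and a DLL loader run from a user-writable path on the same machine are raised together rather than as two unrelated low-severity alerts. Hostnames, users, paths and command lines are all made up for the example.

```python
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Locations a standard user can write to. In the described chain the dropped
# DLL is written to disk and handed to rundll32/regsvr32 from somewhere like
# this, whereas legitimate use of those binaries mostly loads from C:\Windows
# or C:\Program Files.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)

# Common download-cradle and encoded-command markers in a PowerShell command line.
CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"\s-e(nc|ncodedcommand)?\b|frombase64string)", re.I)


@dataclass
class ProcEvent:
    """Minimal subset of a Sysmon Event ID 1 (process creation) record."""
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (possibly none)."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    hits = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")      # macro handing off to a script
    if child in POWERSHELL and CRADLE.search(ev.command_line):
        hits.append("powershell_download_cradle")     # fetch-and-run stage
    if child in DLL_LOADERS and USER_WRITABLE.search(ev.command_line):
        hits.append("dll_loader_user_writable_path")  # dropped DLL being executed
    return hits


def detect(events: list[ProcEvent]) -> list[tuple[str, ProcEvent]]:
    return [(rule, ev) for ev in events for rule in evaluate(ev)]


def correlate_chain(events: list[ProcEvent]) -> set[str]:
    """Hosts showing both ends of the chain: an Office macro hand-off and a DLL
    loader run from a user-writable path. Either alone can be noise; both on
    one host is the pattern worth paging on."""
    seen: dict[str, set[str]] = {}
    for rule, ev in detect(events):
        seen.setdefault(ev.host, set()).add(rule)
    return {h for h, rules in seen.items()
            if "office_spawns_script_host" in rules
            and "dll_loader_user_writable_path" in rules}


# Constructed sample telemetry (hosts, users, paths and command lines are made up).
SAMPLE_EVENTS = [
    ProcEvent("WS-FINANCE-07", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice-0117.docm"'),
    ProcEvent("WS-FINANCE-07", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc QQBBAEEA"),
    ProcEvent("WS-FINANCE-07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\jdoe\AppData\Roaming\1a2b\loader.dll,ldr"),
    ProcEvent("WS-FINANCE-07", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent("WS-HR-02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 8192"),
    ProcEvent("WS-HR-02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo report"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{ev.host}: {rule}: {ev.command_line}")
    print("full chain on:", sorted(correlate_chain(SAMPLE_EVENTS)))
```

Run stand-alone it prints three hits for WS-FINANCE-07 and one for WS-HR-02 (Excel spawning cmd.exe, which on its own is a common false positive), and reports only WS-FINANCE-07 as showing the full chain. Because the payload hash changes on every run, rules like these key on parent/child relationships and load paths rather than on file hashes.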

In addition, CSA's threat intelligence feeds are regularly updated with known domains, IP addresses and file hashes, so that any of these seen across the environment alerts analysts to the presence of malicious artefacts, network traffic or processes for further investigation.

For customers running on-premises Microsoft Exchange servers, CSA have detections in place to monitor unusual Exchange activity and indicators of both ProxyShell and ProxyLogon exploitation, alerting the client that their server may be being used as a distribution channel for these emails.

On top of this, the proactive threat hunting and research undertaken by CSA analysts seeks to identify and create detection rules for emerging threats to maintain visibility across the threat landscape.