
Threat Description
CTM360 has observed increased activity in the propagation of SquirrelWaffle, a malware loader that is actively being spread via email campaigns. This new threat uses malicious Microsoft Excel and Word documents to deliver Qakbot malware and Cobalt Strike. It relies on a technique called thread hijacking, in which the attackers reuse existing email conversations of their victims to reach new victims. Because the email appears to originate from a trusted source, the recipient is more likely to fall victim to it.
Attack Chain
● The user receives an email from a known but compromised third party (vendor, partner, colleague) containing a malicious URL.
● The received email reuses stolen email threads so that it appears as a reply in those threads.
● When the user clicks on the URL, a zip file is downloaded which contains the malicious Word or Excel file.
● When the malicious Word or Excel file is opened, the user is lured into clicking "Enable Content" (macros), which executes the malware.
● Newly registered domains are used to host the payload.
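The attack chain above combines three observable signals: a message that presents itself as a reply in an existing thread, a link whose target is a zip archive, and hosting on a newly registered domain. The following Python script is an added example (not CTM360's tooling) that scores an inbound message on exactly those three indicators. The sample messages, the domain first-seen table (standing in for a WHOIS or passive-DNS feed), the 30-day "newly registered" window and the alert threshold are all constructed assumptions for the example; the domain-reduction helper is a deliberate simplification and a production version would consult the Public Suffix List.

```python
import email
import re
from datetime import date
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (not real mail). SUSPECT_EMAIL mirrors the lure in
# the attack chain: a reply inside an existing thread pointing at a .zip on a
# freshly registered domain. BENIGN_EMAIL is an ordinary reply for comparison.
SUSPECT_EMAIL = """\
From: "Alex Vendor" <alex@vendor-example.test>
To: finance@victim-example.test
Subject: RE: Invoice 4471
In-Reply-To: <orig-4471@victim-example.test>
References: <orig-4471@victim-example.test>
Content-Type: text/plain; charset="utf-8"

Hi, the updated invoice is available here:
https://newly-registered-example.test/docs/invoice.zip
Thanks, Alex
"""

BENIGN_EMAIL = """\
From: "Alex Vendor" <alex@vendor-example.test>
To: finance@victim-example.test
Subject: RE: Invoice 4471
In-Reply-To: <orig-4471@victim-example.test>
Content-Type: text/plain; charset="utf-8"

Hi, the invoice is on the portal: https://vendor-example.test/portal/4471.pdf
Thanks, Alex
"""

# Constructed stand-in for a WHOIS / passive-DNS "first seen" feed.
DOMAIN_FIRST_SEEN = {
    "vendor-example.test": date(2015, 3, 2),
    "newly-registered-example.test": date(2021, 10, 28),
}

YOUNG_DOMAIN_DAYS = 30   # assumption: younger than this counts as "newly registered"
ALERT_THRESHOLD = 3      # assumption: indicator score at which the message is flagged
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplification; real code
    should consult the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def domain_age_days(host, today):
    """Age of the registrable domain in days, or None if the feed has no record."""
    first_seen = DOMAIN_FIRST_SEEN.get(registrable_domain(host))
    return None if first_seen is None else (today - first_seen).days


def message_text(msg):
    """Concatenate the text/plain and text/html bodies of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_content() for p in msg.walk()
                         if p.get_content_type() in ("text/plain", "text/html"))
    return msg.get_content()


def score_message(raw, today=date(2021, 11, 1)):
    """Return the indicators found in one RFC 822 message and whether it is flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    # Indicator 1: the mail presents itself as part of an existing thread.
    is_reply = bool(msg["In-Reply-To"] or msg["References"]) or \
        subject.lower().startswith(("re:", "fw:", "fwd:"))
    urls = URL_RE.findall(message_text(msg))
    # Indicator 2: a link whose path ends in .zip (the archive carrying the document).
    zip_links = [u for u in urls if urlparse(u).path.lower().endswith(".zip")]
    # Indicator 3: a link hosted on a domain registered only days ago.
    young_domains = []
    for u in urls:
        host = urlparse(u).hostname or ""
        age = domain_age_days(host, today)
        if age is not None and age < YOUNG_DOMAIN_DAYS:
            young_domains.append(registrable_domain(host))
    # A reply on its own is normal traffic; the archive link and the young domain
    # carry most of the weight so that the combination seen in this campaign alerts.
    score = int(is_reply) + 2 * bool(zip_links) + 2 * bool(young_domains)
    return {
        "is_reply": is_reply,
        "zip_links": zip_links,
        "young_domains": sorted(set(young_domains)),
        "score": score,
        "flagged": score >= ALERT_THRESHOLD,
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, score_message(raw))
```

Run stand-alone, the script prints the indicator dictionary for both messages: the thread-hijacked reply with the zip link on a four-day-old domain scores 5 and is flagged, while the legitimate reply linking to the vendor's long-standing portal scores 1 and passes. Because the reply indicator alone never crosses the threshold, the rule does not penalise normal thread traffic from the same partner.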