SYMBOLCOMMON_NAMEaka. SYNONYMS
win.squirrelwaffle (Back to overview)

Squirrelwaffle

aka: DatopLoader

According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.

References
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-15SophosMatthew Everts, Stephen McNally
@online{everts:20220215:vulnerable:9c3b451, author = {Matthew Everts and Stephen McNally}, title = {{Vulnerable Exchange server hit by Squirrelwaffle and financial fraud}}, date = {2022-02-15}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/}, language = {English}, urldate = {2022-02-17} } Vulnerable Exchange server hit by Squirrelwaffle and financial fraud
Squirrelwaffle
2022-01-11CybereasonOmri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
@online{refaeli:20220111:threat:fd22089, author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro}, title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}}, date = {2022-01-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike}, language = {English}, urldate = {2022-01-18} } Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-12-16Red CanaryThe Red Canary Team
@online{team:20211216:intelligence:f7bad55, author = {The Red Canary Team}, title = {{Intelligence Insights: December 2021}}, date = {2021-12-16}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-december-2021}, language = {English}, urldate = {2021-12-31} } Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-11-29CertitudePeter Wagner
@online{wagner:20211129:unpatched:4047c05, author = {Peter Wagner}, title = {{Unpatched Exchange Servers distribute Phishing Links (SquirrelWaffle)}}, date = {2021-11-29}, organization = {Certitude}, url = {https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/}, language = {English}, urldate = {2021-12-06} } Unpatched Exchange Servers distribute Phishing Links (SquirrelWaffle)
Squirrelwaffle
2021-11-26Twitter (@jhencinski)Jon Hencinski
@online{hencinski:20211126:twitter:ca58fb5, author = {Jon Hencinski}, title = {{Twitter Thread on weelky MDR recap from expel.io}}, date = {2021-11-26}, organization = {Twitter (@jhencinski)}, url = {https://twitter.com/jhencinski/status/1464268732096815105}, language = {English}, urldate = {2021-11-29} } Twitter Thread on weelky MDR recap from expel.io
GootKit Squirrelwaffle
2021-11-19Trend MicroMohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78, author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar}, title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}}, date = {2021-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html}, language = {English}, urldate = {2021-11-25} } Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-18Red CanaryThe Red Canary Team
@online{team:20211118:intelligence:7b00cb9, author = {The Red Canary Team}, title = {{Intelligence Insights: November 2021}}, date = {2021-11-18}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-november-2021/}, language = {English}, urldate = {2021-11-19} } Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-11BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211111:threat:7b2544e, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: SquirrelWaffle Takes a Bite Out of Victim's Bank Accounts}}, date = {2021-11-11}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader}, language = {English}, urldate = {2021-11-17} } Threat Thursday: SquirrelWaffle Takes a Bite Out of Victim's Bank Accounts
Squirrelwaffle
2021-11-11SentinelOneNiranjan Jayanand
@online{jayanand:20211111:is:b8f1a8b, author = {Niranjan Jayanand}, title = {{Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader}}, date = {2021-11-11}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/}, language = {English}, urldate = {2021-11-12} } Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader
Squirrelwaffle
2021-11-10McAfeeKiran Raj
@online{raj:20211110:newest:c1f7fd2, author = {Kiran Raj}, title = {{The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.}}, date = {2021-11-10}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/}, language = {English}, urldate = {2021-11-12} } The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.
Squirrelwaffle
2021-11-09MinervaLabsMinerva Labs
@online{labs:20211109:new:411a8fd, author = {Minerva Labs}, title = {{A New DatopLoader Delivers QakBot Trojan}}, date = {2021-11-09}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan}, language = {English}, urldate = {2021-11-17} } A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-080ffset BlogChuong Dong
@online{dong:20211008:squirrelwaffle:4549cd1, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing The Main Loader}}, date = {2021-10-08}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle
2021-10-07NetskopeGustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-10-03Github (0xjxd)Joel Dönne
@techreport{dnne:20211003:squirrelwaffle:3a35566, author = {Joel Dönne}, title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}}, date = {2021-10-03}, institution = {Github (0xjxd)}, url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf}, language = {English}, urldate = {2021-10-07} } SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-10-010ffset BlogChuong Dong
@online{dong:20211001:squirrelwaffle:24c9b06, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}}, date = {2021-10-01}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle
2021-09-28ZscalerAvinash Kumar, Brett Stone-Gross
@online{kumar:20210928:squirrelwaffle:9b1cffc, author = {Avinash Kumar and Brett Stone-Gross}, title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}}, date = {2021-09-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike}, language = {English}, urldate = {2021-10-11} } Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-28Twitter (@Max_Mal_)Max Malyutin
@online{malyutin:20210928:how:139921e, author = {Max Malyutin}, title = {{Tweet on how to debug SquirrelWaffle}}, date = {2021-09-28}, organization = {Twitter (@Max_Mal_)}, url = {https://twitter.com/Max_Mal_/status/1442496131410190339}, language = {English}, urldate = {2021-09-28} } Tweet on how to debug SquirrelWaffle
Squirrelwaffle
2021-09-27Youtube (OALabs)Sergei Frankoff
@online{frankoff:20210927:live:83ccb1f, author = {Sergei Frankoff}, title = {{Live Coding A Squirrelwaffle Malware Config Extractor}}, date = {2021-09-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=9X2P7aFKSw0}, language = {English}, urldate = {2021-10-05} } Live Coding A Squirrelwaffle Malware Config Extractor
Squirrelwaffle
2021-09-27CynetMax Malyutin
@online{malyutin:20210927:virtual:cd72501, author = {Max Malyutin}, title = {{A Virtual Baffle to Battle Squirrelwaffle}}, date = {2021-09-27}, organization = {Cynet}, url = {https://www.cynet.com/understanding-squirrelwaffle/}, language = {English}, urldate = {2021-09-28} } A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle
2021-09-21Medium elis531989Eli Salem
@online{salem:20210921:squirrel:1254a9d, author = {Eli Salem}, title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}}, date = {2021-09-21}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9}, language = {English}, urldate = {2021-09-22} } The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle
2021-09-18Security Soup BlogRyan Campbell
@online{campbell:20210918:squirrelwaffle:5790d40, author = {Ryan Campbell}, title = {{“Squirrelwaffle” Maldoc Analysis}}, date = {2021-09-18}, organization = {Security Soup Blog}, url = {https://security-soup.net/squirrelwaffle-maldoc-analysis/}, language = {English}, urldate = {2021-09-20} } “Squirrelwaffle” Maldoc Analysis
Squirrelwaffle
2021-09-17Malware Traffic AnalysisBrad Duncan
@online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
Yara Rules
[TLP:WHITE] win_squirrelwaffle_auto (20230125 | Detects win.squirrelwaffle.)
rule win_squirrelwaffle_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.squirrelwaffle."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3bc8 777c 8d040a 895d08 }
            // n = 4, score = 700
            //   3bc8                 | cmp                 ecx, eax
            //   777c                 | ja                  0x7e
            //   8d040a               | lea                 eax, [edx + ecx]
            //   895d08               | mov                 dword ptr [ebp + 8], ebx

        $sequence_1 = { 8b75e8 8b7dd4 3bc8 0f8594000000 8d45ef }
            // n = 5, score = 700
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   8b7dd4               | mov                 edi, dword ptr [ebp - 0x2c]
            //   3bc8                 | cmp                 ecx, eax
            //   0f8594000000         | jne                 0x9a
            //   8d45ef               | lea                 eax, [ebp - 0x11]

        $sequence_2 = { 50 51 8b4b38 8d45cc 50 8d45f0 }
            // n = 6, score = 700
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8b4b38               | mov                 ecx, dword ptr [ebx + 0x38]
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_3 = { 51 0f434508 8d8d40ffffff 6a02 }
            // n = 4, score = 700
            //   51                   | push                ecx
            //   0f434508             | cmovae              eax, dword ptr [ebp + 8]
            //   8d8d40ffffff         | lea                 ecx, [ebp - 0xc0]
            //   6a02                 | push                2

        $sequence_4 = { 8db5f8fbffff 8d34c6 837e1410 8bc6 7202 8b06 8d8d84f7ffff }
            // n = 7, score = 700
            //   8db5f8fbffff         | lea                 esi, [ebp - 0x408]
            //   8d34c6               | lea                 esi, [esi + eax*8]
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   8bc6                 | mov                 eax, esi
            //   7202                 | jb                  4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d8d84f7ffff         | lea                 ecx, [ebp - 0x87c]

        $sequence_5 = { e8???????? 83c408 c785f0f6ffff00000000 c785f4f6ffff0f000000 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c785f0f6ffff00000000     | mov    dword ptr [ebp - 0x910], 0
            //   c785f4f6ffff0f000000     | mov    dword ptr [ebp - 0x90c], 0xf

        $sequence_6 = { e8???????? bb3e000000 83ef01 75ae 8bc6 8b4df4 }
            // n = 6, score = 700
            //   e8????????           |                     
            //   bb3e000000           | mov                 ebx, 0x3e
            //   83ef01               | sub                 edi, 1
            //   75ae                 | jne                 0xffffffb0
            //   8bc6                 | mov                 eax, esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_7 = { 0b4510 7507 b804000000 eb02 33c0 51 50 }
            // n = 7, score = 700
            //   0b4510               | or                  eax, dword ptr [ebp + 0x10]
            //   7507                 | jne                 9
            //   b804000000           | mov                 eax, 4
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_8 = { 8d8d70f9ffff e8???????? 8d4d08 e8???????? }
            // n = 4, score = 700
            //   8d8d70f9ffff         | lea                 ecx, [ebp - 0x690]
            //   e8????????           |                     
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   e8????????           |                     

        $sequence_9 = { 8b95f4fdfeff 83fa10 722f 8b8de0fdfeff 42 }
            // n = 5, score = 700
            //   8b95f4fdfeff         | mov                 edx, dword ptr [ebp - 0x1020c]
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8de0fdfeff         | mov                 ecx, dword ptr [ebp - 0x10220]
            //   42                   | inc                 edx

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules