SYMBOLCOMMON_NAMEaka. SYNONYMS
win.squirrelwaffle (Back to overview)

Squirrelwaffle

aka: DatopLoader

According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.

References
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-15SophosMatthew Everts, Stephen McNally
@online{everts:20220215:vulnerable:9c3b451, author = {Matthew Everts and Stephen McNally}, title = {{Vulnerable Exchange server hit by Squirrelwaffle and financial fraud}}, date = {2022-02-15}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/}, language = {English}, urldate = {2022-02-17} } Vulnerable Exchange server hit by Squirrelwaffle and financial fraud
Squirrelwaffle
2022-01-11CybereasonOmri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
@online{refaeli:20220111:threat:fd22089, author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro}, title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}}, date = {2022-01-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike}, language = {English}, urldate = {2022-01-18} } Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-12-16Red CanaryThe Red Canary Team
@online{team:20211216:intelligence:f7bad55, author = {The Red Canary Team}, title = {{Intelligence Insights: December 2021}}, date = {2021-12-16}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-december-2021}, language = {English}, urldate = {2021-12-31} } Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-11-29CertitudePeter Wagner
@online{wagner:20211129:unpatched:4047c05, author = {Peter Wagner}, title = {{Unpatched Exchange Servers distribute Phishing Links (SquirrelWaffle)}}, date = {2021-11-29}, organization = {Certitude}, url = {https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/}, language = {English}, urldate = {2021-12-06} } Unpatched Exchange Servers distribute Phishing Links (SquirrelWaffle)
Squirrelwaffle
2021-11-26Twitter (@jhencinski)Jon Hencinski
@online{hencinski:20211126:twitter:ca58fb5, author = {Jon Hencinski}, title = {{Twitter Thread on weelky MDR recap from expel.io}}, date = {2021-11-26}, organization = {Twitter (@jhencinski)}, url = {https://twitter.com/jhencinski/status/1464268732096815105}, language = {English}, urldate = {2021-11-29} } Twitter Thread on weelky MDR recap from expel.io
GootKit Squirrelwaffle
2021-11-19Trend MicroMohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78, author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar}, title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}}, date = {2021-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html}, language = {English}, urldate = {2021-11-25} } Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-18Red CanaryThe Red Canary Team
@online{team:20211118:intelligence:7b00cb9, author = {The Red Canary Team}, title = {{Intelligence Insights: November 2021}}, date = {2021-11-18}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-november-2021/}, language = {English}, urldate = {2021-11-19} } Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-11BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211111:threat:7b2544e, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: SquirrelWaffle Takes a Bite Out of Victim's Bank Accounts}}, date = {2021-11-11}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader}, language = {English}, urldate = {2021-11-17} } Threat Thursday: SquirrelWaffle Takes a Bite Out of Victim's Bank Accounts
Squirrelwaffle
2021-11-11SentinelOneNiranjan Jayanand
@online{jayanand:20211111:is:b8f1a8b, author = {Niranjan Jayanand}, title = {{Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader}}, date = {2021-11-11}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/}, language = {English}, urldate = {2021-11-12} } Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader
Squirrelwaffle
2021-11-10McAfeeKiran Raj
@online{raj:20211110:newest:c1f7fd2, author = {Kiran Raj}, title = {{The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.}}, date = {2021-11-10}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/}, language = {English}, urldate = {2021-11-12} } The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.
Squirrelwaffle
2021-11-09MinervaLabsMinerva Labs
@online{labs:20211109:new:411a8fd, author = {Minerva Labs}, title = {{A New DatopLoader Delivers QakBot Trojan}}, date = {2021-11-09}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan}, language = {English}, urldate = {2021-11-17} } A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-080ffset BlogChuong Dong
@online{dong:20211008:squirrelwaffle:4549cd1, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing The Main Loader}}, date = {2021-10-08}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle
2021-10-07NetskopeGustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-10-03Github (0xjxd)Joel Dönne
@techreport{dnne:20211003:squirrelwaffle:3a35566, author = {Joel Dönne}, title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}}, date = {2021-10-03}, institution = {Github (0xjxd)}, url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf}, language = {English}, urldate = {2021-10-07} } SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-10-010ffset BlogChuong Dong
@online{dong:20211001:squirrelwaffle:24c9b06, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}}, date = {2021-10-01}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle
2021-09-28ZscalerAvinash Kumar, Brett Stone-Gross
@online{kumar:20210928:squirrelwaffle:9b1cffc, author = {Avinash Kumar and Brett Stone-Gross}, title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}}, date = {2021-09-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike}, language = {English}, urldate = {2021-10-11} } Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-28Twitter (@Max_Mal_)Max Malyutin
@online{malyutin:20210928:how:139921e, author = {Max Malyutin}, title = {{Tweet on how to debug SquirrelWaffle}}, date = {2021-09-28}, organization = {Twitter (@Max_Mal_)}, url = {https://twitter.com/Max_Mal_/status/1442496131410190339}, language = {English}, urldate = {2021-09-28} } Tweet on how to debug SquirrelWaffle
Squirrelwaffle
2021-09-27Youtube (OALabs)Sergei Frankoff
@online{frankoff:20210927:live:83ccb1f, author = {Sergei Frankoff}, title = {{Live Coding A Squirrelwaffle Malware Config Extractor}}, date = {2021-09-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=9X2P7aFKSw0}, language = {English}, urldate = {2021-10-05} } Live Coding A Squirrelwaffle Malware Config Extractor
Squirrelwaffle
2021-09-27CynetMax Malyutin
@online{malyutin:20210927:virtual:cd72501, author = {Max Malyutin}, title = {{A Virtual Baffle to Battle Squirrelwaffle}}, date = {2021-09-27}, organization = {Cynet}, url = {https://www.cynet.com/understanding-squirrelwaffle/}, language = {English}, urldate = {2021-09-28} } A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle
2021-09-21Medium elis531989Eli Salem
@online{salem:20210921:squirrel:1254a9d, author = {Eli Salem}, title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}}, date = {2021-09-21}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9}, language = {English}, urldate = {2021-09-22} } The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle
2021-09-18Security Soup BlogRyan Campbell
@online{campbell:20210918:squirrelwaffle:5790d40, author = {Ryan Campbell}, title = {{“Squirrelwaffle” Maldoc Analysis}}, date = {2021-09-18}, organization = {Security Soup Blog}, url = {https://security-soup.net/squirrelwaffle-maldoc-analysis/}, language = {English}, urldate = {2021-09-20} } “Squirrelwaffle” Maldoc Analysis
Squirrelwaffle
2021-09-17Malware Traffic AnalysisBrad Duncan
@online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
Yara Rules
[TLP:WHITE] win_squirrelwaffle_auto (20220808 | Detects win.squirrelwaffle.)
rule win_squirrelwaffle_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.squirrelwaffle."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 6888020000 c745fc00000000 6a00 c7459088020000 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   6888020000           | push                0x288
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   6a00                 | push                0
            //   c7459088020000       | mov                 dword ptr [ebp - 0x70], 0x288

        $sequence_1 = { 0f435520 8d8d40ffffff e8???????? 83c404 8d8d44ffffff e8???????? 85c0 }
            // n = 7, score = 700
            //   0f435520             | cmovae              edx, dword ptr [ebp + 0x20]
            //   8d8d40ffffff         | lea                 ecx, [ebp - 0xc0]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d8d44ffffff         | lea                 ecx, [ebp - 0xbc]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_2 = { 83c40c 8b36 ba???????? 85f6 0f853cffffff 8b7d88 }
            // n = 6, score = 700
            //   83c40c               | add                 esp, 0xc
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   ba????????           |                     
            //   85f6                 | test                esi, esi
            //   0f853cffffff         | jne                 0xffffff42
            //   8b7d88               | mov                 edi, dword ptr [ebp - 0x78]

        $sequence_3 = { 8d040a 03c7 50 8b4508 03c2 50 }
            // n = 6, score = 700
            //   8d040a               | lea                 eax, [edx + ecx]
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   03c2                 | add                 eax, edx
            //   50                   | push                eax

        $sequence_4 = { 772c 837b1410 8b7de4 8d0439 894310 }
            // n = 5, score = 700
            //   772c                 | ja                  0x2e
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   8d0439               | lea                 eax, [ecx + edi]
            //   894310               | mov                 dword ptr [ebx + 0x10], eax

        $sequence_5 = { 8b0d???????? 33c0 8945e0 8d5de8 }
            // n = 4, score = 700
            //   8b0d????????         |                     
            //   33c0                 | xor                 eax, eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d5de8               | lea                 ebx, [ebp - 0x18]

        $sequence_6 = { 50 8b4508 50 03c1 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   03c1                 | add                 eax, ecx

        $sequence_7 = { 8b3d???????? 660f1f440000 ff734c 0fbe440eff 4e 50 ffd7 }
            // n = 7, score = 700
            //   8b3d????????         |                     
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   ff734c               | push                dword ptr [ebx + 0x4c]
            //   0fbe440eff           | movsx               eax, byte ptr [esi + ecx - 1]
            //   4e                   | dec                 esi
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_8 = { 0f4345d4 8b4dd0 2bf1 03f0 85f6 7e24 8b3d???????? }
            // n = 7, score = 700
            //   0f4345d4             | cmovae              eax, dword ptr [ebp - 0x2c]
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]
            //   2bf1                 | sub                 esi, ecx
            //   03f0                 | add                 esi, eax
            //   85f6                 | test                esi, esi
            //   7e24                 | jle                 0x26
            //   8b3d????????         |                     

        $sequence_9 = { 8bc7 81fe00100000 7216 8b7ffc }
            // n = 4, score = 700
            //   8bc7                 | mov                 eax, edi
            //   81fe00100000         | cmp                 esi, 0x1000
            //   7216                 | jb                  0x18
            //   8b7ffc               | mov                 edi, dword ptr [edi - 4]

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules