SquirrelWaffle Malware Loader Causes Storm In Office365 Spam

SqurrelWaffle, a new malware loader, is firing out malware-loaded Microsoft Office documents to deliver Qakbot malware and the penetration-testing tool Cobalt Strike. Cisco Talos researchers said in a post last week they learned of the campaign in mid-September, when they spotted SquirrelWaffle in the initial stage of the infection chain.

The SquirrelWaffle campaign uses stolen email threads to appear as replies within those threads – A tactic identical to how Emotet malware spreads.

“The campaigns themselves feature several similar characteristics to the campaigns previously seen associated with established threats like Emotet,” Cisco Talos researchers explained.

“Due to the prevalence of these campaigns, organizations should be aware of SQUIRRELWAFFLE and the way it could be used by attackers to further compromise corporate networks,” they advised.

The SquirrelWaffle emails contain hyperlinks to malicious ZIP archives hosting the infected files on hacker-controlled web servers.

Most of the messages – 76 percent – are written in English. But the language used in the reply message shifts to match what was used in the original email thread, “demonstrating that there is some localization taking place dynamically,” Cisco Talos said. Besides English, the top five languages being used also include French, German, Dutch and Polish.

SquirrelWaffle isn’t quite as prolific as Emotet, at least not yet. However, the campaign has been growing steadily, as seen in the graph from Cisco Talos below.

“While the volume associated with these campaigns is not yet reaching the same level seen previously with threats like Emotet, it appears to be fairly consistent and may increase over time as the adversaries infect more users and increase the size of their botnet,” Cisco Talos predicted.

Researches noted that the malicious documents were crafted using some kind of automated builder. For example, in the recent campaigns, “the Microsoft Excel spreadsheets were crafted to make static analysis with tools like XLMDeobfuscator less effective,” they said.

The earliest files were submitted to public malware repositories on Sept. 10. Three days later, the campaign volume began to ramp up and “has been characterized by daily spam runs observed since then,” according to the writeup.

There are more signs that automation plays a part in the campaign.

“The URL structure of the SQUIRRELWAFFLE distribution servers appears somewhat tied to the daily campaigns, and rotates every few days,” according to the analysis.

Cisco Talos gave the example of the table, shown below, which depicts variance in the URL landing pages seen over a period of several days.


“This rotation is also reflected in the maldoc macros themselves, with the macro function names and hashes rotating at the same time,” the researchers added.

When a target falls for one of the emails and follows through on the link, they may download one of the loaded Office files – which have been split between Word and Excel files.

After opening whichever they receive, the SquirrelWaffle payload will be deployed.

In all of the SquirrelWaffle campaigns seen so far, the rigged links used to host the ZIP archives contain Latin words and follow a URL structure similar to this one:


But in many cases, the campaign includes separate ZIP archives being hosted in different directories on the same domain. Inside of the ZIP archives, the malicious Office files often follow a naming convention similar to these examples:

  • chart-1187900052.xls
  • diagram-127.doc
  • diagram_1017101088.xls
  • Specification-1001661454.xls

It is believed the attack servers live on compromised WordPress sites.

The malware distribution campaigns are apparently jumping on previously compromised web servers: primarily those running versions of WordPress, with the most prevalent compromised version being WordPress 5.8.1.

Cisco Talos said that while the SquirrelWaffle threat is relatively new, the workings – including the distribution campaigns, infrastructure and command-and-control (C2) implementations – have a lot in common with those seen from other, more established threat actors.

“Organizations should continue to employ comprehensive defense-in-depth security controls to ensure that they can prevent, detect, or respond to SQUIRRELWAFFLE campaigns that may be encountered in their environments,” they recommended.

Protection Against SquirrelWaffle

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.