A spam campaign is distributing a previously undocumented malware loader that gives attackers a foothold in enterprise networks and a means of planting additional payloads on compromised systems. The campaign began in the second half of September 2021 and relies on malicious Microsoft Office documents: when a recipient opens the attachment, it triggers an infection chain that installs the loader, tracked as SQUIRRELWAFFLE.
“These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world,” said researchers with Cisco Talos in a technical write-up.
Like other recent phishing campaigns, this one hijacks stolen email threads: the malicious message is sent as a reply inside an existing conversation, so it inherits the thread's apparent legitimacy and lures recipients into opening the attachment.
The reply is written in the same language as the original thread. The top five languages used to deliver the loader are English (76%), followed by French (10%), German (7%), Dutch (4%), and Polish (3%).
The payloads are hosted on previously compromised web servers, many of them running the WordPress content management system (CMS), which serve as the distribution infrastructure. A notable detail is the use of “anti-bot” scripts on those servers: requests that appear to come from automated analysis platforms or security research organizations are refused, and only requests originating from victim IP addresses receive the malware. A sandbox or crawler that follows the download link therefore sees a dead link rather than the payload.
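The following Python model, added here as an illustration and not taken from the Talos or Zscaler reports, shows the effect of such an IP-gated download server and the differential check an analyst can run against it: fetch the same URL from an address the gate treats as an analysis source and from one it treats as a victim, and compare. The network ranges (RFC 5737 documentation blocks), the path `/download/doc.zip`, and the payload bytes are constructed placeholders for whatever blocklist and resource a real gate carries.

```python
"""Model of an IP-gated ("anti-bot") payload server plus a differential
fetch check that tells gating apart from a genuinely dead link.

Added illustration; not code from the campaign or the cited reports.
All ranges, paths and payload bytes are constructed examples.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed blocklist. Real scripts carry ranges belonging to sandboxes,
# scanners and security vendors; RFC 5737 documentation blocks stand in here.
ANALYSIS_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed stand-in for the hosted payload (not a real file).
PAYLOAD = b"PK\x03\x04constructed-archive-bytes"

# Constructed resource path served by the model gate.
PAYLOAD_PATH = "/download/doc.zip"


def is_analysis_source(src_ip: str) -> bool:
    """True when the requesting address falls inside a blocked range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ANALYSIS_NETWORKS)


def gated_server(src_ip: str, path: str) -> Tuple[int, bytes]:
    """Model of the gate: (status, body) as a victim or an analyst would see it.

    Addresses in the blocklist get the same answer as a request for a
    nonexistent resource, so an automated platform records a dead link
    and is likely to file the sample as benign.
    """
    if path != PAYLOAD_PATH:
        return 404, b""
    if is_analysis_source(src_ip):
        return 404, b""
    return 200, PAYLOAD


def fetch_from_vantage_points(
    server: Callable[[str, str], Tuple[int, bytes]],
    path: str,
    vantage_ips: List[str],
) -> Dict[str, Tuple[int, bytes]]:
    """Request the same path from several source addresses."""
    return {ip: server(ip, path) for ip in vantage_ips}


def classify_url(responses: Dict[str, Tuple[int, bytes]]) -> str:
    """'open' if every vantage point got content, 'dead' if none did,
    'gated' if the answer depends on where the request came from."""
    statuses = {status for status, _ in responses.values()}
    if statuses == {200}:
        return "open"
    if 200 not in statuses:
        return "dead"
    return "gated"


if __name__ == "__main__":
    vantage = ["203.0.113.5", "192.0.2.10"]  # blocked range vs. "victim" range
    result = fetch_from_vantage_points(gated_server, PAYLOAD_PATH, vantage)
    for ip, (status, body) in result.items():
        print(f"{ip}: HTTP {status}, {len(body)} bytes")
    print("verdict:", classify_url(result))
```

The practical lesson is that a 404 from a sandbox or a vendor egress range is not evidence that the link is dead; repeat the fetch from an address the gate is unlikely to have listed (for example a residential or cloud egress not associated with security tooling) before closing the case.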
“After the Emotet botnet takedown earlier this year, criminal threat actors are filling that void,” Zscaler noted in an analysis of the same malware last month. “SQUIRRELWAFFLE appears to be a new loader taking advantage of this gap. It is not yet clear if SQUIRRELWAFFLE is developed and distributed by a known threat actor or a new group. However, similar distribution techniques were previously used by Emotet.”