Authored By Kiran Raj
Because of their widespread use, Office documents are commonly used by threat actors as a way to distribute their malware. McAfee Labs has observed a new threat, "Squirrelwaffle", an emerging malware family that was seen in mid-September using Office documents to infect systems with Cobalt Strike.
In this blog, we take a quick look at the SquirrelWaffle malicious document and walk through the initial infection vector.
Geolocation-based stats of Squirrelwaffle malicious documents observed by McAfee from September 2021

Infection Chain
- The initial attack vector is a phishing email with a malicious link hosting malicious documents
- On clicking the URL, a ZIP-archived malicious document is downloaded
- The malicious document is weaponized with an AutoOpen VBA function. Upon opening the malicious document, it drops a VBS file containing obfuscated PowerShell
- The dropped VBS script is invoked via cscript.exe to download malicious DLLs
- The downloaded DLLs are executed via rundll32.exe with the export function "ldr" as argument

Malicious Document Analysis
Here is how the document looks when we open it (Figure 3). Macros are disabled from running by default in Microsoft Office. The malware authors are aware of this and therefore present a lure image that tricks victims into enabling the macros.

UserForms and VBA
The VBA UserForm Label elements present in the Word document (Figure 4) are used to store all the content required for the VBS file. In Figure 3, we can see that the UserForm's label box "t2" has VBS code in its caption.
The subroutine "eFile()" retrieves the label box captions, writes them to C:\Programdata\Pin.vbs and executes that file using cscript.exe
Cmd line: cmd /c cscript.exe C:\Programdata\Pin.vbs
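The eFile() pattern above (caption text pulled out of a UserForm label, written to a .vbs under ProgramData, run through cscript.exe) is what a static macro triage should score highly. The following is an added example written for this post, not McAfee's tooling: it assumes the VBA source has already been extracted from the document (for instance with olevba from python-oletools) and is passed in as a string. The two macro samples, the rule names and the weights are constructed for illustration.

```python
"""Score extracted VBA source for the UserForm-caption -> VBS -> cscript dropper pattern."""
import re

# (rule name, pattern, weight). Names and weights are assumptions for this example.
RULES = [
    ("auto_exec",        re.compile(r"\bAuto(Open|Exec)\b|\bDocument_Open\b", re.I), 2),
    ("userform_caption", re.compile(r"\.\s*Caption\b", re.I), 2),
    ("fso_write",        re.compile(r"Scripting\.FileSystemObject|CreateTextFile|\.Write(Line)?\b", re.I), 2),
    ("vbs_drop",         re.compile(r"\.vbs\b", re.I), 2),
    ("programdata",      re.compile(r"ProgramData", re.I), 1),
    ("script_host",      re.compile(r"\b(w|c)script(\.exe)?\b", re.I), 2),
    ("shell_exec",       re.compile(r"\bShell\b|WScript\.Shell|\.Run\b|\.Exec\b", re.I), 1),
]


def triage_vba(source: str):
    """Return (score, {rule: match_count}) for one macro source text.

    Each rule contributes its weight once, however many times it matches;
    the per-rule counts are returned separately so an analyst can see why.
    """
    hits = {}
    for name, pattern, _weight in RULES:
        count = len(pattern.findall(source))
        if count:
            hits[name] = count
    score = sum(weight for name, _pattern, weight in RULES if name in hits)
    return score, hits


def is_suspicious(source: str, threshold: int = 8) -> bool:
    """Flag a macro whose weighted score reaches the (assumed) threshold."""
    return triage_vba(source)[0] >= threshold


# Constructed fragment reflecting the pattern described in the post (glue omitted).
SAMPLE_VBA = """
Sub AutoOpen()
    eFile          ' entry point fires when the document opens
End Sub
Sub eFile()
    ' ... builds a path under ProgramData ending in Pin.vbs ...
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' ... caption text from UserForm label t2 is written out ...
    f.Write t2.Caption
    ' ... runs cscript.exe on the written file ...
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_VBA = """
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        score, hits = triage_vba(src)
        print(f"{label}: score={score} suspicious={is_suspicious(src)} hits={hits}")
```

The keyword list deliberately overlaps with what olevba reports as "suspicious" keywords; the added value of scoring is that the combination (auto-exec entry point plus caption read plus file write plus script host) is what separates this dropper from a macro that merely uses the file system.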

VBS Script Analysis
The dropped VBS script is obfuscated (Figure 5) and contains 5 URLs that host payloads. The script runs in a loop, downloading the payloads using PowerShell and writing them to the C:\Programdata location in the format /www-[1-5].dll/. Once the payloads are downloaded, they are executed using rundll32.exe with the export function name "ldr" as the parameter

De-obfuscated VBS script
VBS script after de-obfuscation (Figure 6)

MITRE ATT&CK
Different techniques and tactics are used by the malware, and we mapped these to the MITRE ATT&CK framework.
- Command and Scripting Interpreter (T1059)
The malicious document's VBA drops and invokes a VBS script.
CMD: cscript.exe C:\ProgramData\pin.vbs
- Signed Binary Proxy Execution (T1218)
Rundll32.exe is used to execute the dropped payload
CMD: rundll32.exe C:\ProgramData\www1.dll,ldr
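The VBS analysis and the two ATT&CK mappings above describe one process chain: Word to cmd.exe to cscript.exe on a .vbs under ProgramData, cscript spawning PowerShell to fetch DLLs, and rundll32.exe loading a ProgramData DLL by the export "ldr". The following is an added example, not McAfee's detection content, showing that chain as rules run over process-creation events. It assumes each event has been flattened to a single `key=value|key=value` line with ParentImage, Image and CommandLine fields (a simplified Sysmon Event ID 1 shape); the six event lines are constructed, and the rule names are my own.

```python
"""Flag the Squirrelwaffle execution chain in simplified process-creation events."""
import re

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SPAWNED_INTERPRETERS = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}

# cscript/wscript running a .vbs that lives under ProgramData (any casing)
PROGRAMDATA_VBS = re.compile(r"programdata\\\S+\.vbs\b", re.I)
# rundll32 loading a ProgramData DLL and calling the export "ldr"
PROGRAMDATA_DLL_LDR = re.compile(r"programdata\\[^,\s]+\.dll\s*,\s*ldr\b", re.I)


def parse_event(line: str) -> dict:
    """Split 'key=value|key=value' into a dict (first '=' only, values may contain '=')."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event: dict):
    """Yield the names of every rule the event satisfies, in a fixed order."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    if parent in OFFICE_HOSTS and image in SPAWNED_INTERPRETERS:
        yield "office_spawns_script_host"
    if image in SCRIPT_HOSTS and PROGRAMDATA_VBS.search(cmdline):
        yield "script_host_runs_programdata_vbs"
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        yield "script_host_spawns_powershell"
    if image == "rundll32.exe" and PROGRAMDATA_DLL_LDR.search(cmdline):
        yield "rundll32_programdata_export_ldr"


def detect(lines):
    """Return [(event_index, rule_name), ...] for every rule hit across the input."""
    hits = []
    for idx, line in enumerate(lines):
        for rule in match_rules(parse_event(line)):
            hits.append((idx, rule))
    return hits


# Constructed events: the first four mirror the chain from the post, the last two are benign noise.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c cscript.exe C:\Programdata\Pin.vbs",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe C:\Programdata\Pin.vbs",
    r"ParentImage=C:\Windows\System32\cscript.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden (download step omitted)",
    r"ParentImage=C:\Windows\System32\cscript.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\ProgramData\www1.dll,ldr",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own would be noisy in a large environment (rundll32 with an export name is normal, and script hosts run from ProgramData by some installers); the point of keeping them separate is that two or more firing on the same host within a short window is what reproduces the chain in the infection diagram, and that is the condition worth alerting on.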
IOC
| Type | Value | Scanner | Detection Name |
|---|---|---|---|
| Main Word Document | 195eba46828b9dfde47ffecdf61d9672db1a8bf13cd9ff03b71074db458b6cdf | ENS, WSS | W97M/Downloader.dsl |
| Downloaded DLL | 85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939 | ENS, WSS | RDN/Squirrelwaffle |
| URLs to download DLL | priyacareers.com, bussiness-z.ml, cablingpoint.com, bonus.corporatebusinessmachines.co.in, perfectdemos.com | WebAdvisor | Blocked |