Thursday, February 6, 2025

The Latest Malicious Actor: “Squirrelwaffle” Malicious Doc.


Authored By Kiran Raj

Because of their widespread use, Office documents are commonly used by malicious actors as a way to distribute their malware. McAfee Labs has observed a new threat, "Squirrelwaffle", one such emerging malware family that was seen using Office documents in mid-September to infect systems with CobaltStrike.

In this blog, we take a quick look at the SquirrelWaffle malicious document and walk through the initial infection vector.

Geolocation-based statistics of the Squirrelwaffle malicious document observed by McAfee from September 2021:

Figure-1: Geo-based stats of SquirrelWaffle Malicious Doc

Infection Chain

  1. The initial attack vector is a phishing email with a malicious link hosting malicious docs.
  2. On clicking the URL, a ZIP-archived malicious document is downloaded.
  3. The malicious document is weaponized with an AutoOpen VBA function. Upon opening the malicious document, it drops a VBS file containing obfuscated PowerShell.
  4. The dropped VBS script is invoked via cscript.exe to download malicious DLLs.
  5. The downloaded DLLs are executed via rundll32.exe with the export function "ldr" as argument.

Figure-2: Infection Chain

Malicious Document Analysis

Here is how the face of the document looks when we open it (Figure-3). By default, Microsoft Office disables macros from running. The malware authors are aware of this and hence present a lure image that tricks the victims into enabling the macros.

Figure-3: Image of Word Document Face

UserForms and VBA

The VBA UserForm Label elements present in the Word document (Figure-4) are used to store all the content required for the VBS file. In Figure-3, we can see the UserForm's LabelBox "t2" has VBS code in its caption.

Subroutine "eFile()" retrieves the LabelBox captions, writes them to C:\Programdata\Pin.vbs and executes the file using cscript.exe.

Cmd line: cmd /c cscript.exe C:\Programdata\Pin.vbs

Figure-4: Image of Userforms and VBA

VBS Script Analysis

The dropped VBS script is obfuscated (Figure-5) and contains 5 URLs that host payloads. The script runs in a loop to download the payloads using PowerShell and writes them to the C:\Programdata location in the format /www-[1-5].dll/. Once the payloads are downloaded, they are executed using rundll32.exe with the export function name "ldr" as parameter.

Figure-5: Obfuscated VBS script

De-obfuscated VBS script

VBS script after de-obfuscation (Figure-6)

Figure-6: De-obfuscated VBS script

MITRE ATT&CK

Different techniques and tactics are used by the malware, and we mapped these to the MITRE ATT&CK framework.

  • Command and Scripting Interpreter (T1059)

The malicious document's VBA drops and invokes the VBS script.

CMD: cscript.exe C:\ProgramData\pin.vbs

  • Signed Binary Proxy Execution (T1218)

Rundll32.exe is used to execute the dropped payload.

CMD: rundll32.exe C:\ProgramData\www1.dll,ldr
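As an added example (not code from the original post or from McAfee), the following Python script turns the two ATT&CK mappings above, together with the infection-chain steps, into detection rules run over process-creation events. The sample events, the Sysmon-style field names and the rule names are constructed for this example; only the cscript.exe and rundll32.exe command lines mirror the ones documented in the post.

```python
"""Hunting the Squirrelwaffle execution chain in process-creation telemetry.

Added example, not code from the original post.  The events below are
constructed to mirror the command lines the post documents, and the field
names follow a Sysmon Event ID 1 style layout (an assumption of this example).
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe"}

# Scripts or DLLs referenced under C:\ProgramData, where the post says the
# dropper writes Pin.vbs and the www[1-5].dll payloads.
PROGRAMDATA_RE = re.compile(r"c:\\programdata\\[^\s\"]+\.(?:vbs|js|dll|ps1)", re.I)
# "rundll32.exe <dll>,<export>", as in the post's "rundll32.exe C:\ProgramData\www1.dll,ldr".
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\s\",]+\.dll)\"?\s*,\s*(?P<export>\w+)", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[dict]:
    """Return one finding per matched rule for a single process-creation event."""
    parent, image, cmd = _base(ev.parent_image), _base(ev.image), ev.command_line
    findings: list[dict] = []

    # Rule 1 (T1059): an Office application spawning a script host or shell,
    # the first visible step after the victim enables macros.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append({"technique": "T1059", "rule": "office_spawns_script_host",
                         "evidence": f"{parent} -> {image}"})

    # Rule 2 (T1059): a script host or shell whose command line references a
    # script or DLL under C:\ProgramData (the dropped Pin.vbs, the fetched DLLs).
    if image in SCRIPT_HOSTS:
        for path in PROGRAMDATA_RE.findall(cmd):
            findings.append({"technique": "T1059", "rule": "script_host_programdata_path",
                             "evidence": path})

    # Rule 3 (T1059): the VBS stage launching PowerShell to fetch the payloads.
    if parent in {"cscript.exe", "wscript.exe"} and image == "powershell.exe":
        findings.append({"technique": "T1059", "rule": "script_host_spawns_powershell",
                         "evidence": f"{parent} -> {image}"})

    # Rule 4 (T1218): rundll32.exe proxying execution of a DLL in C:\ProgramData
    # by named export, exactly the ",ldr" invocation the post shows.
    if image == "rundll32.exe":
        m = RUNDLL_RE.search(cmd)
        if m and "programdata" in m.group("dll").lower():
            findings.append({"technique": "T1218", "rule": "rundll32_programdata_export",
                             "evidence": m.group("dll"), "export": m.group("export")})

    for f in findings:
        f["command_line"] = cmd
    return findings


def scan(events: list[ProcessEvent]) -> list[dict]:
    """Run every rule over a batch of events and flatten the findings."""
    return [f for ev in events for f in classify(ev)]


# Constructed sample telemetry: three events tracing the chain described in
# the post, followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                 "C:\\Windows\\System32\\cmd.exe",
                 r"cmd /c cscript.exe C:\ProgramData\Pin.vbs"),
    ProcessEvent("C:\\Windows\\System32\\cscript.exe",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 r'powershell.exe -NoProfile -Command "<download step redacted> C:\ProgramData\www1.dll"'),
    ProcessEvent("C:\\Windows\\System32\\cscript.exe",
                 "C:\\Windows\\System32\\rundll32.exe",
                 r"rundll32.exe C:\ProgramData\www1.dll,ldr"),
    ProcessEvent("C:\\Windows\\explorer.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" invoice.docx'),
    ProcessEvent("C:\\Windows\\System32\\svchost.exe",
                 "C:\\Windows\\System32\\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["technique"], finding["rule"], finding["evidence"])
```

Run as-is, the script reports five findings for the three chain events (Word spawning cmd.exe, cscript.exe launching PowerShell, and rundll32.exe loading a ProgramData DLL via the "ldr" export) and nothing for the two benign events. The rules key on parent/child relationships and on the ProgramData path rather than on file hashes, so they still fire when the payload names or hashes listed in the IOC section change.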

IOC

Type: Main Word Document
Value: 195eba46828b9dfde47ffecdf61d9672db1a8bf13cd9ff03b71074db458b6cdf
Scanner: ENS, WSS
Detection Name: W97M/Downloader.dsl

Type: Downloaded DLL
Value: 85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939
Scanner: ENS, WSS
Detection Name: RDN/Squirrelwaffle

Type: URLs to download DLL
Value:
  • priyacareers.com
  • bussiness-z.ml
  • cablingpoint.com
  • bonus.corporatebusinessmachines.co.in
  • perfectdemos.com
Scanner: WebAdvisor
Detection Name: Blocked

