{"id":7031,"date":"2021-09-29T15:53:25","date_gmt":"2021-09-29T22:53:25","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7031"},"modified":"2024-08-07T12:18:54","modified_gmt":"2024-08-07T19:18:54","slug":"reply-chain-threadjacking-campaign-delivers-squirrelwaffle-loader-and-cobalt-strike","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/reply-chain-threadjacking-campaign-delivers-squirrelwaffle-loader-and-cobalt-strike\/","title":{"rendered":"Reply-Chain Threadjacking Campaign Delivers Squirrelwaffle Loader and Cobalt Strike"},"content":{"rendered":"

Author: Seth Williams<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

On 13 September, security researchers discovered a malicious phishing campaign that uses reply-chain threadjacking to distribute a downloader known as Squirrelwaffle: an emerging threat that is delivered on the TR botnet and has the same infrastructure as that of the QakBot banking trojan.1<\/sup><\/p>\n

2. Customer impact<\/h3>\n

Squirrelwaffle downloads the commercial penetration-testing product Cobalt Strike and uses it to deploy Beacon:2<\/sup> a program that lets attackers carry out command execution, key logging, file transfer, privilege escalation, port scanning, lateral movement, and other post-exploitation functions.3<\/sup><\/p>\n

3. Campaign analysis<\/h3>\n

This campaign uses reply-chain threadjacking, where the malspam spoofs a legitimate user and impersonates a reply to an existing email. The same technique has been used in Emotet and QakBot campaigns.4<\/sup> The body of the email contains a URL that, when clicked, downloads a ZIP archive containing a malicious Microsoft Excel or Word document named as diagram-{number}<\/i>, where number<\/i> is a set of random digits.<\/p>\n

4. Attack chain<\/h3>\n

After extracting and opening the downloaded file, the victim is prompted to enable content. If the victim complies, the content runs a macro, which executes a VBS file via cscript.exe. This VBS file contains an obfuscated PowerShell script, which attempts to connect to one of several command and control (C&C) sites. Upon connecting, the script downloads Squirrelwaffle in the form of a DLL file: a loader that attempts to download Cobalt Strike.5<\/sup><\/p>\n

\"\"<\/a><\/p>\n

5. Vulnerabilities and mitigation<\/h3>\n

Malspam campaigns are a common distribution method for malware. Infoblox recommends the following precautions:<\/p>\n