Skip to content

S1030 Squirrelwaffle

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.12

Item Value
ID S1030
Associated Names
Type MALWARE
Version 1.0
Created 09 August 2022
Last Modified 26 August 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Squirrelwaffle has used HTTP POST requests for C2 communications.1
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method Squirrelwaffle has encrypted collected data using a XOR-based algorithm.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Squirrelwaffle has used PowerShell to execute its payload.12
enterprise T1059.003 Windows Command Shell Squirrelwaffle has used cmd.exe for execution.2
enterprise T1059.005 Visual Basic Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an AutoOpen subroutine.12
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Squirrelwaffle has encoded its communications to C2 servers using Base64.1
enterprise T1140 Deobfuscate/Decode Files or Information Squirrelwaffle has decrypted files and payloads using a XOR-based algorithm.12
enterprise T1041 Exfiltration Over C2 Channel Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.1
enterprise T1105 Ingress Tool Transfer Squirrelwaffle has downloaded and executed additional encoded payloads.12
enterprise T1027 Obfuscated Files or Information Squirrelwaffle has been obfuscated with a XOR-based algorithm.12
enterprise T1027.002 Software Packing Squirrelwaffle has been packed with a custom packer to hide payloads.12
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails.2
enterprise T1566.002 Spearphishing Link Squirrelwaffle has been distributed through phishing emails containing a malicious URL.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 Squirrelwaffle has been executed using regsvr32.exe.1
enterprise T1218.011 Rundll32 Squirrelwaffle has been executed using rundll32.exe.12
enterprise T1082 System Information Discovery Squirrelwaffle has gathered victim computer information and configurations.1
enterprise T1016 System Network Configuration Discovery Squirrelwaffle has collected the victim’s external IP address.1
enterprise T1033 System Owner/User Discovery Squirrelwaffle can collect the user name from a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Squirrelwaffle has relied on victims to click on a malicious link send via phishing campaigns.1
enterprise T1204.002 Malicious File Squirrelwaffle has relied on users enabling malicious macros within Microsoft Excel and Word attachments.12
enterprise T1497 Virtualization/Sandbox Evasion Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.12

References

  1. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  2. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.