Squirrelwaffle Malware Used to Drop Cobalt Strike

Penetration testers and red teams favour Cobalt Strike because it lets them emulate the tooling and behaviour of a real criminal intrusion on an organization's network.

Unfortunately, criminals adopted it as well, and Cobalt Strike became a common second-stage payload delivered by a variety of malware families.

Squirrelwaffle, a new loader that gives threat actors an initial foothold and a means of distributing further malware onto compromised devices and networks, has been discovered in the wild.

The new malware spreads through spam campaigns; the most recent ones deliver Qakbot and Cobalt Strike as follow-on payloads.

Squirrelwaffle is one of the tools that surfaced as an Emotet substitute shortly after that widely used botnet was disrupted by law enforcement.

The New Threat Surfaced in September 2021

While the spam campaign predominantly relies on stolen reply-chain emails written in English, the threat actors also send emails in French, German, Dutch, and Polish.

These emails usually contain links to malicious ZIP archives hosted on attacker-controlled web domains, as well as a malicious .doc or .xls attachment that, once opened with macros enabled, runs code that retrieves the next-stage malware.

As BleepingComputer reports, in the documents examined by Talos researchers the attackers use the DocuSign electronic-signature service as a lure to persuade recipients to enable macros in Microsoft Office.
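The delivery chain described above (a reply-chain subject line, a link to a ZIP archive on an external host, or a legacy-format Office attachment that needs macros enabled) is easy to triage at the mail gateway. The following is an added example written for this article, not code from Heimdal, Talos or any Squirrelwaffle analysis. It parses RFC 822 messages with Python's standard `email` library and scores them on those indicators; the sample messages are constructed inline, and the trusted-host allowlist and the `badhost.example` domain are assumptions for the example.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Hosts the organisation considers its own; ZIP links elsewhere count as
# external. Assumed value for this example.
TRUSTED_HOSTS = {"example.com"}

# http(s) URL ending in .zip; group(1) is the host part.
ZIP_URL_RE = re.compile(r"https?://([\w.-]+)[^\s\"'<>]*\.zip\b", re.IGNORECASE)
# Extensions the article names, plus macro-enabled OOXML variants.
OFFICE_EXTS = {".doc", ".xls", ".docm", ".xlsm"}
# Magic bytes of a legacy OLE2 container (.doc/.xls), checked regardless of name.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage(raw: bytes) -> dict:
    """Extract the Squirrelwaffle-style indicators from one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"reply_chain": False, "zip_links": [], "office_attachments": []}

    subject = str(msg.get("Subject", "")).strip().lower()
    findings["reply_chain"] = subject.startswith(("re:", "fw:", "fwd:"))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for m in ZIP_URL_RE.finditer(text):
        if m.group(1).lower() not in TRUSTED_HOSTS:
            findings["zip_links"].append(m.group(0))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in OFFICE_EXTS or data.startswith(OLE_MAGIC):
            findings["office_attachments"].append(name)

    return findings


def is_suspicious(findings: dict) -> bool:
    """Reply-chain lure combined with either delivery vector flags the mail."""
    has_vector = bool(findings["zip_links"]) or bool(findings["office_attachments"])
    return findings["reply_chain"] and has_vector


def build_sample(subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed test message (not a real captured sample)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: a ZIP-link lure, an OLE .doc lure, and a benign reply.
SAMPLE_ZIP_LINK = build_sample(
    "RE: invoice 4471",
    "Please review the signed document here:\nhttp://badhost.example/files/docs.zip\n",
)
SAMPLE_OLE_DOC = build_sample(
    "Re: contract",
    "See attached.\n",
    ("contract.doc", OLE_MAGIC + b"\x00" * 24),
)
SAMPLE_BENIGN = build_sample("Re: lunch", "Noon works for me.\n")

if __name__ == "__main__":
    for label, raw in (("zip", SAMPLE_ZIP_LINK), ("doc", SAMPLE_OLE_DOC), ("benign", SAMPLE_BENIGN)):
        f = triage(raw)
        print(label, is_suspicious(f), f)
```

The heuristic is deliberately loose: a legitimate reply with a legacy .doc attachment will also score, which is the right trade-off for a triage queue that feeds detonation or analyst review rather than an outright block. Tighten it by requiring both a reply-chain subject and an external ZIP link, or by inspecting the OLE container for a VBA project, once false-positive rates on real mail flow are known.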

This activity

Read More: https://heimdalsecurity.com/blog/squirrelwaffle-malware-used-to-drop-cobalt-strike/