SASE Week 2023 bajo demanda! Explorar sesiones.

  • Servicio de seguridad Productos Edge

    Protéjase contra las amenazas avanzadas y en la nube y salvaguarde los datos en todos los vectores.

  • Borderless SD-WAN

    Proporcione con confianza un acceso seguro y de alto rendimiento a cada usuario remoto, dispositivo, sitio y nube.

La plataforma del futuro es Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) y Private Access for ZTNA integrados de forma nativa en una única solución para ayudar a todas las empresas en su camino hacia el Servicio de acceso seguro Arquitectura perimetral (SASE).

Todos los productos
Vídeo de Netskope
Next Gen SASE Branch es híbrida: conectada, segura y automatizada

Netskope Next Gen SASE Branch converge Context-Aware SASE Fabric, Zero-Trust Hybrid Security y SkopeAI-Powered Cloud Orchestrator en una oferta de nube unificada, marcando el comienzo de una experiencia de sucursal completamente modernizada para la empresa sin fronteras.

Obtenga más información sobre Next Gen SASE Branch
People at the open space office
Adopte una arquitectura de borde de servicio de acceso seguro (SASE)

Netskope NewEdge es la nube privada de seguridad más grande y de mayor rendimiento del mundo y ofrece a los clientes una cobertura de servicio, un rendimiento y una resiliencia incomparables.

Más información sobre NewEdge
NewEdge
Tu red del mañana

Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.

Obtenga el whitepaper
Tu red del mañana
Netskope Cloud Exchange

Cloud Exchange (CE) de Netskope ofrece a sus clientes herramientas de integración eficaces para que saquen partido a su inversión en estrategias de seguridad.

Más información sobre Cloud Exchange
Vídeo de Netskope
Cambie a los servicios de seguridad en la nube líderes del mercado con una latencia mínima y una alta fiabilidad.

Más información sobre NewEdge
Lighted highway through mountainside switchbacks
Habilite de forma segura el uso de aplicaciones de IA generativa con control de acceso a aplicaciones, capacitación de usuarios en tiempo real y la mejor protección de datos de su clase.

Descubra cómo aseguramos el uso generativo de IA
Habilite de forma segura ChatGPT y IA generativa
Soluciones de confianza cero para implementaciones de SSE y SASE

Más información sobre Confianza Cero
Boat driving through open sea
Netskope hace posible un proceso seguro, rápido y con inteligencia cloud para la adopción de los servicios en la nube, las aplicaciones y la infraestructura de nube pública.

Más información sobre soluciones industriales
Wind turbines along cliffside
  • Recursos

    Obtenga más información sobre cómo Netskope puede ayudarle a proteger su viaje hacia la nube.

  • Blog

    Descubra cómo Netskope permite la transformación de la seguridad y las redes a través del servicio de seguridad (SSE).

  • Eventos & Workshops

    Manténgase a la vanguardia de las últimas tendencias de seguridad y conéctese con sus pares.

  • Seguridad definida

    Todo lo que necesitas saber en nuestra enciclopedia de ciberseguridad.

Podcast Security Visionaries

Predicciones 2024
La presentadora Emily Wearmouth se sienta a conversar con Sherron Burgess, vicepresidente sénior y CISO de BCD Travel, y Shamla Naidoo, directora de estrategia e innovación en la nube de Netskope, para hablar sobre los temas candentes que verán durante el próximo año.

Reproducir el pódcast
Predicciones 2024
Últimos blogs

Cómo Netskope puede habilitar el viaje de Zero Trust y SASE a través de las capacidades del borde del servicio de seguridad (SSE).

Lea el blog
Sunrise and cloudy sky
SASE Week 2023: ¡Su viaje SASE comienza ahora!

Sesiones de repetición de la cuarta SASE Week.

Explorar sesiones
SASE Week 2023
¿Qué es Security Service Edge (SSE)?

Explore el lado de la seguridad de SASE, el futuro de la red y la protección en la nube.

Más información sobre el servicio de seguridad perimetral
Four-way roundabout
  • Nuestros clientes

    Netskope da servicio a más de 2.000 clientes en todo el mundo, entre los que se encuentran más de 25 de las 100 empresas de Fortune

  • Soluciones para clientes

    Le apoyamos en cada paso del camino, garantizando su éxito con Netskope.

  • Comunidad de Netskope

    Aprenda de otros profesionales de redes, datos y seguridad.

  • Formación y certificación

    La formación de Netskope le ayudará a convertirse en un experto en seguridad en la nube.

Ayudamos a nuestros clientes a estar preparados para cualquier situación

Ver nuestros clientes
Woman smiling with glasses looking out window
El talentoso y experimentado equipo de servicios profesionales de Netskope proporciona un enfoque prescriptivo para su exitosa implementación.

Más información sobre servicios profesionales
Servicios profesionales de Netskope
La comunidad de Netskope puede ayudarlo a usted y a su equipo a obtener más valor de los productos y las prácticas.

Acceder a la Netskope Community
La comunidad de Netskope
Asegure su viaje de transformación digital y aproveche al máximo sus aplicaciones en la nube, web y privadas con la capacitación de Netskope.

Infórmese sobre Capacitaciones y Certificaciones
Group of young professionals working
  • Empresa

    Le ayudamos a mantenerse a la vanguardia de los desafíos de seguridad de la nube, los datos y la red.

  • Por qué Netskope

    La transformación de la nube y el trabajo desde cualquier lugar han cambiado la forma en que debe funcionar la seguridad.

  • Liderazgo

    Nuestro equipo de liderazgo está firmemente comprometido a hacer todo lo necesario para que nuestros clientes tengan éxito.

  • Partners

    Nos asociamos con líderes en seguridad para ayudarlo a asegurar su viaje a la nube.

Apoyar la sostenibilidad a través de la seguridad de los datos

Netskope se enorgullece de participar en Vision 2045: una iniciativa destinada a crear conciencia sobre el papel de la industria privada en la sostenibilidad.

Descubra más
Apoyando la sustentabilidad a través de la seguridad de los datos
La más Alta en Ejecución. Más Avanzada en Visión.

Netskope ha sido reconocido como Líder en el Gartner® Magic Quadrant™ de 2023 en SSE.

Obtenga el informe
Netskope ha sido reconocido como Líder en el Gartner® Magic Quadrant™ de 2023 en SSE.
Pensadores, constructores, soñadores, innovadores. Juntos, ofrecemos soluciones de seguridad en la nube de vanguardia para ayudar a nuestros clientes a proteger sus datos y usuarios.

Conozca a nuestro equipo
Group of hikers scaling a snowy mountain
La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.

Más información sobre los socios de Netskope
Group of diverse young professionals smiling

SquirrelWaffle: Nuevo cargador de malware que ofrece Cobalt Strike y QakBot

Oct 07 2021

Co-authored by Gustavo Palazolo and Ghanashyam Satpathy

Resumen

In September of 2021, a new malware family named SquirrelWaffle joined the threat landscape. It spread through malicious Microsoft Office documents attached in spam emails

The infection flow starts with a ZIP file that contains the malicious Office document. When the file is opened by the victim, the malicious VBA macros download SquirrelWaffle DLL, which eventually leads to deploying another threat, such as CobaltStrike or QakBot.

In this blog post, we will analyze two variants of the malicious Office documents that deliver SquirrelWaffle. We will also analyze the final SquirrelWaffle payload and how the last stage URLs are being protected inside the binary.

SquirrelWaffle Office Documents

We have identified two variants used to deliver SquirrelWaffle, a Microsoft Word document and a Microsoft Excel spreadsheet. 

Screenshot of SquirrelWaffle infected documents
SquirrelWaffle malicious documents

Malicious Word Document

The first variant is a malicious Microsoft Word file that mimics a DocuSign document, asking the victim to click “Enable Editing” and “Enable Content” to view the content. 

Example of a SquirrelWaffle infected Word document
SquirrelWaffle malicious Word document

The file contains several VBA macros, including junk code. The main routine lies in a function named “eFile”, which is executed by the “AutoOpen” functionality.

Window showing Malicious VBA function
Malicious VBA function

Aside from all the junk added by the developer, we can see two important pieces of data when we open the VBA editor: a PowerShell script and a batch script that executes the PowerShell script. 

These routines are kept inside the text property of Visual Basic Control instead of in a regular VBA module. The purpose is to evade AV detection.

Screenshots of Malicious code inside the Word file
Malicious code inside the Word file

Looking at the “eFile” function, we can see that both PowerShell and the batch script are created in the user’s AppData directory, respectively named “www.ps1” and “www.txt”.

Screenshot showing VBA function creating payloads in disk
VBA function creating payloads in disk

This behavior can be observed with Procmon.

Screenshot of VBA function dropping payloads in disk.
VBA function dropping payloads in disk.

Later, the VBA code executes the batch script, using the Windows “cscript.exe” binary.

Screenshot showing Malicious batch script executed by the infected document.
Malicious batch script executed by the malicious document.

Looking at those files closely, we can see that the PowerShell script is responsible for downloading SquirrelWaffle DLL using five distinct URLs, likely to add more resilience to the process. 

The downloaded DLLs are saved into “C:\ProgramData\” and named “www[N].dll” where [N] is a number from 1 to 5.

Screenshot of PowerShell script that downloads SquirrelWaffle DLL.
PowerShell script that downloads SquirrelWaffle DLL.

And the batch script, which is executed by the malicious document, is responsible for executing the PowerShell script and the SquirrelWaffe payload DLL.

Screenshot of Batch script that is executed by the infected document.
Batch script that is executed by the malicious document.

Once downloaded, the DLL is executed through “rundll32.exe”, which calls an exported function named “ldr”.

Both “cscript.exe” and “rundll32.exe” are legitimate files from Windows, used by this sample to connect to the C&C servers and to download and execute the next stage payloads. This technique is known as Living-off-the-Land (LoL), which consists of using legitimate binaries to perform malicious activities. We have already covered other malware families that employ this technique, such as BazarLoader.

Screenshot of Batch script executing SquirrelWaffle DLL.
Batch script executing SquirrelWaffle DLL.

Malicious Excel Document

The second variant identified by Netskope is a malicious Microsoft Excel file, containing a fake message that also tries to deceive the victim into clicking the “Enable Editing” and “Enable Content” buttons.

Example of Infected Microsoft Excel document, delivering SquirrelWaffle.
Malicious Microsoft Excel document, delivering SquirrelWaffle.

The file uses Excel 4.0 (XML) macros that are obfuscated and spread across many hidden sheets in the document.

Screenshot of Hidden sheets inside the infected Excel file.
Hidden sheets inside the malicious Excel file.

The developer also changed the font color to hide the code, which can be revealed when we change the font property as shown below.

Showing Hidden code inside the hidden sheet.
Hidden code inside the hidden sheet.

When the Macros are executed, the obfuscated code is written into seven different cells, containing many calls to Windows APIs.

Example showing Malicious code inside the infected Excel document.
Malicious code inside the malicious Excel document.

Simply put, this code contacts three different URLs to download SquirrelWaffle DLL, which is saved into “C:\Datop\test[N].test”, where [N] is null or a number (1 and 2). The DLL is then executed through Windows “ShellExecuteA” API.

SquirrelWaffle DLL

Regardless of the variants we described, the goal is to download and execute SquirrelWaffle DLL. In this section, we will analyze a payload identified on September 17, 2021, named “www2.dll”.

The file uses a custom packer to hide the main payload. The unpacking process is not very complex: The first step the code does is load and execute a shellcode.

Example showing SquirrelWaffle packer loading a shellcode in memory.
SquirrelWaffle packer loading a shellcode in memory.

Once running, the shellcode unpacks the payload compressed with aPlib, which is commonly used by malware to compress files or configurations. The data is then decompressed into a new memory location, and the unpacked DLL is eventually executed.

Example of SquirrelWaffle payload DLL being decompressed.
SquirrelWaffle payload DLL being decompressed.

Once unpacked and decompressed, we can dump the bytes into the disk to analyze the file in a disassembler. The payload is a 32-bit DLL likely compiled on September 17, 2021, although this information can’t be 100% reliable.

Screenshot of Unpacked SquirrelWaffle DLL
Unpacked SquirrelWaffle DLL.

Looking at the DLL exports, we can see the function (“ldr”) that is called by the batch script we’ve shown earlier in this post.

Screenshot of SquirrelWaffle “ldr” export function.
SquirrelWaffle “ldr” export function.

The main goal of SquirrelWaffle is to download and execute additional malware. The developers included a feature that hides important strings in the binary, like the C2 server list. 

By looking at the PE “.rdata” section, we can find the encrypted information, along with the decryption key.

Screenshot of SquirrelWaffle encrypted data.
SquirrelWaffle encrypted data.

To decrypt the data, the malware uses a simple rolling XOR algorithm.

Screenshot of SquirrelWaffle data decryption block.
SquirrelWaffle data decryption block.

We created a simple Python script that is able to decrypt the data from SquirrelWaffle samples, by implementing the same logic. The script can be found in our Github repository.

There are two major blocks of encrypted data. The first one is a large list of IP addresses, as shown below.

Screenshot of part of decrypted data from the analyzed SquirrelWaffle payload.
Part of decrypted data from the analyzed SquirrelWaffle payload.

This list is used by the malware as a blocklist, likely to avoid the malware from being analyzed by sandboxes. The second list contains the payload URLs, which SquirrelWaffle uses to download additional malware.

Screenshot of SquirrelWaffle payload URLs.
SquirrelWaffle payload URLs.

The SquirrelWaffle sample from this campaign was downloading a CobaltStrike beacon, using “.txt” as an extension.

Screenshot of CobaltStrike beacon downloaded by SquirrelWaffle.
CobaltStrike beacon downloaded by SquirrelWaffle.

Aside from CobaltStrike, SquirrelWaffle was also found delivering QakBot, which is a modular banking trojan and information stealer, active since 2007.

Conclusión

SquirrelWaffle is a new malware loader that is being used to deliver Cobalt Strike and QakBot. The infection vector occurs through spam emails with malicious Office documents that eventually downloads SquirrelWaffle DLL.
Although this malware was spotted delivering Cobalt Strike and QakBot so far, we are continuously monitoring this threat as it can be used by more malware families. Netskope Advanced Threat Protection provides proactive coverage against zero-day samples including APT and other malicious Office documents using both our ML and heuristic-based static analysis engines, as well as our cloud sandbox. The following screenshot shows the detection for fb41f8ce9d34f5ceb42b3d59065f63533d4a93557f9353333cbc861e3aff1f09, indicating it was detected by Netskope Advanced Heuristic Analysis.

Protección

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

  • Netskope Threat Protection
    • VB:Trojan.Valyria.5292
  • Netskope Advanced Threat Protection provides proactive coverage against this threat.
    • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
    • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

IOCs

SHA256 Hashes

Infected “.doc”fb41f8ce9d34f5ceb42b3d59065f63533d4a93557f9353333cbc861e3aff1f09
Infected “.xls”2f3371880117f0f8ff9b2778cc9ce57c96ce400afa8af8bfabbf09cb138e8a28
SquirrelWaffle DLL00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c
CobaltStrike Beacon3c280f4b81ca4773f89dc4882c1c1e50ab1255e1975372109b37cf782974e96f

The full list of IOCs, the script that decrypts SquirrelWaffle configuration, and a Yara rule can be found in our Github repository.

author image
Gustavo Palazolo
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.

Stay informed!

Subscribe for the latest from the Netskope Blog