Co-authored by Gustavo Palazolo and Ghanashyam Satpathy
Summary
In September 2021, a new malware family named SquirrelWaffle joined the threat landscape. It spread through malicious Microsoft Office documents attached to spam emails.
The infection flow starts with a ZIP file that contains the malicious Office document. When the victim opens the file, the malicious VBA macros download the SquirrelWaffle DLL, which eventually leads to the deployment of another threat, such as CobaltStrike or QakBot.
In this blog post, we will analyze two variants of the malicious Office documents that deliver SquirrelWaffle. We will also analyze the final SquirrelWaffle payload and how the last stage URLs are being protected inside the binary.
SquirrelWaffle Office Documents
We have identified two variants used to deliver SquirrelWaffle, a Microsoft Word document and a Microsoft Excel spreadsheet.
Malicious Word Document
The first variant is a malicious Microsoft Word file that mimics a DocuSign document, asking the victim to click “Enable Editing” and “Enable Content” to view the content.
The file contains several VBA macros, including junk code. The main routine lies in a function named “eFile”, which is executed by the “AutoOpen” functionality.
Aside from all the junk added by the developer, we can see two important pieces of data when we open the VBA editor: a PowerShell script and a batch script that executes the PowerShell script.
These routines are kept inside the text property of a Visual Basic control instead of in a regular VBA module, which is done to evade AV detection.
Looking at the “eFile” function, we can see that both the PowerShell and the batch script are created in the user’s AppData directory, respectively named “www.ps1” and “www.txt”.
This behavior can be observed with Procmon.
Later, the VBA code executes the batch script, using the Windows “cscript.exe” binary.
Looking at those files closely, we can see that the PowerShell script is responsible for downloading the SquirrelWaffle DLL from five distinct URLs, likely to make the process more resilient.
The downloaded DLLs are saved into “C:\ProgramData\” and named “www[N].dll” where [N] is a number from 1 to 5.
The batch script, which is executed by the malicious document, is responsible for running the PowerShell script and then the SquirrelWaffle payload DLL.
Once downloaded, the DLL is executed through “rundll32.exe”, which calls an exported function named “ldr”.
Both “cscript.exe” and “rundll32.exe” are legitimate files from Windows, used by this sample to connect to the C&C servers and to download and execute the next stage payloads. This technique is known as Living-off-the-Land (LoL), which consists of using legitimate binaries to perform malicious activities. We have already covered other malware families that employ this technique, such as BazarLoader.
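As an added example (not part of Netskope's analysis and not the sample's own code), the Python below turns the process chain described above into three simple detection rules and runs them over constructed Sysmon-style process-creation events. The file paths, parent/child pairs, rule names and the sample events themselves are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events modelled on the chain described above
# (Office app -> cscript.exe -> PowerShell -> rundll32.exe). Illustrative only.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\Users\victim\AppData\Roaming\www.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Users\victim\AppData\Roaming\www.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\www3.dll,ldr"},
    {"parent": r"C:\Windows\explorer.exe",          # benign rundll32 use, should not match
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = ("winword.exe", "excel.exe")
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe")
# rundll32 loading www<N>.dll from C:\ProgramData and calling the "ldr" export
RUNDLL_PATTERN = re.compile(r"C:\\ProgramData\\www\d+\.dll\s*,\s*ldr\b", re.IGNORECASE)
# a script named www.ps1 / www.txt referenced under the user's AppData directory
APPDATA_PATTERN = re.compile(r"\\AppData\\.*\\www\.(ps1|txt)\b", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, so rules can compare image names."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules this event matches (empty list if none)."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmd"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if APPDATA_PATTERN.search(cmd):
        hits.append("appdata_www_script")
    if image == "rundll32.exe" and RUNDLL_PATTERN.search(cmd):
        hits.append("rundll32_programdata_ldr")
    return hits

def scan(events):
    """Return (index, matched_rules) for every event that matches at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmd"], "->", rules)
```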
Malicious Excel Document
The second variant identified by Netskope is a malicious Microsoft Excel file, containing a fake message that also tries to deceive the victim into clicking the “Enable Editing” and “Enable Content” buttons.
The file uses Excel 4.0 (XLM) macros that are obfuscated and spread across many hidden sheets in the document.
The developer also changed the font color to hide the code, which can be revealed when we change the font property as shown below.