Malware loaders, in which remote access Trojans seize malicious executables or payloads from an attacker-controlled server, continue to evolve and pose a significant threat.
Defending against loader-type malware is crucial to avoid a potential ransomware incident, given the fact that is the foothold of the attack kill-chain related to ransomware tactics, techniques and procedures (TTPs).
Two of the most recent malware loaders to emerge are SquirrelWaffle and MirrorBlast. While SquirrelWaffle delivers Cobalt Strike payloads to victims, MirrorBlast uses novel techniques to gather intelligence and drop malicious payloads onto devices. In this blog post, we outline the TTPs of these new types of malware, the risks they pose and the steps organisations should take to mitigate them.
What is SquirrelWaffle?
Since the fall of the Emotet botnet in January 2021, malware authors have been jostling to fill the gap in the market. Catering to the ransomware market as initial access brokers has become a lucrative endeavour for many actors who are content to sell on access and take a cut of the ransom demanded. SquirrelWaffle, which has been in operation since early September 2021, appears to be attempting to secure a piece of this market.
As stated by Brad Duncan from Malware Traffic Analysis, the SquirrelWaffle moniker was taken from tagging applied by Proofpoint systems to inbound emails, as part of their Emerging Threats Service. The Redscan/Kroll threat intelligence team can ascertain that the new malware loader is being distributed by the ‘TR’ botnet associated with the QakBot family of malware. It has been detected delivering Cobalt Strike payloads to victims. This recent campaign also coincides with renewed QakBot activity.
How does SquirrelWaffle work?
The SquirrelWaffle infection chain relies on malicious documents delivered via a link inside an email. The documents download a .zip archive, to be opened by the victim. At present, these delivery mechanisms are highly geofenced, allowing only victims in targeted countries to download the infected documents.
Malicious documents or spreadsheets contained within a .zip archive are designed to deceive inline defensive technology and to deliver the infected files to the victim without ‘the mark of the web’ being present in the document metadata, enabling them to be opened without protected view. Once a victim clicks ‘enable macros’ inside the document, the macros will launch a VBS script to run a separate PowerShell script which will download the SquirrelWaffle malware as a .dll to ‘C:/ProgramData’ and execute with rundll32.
The SquirrelWaffle loader has also been seen dropping Cobalt Strike Beacons on some devices.
It is being distributed on an increasing scale in the wild via spam campaigns. SquirrelWaffle’s infection chain relies on the use of malicious documents and the samples analysed are packed and highly obfuscated to disguise their malicious intentions. This also makes it difficult for the malware to be reverse engineered by malware analysis teams and security researchers.
Combined with the use of Antibot (a tool that can help actors evade analysis) that has been found to be used on their command and control sites, this adds an additional level of complexity for security researchers that need to analyse and track the malware. The Antibot feature prevents the second stage of the payload downloading, if it detects the host belongs to a security company, sandboxing service, researcher or virtualised device. This was observed and confirmed by the Redscan Threat Intelligence team when analysing samples from runs of SquirrelWaffle and could not achieve automated sandboxed execution.
Once SquirrelWaffle has infected the targeted device it has been known to drop and execute further malware such as Cobalt Strike beacons and Qakbot, both tools known to be a common tactic of ransomware operators to gain initial footholds in corporate environments.
In the campaigns seen by Redscan, Endpoint Detection and Response (EDR) and Next-Generation Anti-Virus (NGAV) tools were able to detect and stop the threat, before the delivery of SquirrelWaffle loader payloads. Upon further analysis these campaigns would have deployed QakBot, if defences had not been in place. The Redscan Threat Intelligence team is continuing to monitor this new malware closely and will update when more information is available.
How to mitigate against SquirrelWaffle
- Employ Endpoint Detection and Response (EDR) and Next Generation Anti-Virus (NGAV) on all hosts to enhance detection of any malicious activity taking place within the environment.
- Train all staff to be vigilant about opening emails or messages originating from outside of the organisation which may contain malicious links, malware attachments or be fraudulent.
What is MirrorBlast?
A second, new malware loader dubbed ‘MirrorBlast’ has been observed operating since September 2021, although it has now been widely reported. MirrorBlast is a loader-type malware, similar in capability to BazarLoader or Emotet. Like SquirrelWaffle, it fills the gap in the initial access market created by the disruption of the Emotet botnet.
How does MirrorBlast work?
While delivery mechanisms and objectives remain similar to other loader malware, MirrorBlast uses novel techniques to gather intelligence and drop malicious payloads onto victim devices, by leveraging REBOL.
As a very lightweight cross-platform programming language, it is extremely easy to deploy and execute a REBOL package to a victim’s environment. The MirrorBlast operators leverage this in a novel way by using a phishing lure combined with malicious macros to download and execute an .msi file. The macro also performs some simple sandbox evasion techniques, not executing on hosts where the username is ‘admin’ or ‘administrator’.
The method of launching the REBOL scripts has varied by campaign, however it remains the case that the REBOL script will add the process to the AUTOSTART registry and connect to a command and control (C2) server with a .php endpoint every three seconds. This .php file can then contain commands that will be interpreted and executed by the REBOL/View deployment.
This method is then used to collect system information and send it base64 encoded to the server, where it will then download additional malware to the victims’ machines, whilst allowing command over many infected machines from a single C2 endpoint.
So far, MirrorBlast campaigns have been underreported and have impacted fewer organisations then other malspam campaigns, such as QakBot. However, it appears the threat actors behind this malware are still in the development phase, hence the various deployment mechanisms we have observed from samples uploaded to Any.Run or VirusTotal.
The modus operandi of the threat actors behind MirrorBlast and the use of the GraceWire trojan show similarities with past activity from TA505, an advanced, financially motivated cybercrime group, linked with Conti and Pysa ransomware threat groups. A MirrorBlast infection, therefore, is a likely precursor to a ransomware event and should be treated as a high priority incident.
How to mitigate against MirrorBlast
- Consider blocking REBOL use in your environment, if not used for BAU activity.
- Employ Endpoint Detection and Response (EDR) and Next Generation Antivirus (NGAV) to all devices within your environments to allow for early detection.
We will provide updates as new insight about these and other types of malware loaders emerges.
This information was first shared as part of our weekly threat intelligence reporting provided to customers as part of ThreatDetect™, our outcome-focused Managed Detection & Response (MDR) service. ThreatDetect supplies the people, technology and cyberoffensive intelligence required to continuously hunt for threats across networks and endpoints and help shut them down before they cause damage and disruption.