A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that allows the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems.
“These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world,” said researchers with Cisco Talos in a technical write-up.
The malspam campaign is believed to have commenced in mid-September 2021 via laced Microsoft Office documents that, when opened, trigger an infection chain that results in the machines getting infected with a malware dubbed SQUIRRELWAFFLE.
Mirroring a technique that is consistent with other phishing attacks of this kind, the latest operation leverages stolen email threads to give it a veneer of legitimacy and trick unsuspecting users into opening the attachments.
What's more, the language employed in the reply messages matches the language used in the original email thread, demonstrating a case of dynamic localization put in place to increase the likelihood of success of the campaign. The top five languages used to deliver the loader are English (76%), followed by French (10%), German (7%), Dutch (4%), and Polish (3%).
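The thread-hijacking pattern described above lends itself to a simple mail-gateway heuristic: a reply that references a genuine existing thread, arrives from an address never seen in that thread, and carries an Office document. The following is an added illustration written for this page, not code from Cisco Talos or Zscaler; the thread store, message fields and Office extension list are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Office document extensions treated as risky when they ride on a hijacked
# reply (assumed list; tune to the environment).
OFFICE_EXT = re.compile(r"\.(docx?|docm|xlsx?|xlsm|pptx?)$", re.IGNORECASE)


@dataclass
class Thread:
    # Addresses that legitimately took part in the original conversation.
    participants: Set[str]


@dataclass
class Message:
    message_id: str
    sender: str
    in_reply_to: Optional[str] = None
    attachments: List[str] = field(default_factory=list)


def is_hijacked_reply(msg: Message, threads: Dict[str, Thread]) -> bool:
    """Return True when msg replies to a known thread, comes from an address
    that never participated in it, and attaches an Office document."""
    if not msg.in_reply_to or msg.in_reply_to not in threads:
        return False  # not a reply to anything we know about
    known = {p.lower() for p in threads[msg.in_reply_to].participants}
    stranger = msg.sender.lower() not in known
    has_office = any(OFFICE_EXT.search(a) for a in msg.attachments)
    return stranger and has_office


# Constructed sample data: one real thread and three inbound replies.
THREADS = {
    "<orig-1@corp.example>": Thread({"alice@corp.example", "bob@partner.example"}),
}
SAMPLE = [
    Message("<r1@x>", "bob@partner.example", "<orig-1@corp.example>", ["quote.docx"]),
    Message("<r2@x>", "mailer@unrelated.example", "<orig-1@corp.example>", ["invoice.docm"]),
    Message("<r3@x>", "mailer@unrelated.example", "<orig-1@corp.example>", ["notes.txt"]),
]


def flagged_ids(messages: List[Message]) -> List[str]:
    """IDs of messages the heuristic would hold for review."""
    return [m.message_id for m in messages if is_hijacked_reply(m, THREADS)]
```

Only the second sample message is held: it replies to a real thread from an outside address and carries an Office document, while the others fail one of the three conditions.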
Email distribution volumes capitalizing on the new threat peaked around September 26, based on data compiled by the cybersecurity firm.
While previously compromised web servers, mainly running versions of the WordPress content management system (CMS), function as the malware distribution infrastructure, an interesting technique observed is the use of “antibot” scripts to block web requests that originate from IP addresses not belonging to victims but rather to automated analysis platforms and security research organizations.
The malware loader, besides deploying Qakbot and the infamous penetration testing tool Cobalt Strike on the infected endpoints, also establishes communications with a remote attacker-controlled server to retrieve secondary payloads, making it a potent multi-purpose utility.
“After the Emotet botnet takedown earlier this year, criminal threat actors are filling that void,” Zscaler noted in an analysis of the same malware last month. “SQUIRRELWAFFLE appears to be a new loader taking advantage of this gap. It's not yet clear if SQUIRRELWAFFLE is developed and distributed by a known threat actor or a new group. However, similar distribution techniques were previously used by Emotet.”