Squirrelwaffle uses malspam to deliver Cobalt Strike and QakBot

A recent spam email campaign has been spreading the new Squirrelwaffle loader to deploy Cobalt Strike and QakBot. The campaign, which appears to have begun in mid-September, delivers its malware using malicious Microsoft Office documents.

The spam campaign is utilizing stolen email chains to add an air of legitimacy to the messages, which helps to trick victims into opening and interacting with the infected documents. The attackers are even customizing the messages and attachments to match the original language of the email thread, which means they can attack a wider range of targets.

The email attachments pull the malware down primarily from infected WordPress-based websites, and use techniques to block the download of the malware from IP addresses not belonging to victims. The malware downloaded is the legitimate penetration testing tool Cobalt Strike, and the QakBot banking trojan.

Acronis Cyber Protect Cloud uses advanced behavioral detection to identify and block Squirrelwaffle — and other trojans — based on the malicious behaviors they exhibit. With the optional Advanced Email Security pack, you can enable further protection through features — like the ability to scan all incoming emails for malicious links and email attachments, and keep these from ever reaching your users' inboxes.