A new malware campaign dubbed SQUIRRELWAFFLE by Cisco Talos is being spread through malicious spam that makes use of stolen email messages to add authenticity.
Malicious spam (malspam) is unsolicited email that seeks to deliver a malicious payload either through a Microsoft Office attachment or by tricking the user into clicking a link in the email. By using stolen email messages as the basis for the spam, the recipient is more likely to think the email is legitimate because it appears to come from a known contact and may even be a part of a message thread that the recipient was originally a part of.
Cisco Talos’ new report on SQUIRRELWAFFLE explains that the campaign is being used to deliver Cobalt Strike or Qakbot payloads in order to gain a foothold in the target network. The threat actors behind this campaign are customising their spam messages to match the language of the intended target, although English is by far the dominant language, accounting for 76% of the traffic. The campaign appears to have started in September 2021 and is steadily growing in the volume of malspam it generates.
In most cases, the email contains a hyperlink to a malicious Excel or Word file hosted on a server controlled by the threat actors; opening that file delivers the payload to the victim. The actors have also been observed sending emails crafted to look like document-delivery notifications from services such as DocuSign in an attempt to get the victim to click the link.
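The two lure characteristics described above, a hyperlink that points straight at an Office document on an external server and a link whose visible text borrows a document-delivery brand while its real destination goes elsewhere, can both be checked mechanically at the mail gateway or in a triage script. The following is an added illustration and is not code from Cisco Talos or from the campaign report; the `BRAND_DOMAINS` allowlist, the suspicious-extension list and the sample HTML body are all constructed for the example.

```python
"""Flag hyperlinks in an email body that match the lure patterns described above:
links pointing at Office documents on external servers, and anchors whose visible
text names a document-delivery service while the link itself goes elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Office document extensions that can carry macros or other active content.
OFFICE_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb", ".doc", ".docx", ".docm")

# Brands commonly borrowed by lures, mapped to the domains that legitimately use them.
# Hypothetical allowlist for this example; extend it for the services your users rely on.
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_link(href, text):
    """Return the list of reasons a link is suspicious (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    # Direct link to an Office document: the delivery method described in the text.
    if path.endswith(OFFICE_EXTENSIONS):
        reasons.append("links directly to an Office document: " + href)
    # Brand named in the visible text, but the link resolves to an unrelated host.
    lowered = text.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and not host_matches(host, domains):
            reasons.append(f"text mentions {brand} but link host is {host or '(none)'}")
    # Visible text that looks like a URL but names a different host than the real one.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and shown.group(1).lower() != host.lower():
        reasons.append(f"displayed host {shown.group(1)} differs from real host {host}")
    return reasons


def scan_email_html(html):
    """Return {href: [reasons]} for every suspicious anchor in an HTML email body."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.anchors:
        reasons = classify_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample body (not a real campaign artefact): a reply-style lure with one
# link to a spreadsheet on an unknown host, one fake DocuSign link, and one benign link.
SAMPLE_HTML = """
<p>Re: Invoice for Q3 - please see the updated figures below.</p>
<p><a href="http://files.example-cdn.test/invoices/Q3-figures.xlsm">Q3-figures.xlsm</a></p>
<p><a href="http://review.example-hosting.test/view?id=8812">DocuSign: Review Document</a></p>
<p>Regards,<br><a href="https://www.example.com/">https://www.example.com/</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, the script reports the spreadsheet link and the fake DocuSign link and leaves the signature link alone. The same checks apply equally well to plain-text bodies once URLs are extracted, and in production the extension list would be paired with a reputation lookup on the host rather than used in isolation.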
The servers that host the malicious payloads use techniques to hinder analysis and tracking by security firms, such as blocking requests from the IP address ranges of known cyber security companies.
The ingenuity and novel techniques used by this campaign highlight the risks of relying on a purely technical defence against malspam. Security managers should ensure that all staff receive Security Awareness Training regularly, so that they are prepared for the new techniques being deployed against them.