Because of their widespread use, Office documents are a common vehicle for malware distribution. McAfee Labs has observed a new threat, "SquirrelWaffle", an emerging malware family seen in mid-September 2021 using Office documents as its initial vector to infect systems with CobaltStrike.
In this blog, we take a quick look at the SquirrelWaffle malicious document and walk through the initial infection vector.
Geolocation-based stats of the SquirrelWaffle malicious doc observed by McAfee from September 2021
Figure-1: Geo-based stats of SquirrelWaffle Malicious Doc
- The initial attack vector is a phishing email containing a link to a site hosting the malicious document
- Clicking the URL downloads a ZIP archive containing the malicious doc
- The malicious doc is weaponized with an AutoOpen VBA function. When the doc is opened, it drops a VBS file containing obfuscated PowerShell
- The dropped VBS script is invoked via cscript.exe to download the malicious DLLs
- The downloaded DLLs are executed via rundll32.exe with the export function "ldr" passed as the argument
Figure-2: Infection Chain
Malicious Doc Analysis
Here is how the face of the document looks when it is opened (Figure-3). Microsoft Office disables macros by default, and the malware authors know this, so they present a lure image that guides the victim into enabling macros.
Figure-3: Image of Word Document Face
UserForms and VBA
The VBA UserForm Label components in the Word document (Figure-4) are used to store all the content required for the VBS file. In Figure-4, the UserForm's LabelBox "t2" carries the VBS code in its caption.
Sub routine "eFile()" retrieves the LabelBox captions, writes them to C:\Programdata\Pin.vbs and executes that file using cscript.exe
Cmd line: cmd /c cscript.exe C:\Programdata\Pin.vbs
Figure-4: Image of Userforms and VBA
VBS Script Analysis
The dropped VBS script is obfuscated (Figure-5) and contains five URLs that host payloads. The script loops over them, downloading each payload with PowerShell and writing it to C:\Programdata in the format www-[1-5].dll. Once a payload is downloaded, it is executed with rundll32.exe, passing the export function name "ldr" as the parameter.
Figure-5: Obfuscated VBS script
De-obfuscated VBS script
The VBS script after de-obfuscation (Figure-6)
Figure-6: De-obfuscated VBS script
The malware uses several techniques and tactics, which we mapped to the MITRE ATT&CK framework.
- Command and Scripting Interpreter (T1059)
The malicious doc's VBA drops and invokes a VBS script.
CMD: cscript.exe C:\ProgramData\pin.vbs
- Signed Binary Proxy Execution (T1218)
Rundll32.exe is used to execute the dropped payload.
CMD: rundll32.exe C:\ProgramData\www1.dll,ldr
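To make the infection chain above and the ATT&CK mapping concrete, here is a small detection script. It is an added example, not code from the McAfee post, and it assumes Sysmon-style process-creation fields (parent image, image, command line) rather than any specific product's log schema. The sample events are constructed for illustration; in particular, cscript.exe as the parent of rundll32.exe is an assumption, since the post only states that the VBS launches rundll32.exe. The rules flag an Office application spawning a script host (T1059), a Windows Script Host process running a .vbs from C:\ProgramData (T1059), and rundll32.exe loading a DLL from C:\ProgramData by export name (T1218), then correlate the two stages per host so that a lone rundll32 of a vendor DLL does not raise the chain alert.

```python
"""Hunt for the SquirrelWaffle-style doc -> VBS -> rundll32 chain in process-creation logs.

Added example (not from the McAfee post). Assumes Sysmon-like fields; sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
WSH_HOSTS = {"cscript.exe", "wscript.exe"}

# A .vbs dropped under C:\ProgramData (the post's C:\Programdata\Pin.vbs).
VBS_IN_PROGRAMDATA = re.compile(r"c:\\programdata\\[^\s\"']*\.vbs", re.I)
# rundll32 <dll under ProgramData>,<export>  (the post's C:\ProgramData\www1.dll,ldr).
RUNDLL_PROGRAMDATA = re.compile(r"(c:\\programdata\\[^\s\"',]*\.dll)\s*,\s*([a-z0-9_]+)", re.I)


@dataclass
class ProcEvent:
    ts: int            # epoch seconds
    host: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    command_line: str


Finding = Tuple[int, str, str, str]  # (ts, host, ATT&CK technique, description)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply the three per-event rules and return every hit in input order."""
    findings: List[Finding] = []
    for e in events:
        parent, image, cl = _base(e.parent_image), _base(e.image), e.command_line
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append((e.ts, e.host, "T1059", f"{parent} spawned {image}: {cl}"))
        if image in WSH_HOSTS and VBS_IN_PROGRAMDATA.search(cl):
            findings.append((e.ts, e.host, "T1059", f"{image} running .vbs from ProgramData: {cl}"))
        if image == "rundll32.exe":
            m = RUNDLL_PROGRAMDATA.search(cl)
            if m:
                findings.append((e.ts, e.host, "T1218",
                                 f"rundll32 loading {m.group(1)} via export '{m.group(2)}'"))
    return findings


def correlate(findings: List[Finding], window: int = 600) -> List[str]:
    """Hosts where a T1059 hit is followed by a T1218 hit within `window` seconds."""
    by_host: Dict[str, List[Tuple[int, str]]] = {}
    for ts, host, tech, _ in findings:
        by_host.setdefault(host, []).append((ts, tech))
    hits = set()
    for host, items in by_host.items():
        script_ts = [ts for ts, tech in items if tech == "T1059"]
        for ts, tech in items:
            if tech == "T1218" and any(0 <= ts - s <= window for s in script_ts):
                hits.add(host)
    return sorted(hits)


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SYS32 = r"C:\Windows\System32"

# Constructed sample: ws01 shows the full chain, ws02 is benign noise, ws03 is a lone rundll32.
SAMPLE_EVENTS = [
    ProcEvent(1000, "ws01", WINWORD, SYS32 + r"\cmd.exe", r"cmd /c cscript.exe C:\Programdata\Pin.vbs"),
    ProcEvent(1001, "ws01", SYS32 + r"\cmd.exe", SYS32 + r"\cscript.exe", r"cscript.exe C:\Programdata\Pin.vbs"),
    # parent of rundll32 is an assumption for the sample; the post only says the VBS runs it
    ProcEvent(1030, "ws01", SYS32 + r"\cscript.exe", SYS32 + r"\rundll32.exe", r"rundll32.exe C:\ProgramData\www1.dll,ldr"),
    ProcEvent(2000, "ws02", r"C:\Windows\explorer.exe", SYS32 + r"\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(2100, "ws02", WINWORD, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(3000, "ws03", SYS32 + r"\services.exe", SYS32 + r"\rundll32.exe", r"rundll32.exe C:\ProgramData\vendor\update.dll,Init"),
]


def run_sample() -> Tuple[List[Finding], List[str]]:
    findings = detect(SAMPLE_EVENTS)
    return findings, correlate(findings)


if __name__ == "__main__":
    found, hosts = run_sample()
    for f in found:
        print(f)
    print("chain detected on:", hosts)
```

Rule tuning: the rundll32 rule is keyed on a DLL path under C:\ProgramData, so a legitimate installer dropping a DLL there will produce a T1218 finding on its own; the per-host correlation with an Office-spawned script host is what turns the two findings into a high-confidence alert, and the `window` argument controls how far apart the two stages may be.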
| Indicator | Value | Detection |
| Main Word Document | 195eba46828b9dfde47ffecdf61d9672db1a8bf13cd9ff03b71074db458b6cdf | ENS, |
| URLs to download DLL | priyacareers.com | |
source: McAfee Labs