Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike
Security News, October 2021
A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems.
"These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world," said researchers with Cisco Talos in a technical write-up.
The top five languages used to deliver the loader are English, followed by French, German, Dutch, and Polish.
The distribution infrastructure consists of previously compromised web servers, most of them running versions of the WordPress content management system. A notable technique observed on these servers is the use of "Antibot" scripts that block web requests originating from IP addresses that do not belong to intended victims, such as those of automated analysis platforms and security research organizations.
The malware loader, besides deploying Qakbot and the infamous penetration testing tool Cobalt Strike on the infected endpoints, also establishes communications with a remote attacker-controlled server to retrieve secondary payloads, making it a potent multi-purpose utility.
"SQUIRRELWAFFLE appears to be a new loader taking advantage of this gap. It is not yet clear if SQUIRRELWAFFLE is developed and distributed by a known threat actor or a new group. However, similar distribution techniques were previously used by Emotet."