2021-09-20 (MONDAY) - SQUIRRELWAFFLE LOADER WITH COBALT STRIKE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2021-09-20-IOCs-for-Squirrelwaffle-Loader-with-Cobalt-Strike.txt.zip   2.0 kB   (1,973 bytes)
- 2021-09-20-Squirrelwaffle-Loader-with-Cobalt-Strike.pcap.zip   7.7 MB   (7,661,556 bytes)
- 2021-09-20-Squirrelwaffle-Loader-and-Cobalt-Strike-malware-and-artifacts.zip   1.2 MB   (1,224,472 bytes)
NOTES:
- I was originally tipped off to this activity from this tweet sent by @ffforward.
- Based on that info, I captured an infection and pushed out the IOCs through @Unit42_Intel in this tweet.
IMAGES:
- Screenshot of tweet from @ffforward.
- Screenshot of tweet from @Unit42_Intel.
- Flow chart from the @Unit42_Intel tweet.
- Using link from @ffforward's tweet to download the initial zip archive.
- Downloaded zip archive and extracted Excel file.
- Traffic from the infection filtered in Wireshark.