ThreatLabZ October 2021 Report: new Squirrelwaffle loader, expanded Trickbot attack vectors, and double-extortion AtomSilo ransomware

Oct 19, 2021
In the past month, the Zscaler ThreatLabZ team has identified a campaign involving a new malware loader dubbed Squirrelwaffle, documented active attack vectors for the Trickbot and BazarLoader banking Trojans, and deconstructed a new double-extortion ransomware variant called AtomSilo.

New Squirrelwaffle campaign resembles Emotet, Qakbot predecessors

Since September, we've seen an increase in attack campaigns employing the Cobalt Strike penetration testing tool for nefarious ends and identified a new malware loader called “Squirrelwaffle” being used in its deployment.

Though it hasn’t been attributed to a specific threat group, the broader Squirrelwaffle-related campaign appears to emanate from the same source infrastructure as the Qakbot banking Trojan. The ThreatLabZ team deconstructed the relatively complex attack chain that can be seen below:

Figure 1. Squirrelwaffle Attack Chain

The campaign begins with spam emails with embedded URLs that use an email-thread hijacking technique similar to one seen in earlier Emotet and Qakbot campaigns. Victims trigger a macro that 1) downloads a malicious VBS file that 2) downloads the Squirrelwaffle loader, which then 3) downloads another loader, which 4) downloads Cobalt Strike. From there, the malware begins command-and-control (CnC) activity with a remote attacker-controlled server.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read more ThreatLabZ technical analysis of the Squirrelwaffle campaign here.

Trickbot and new BazarLoader campaigns expand to multiple attack vectors

Since 2016, Trickbot has been one of the most active banking Trojans targeting financial services victims. ThreatLabZ reported attack vectors used in recent Trickbot activity, as well as new campaigns deploying BazarLoader, a Trickbot spinoff.

The two Trojan families tend to focus on cryptojacking and data exfiltration, with the latter efforts aiming to steal banking information, personally-identifying information (PII), or user credentials. More concerning, in these campaigns, hackers are employing new methods to deliver payloads. Specifically, they’re using new techniques to obscure malicious activities on victimized systems.

In the past, Trickbot payloads were delivered via malicious attachments to Microsoft Office files. But now -- with both Trickbot and BazarLoader campaigns -- we’re seeing an expansion of that approach to different file types, including an increase in the use of JavaScript files:

Figure 2. Recent Trickbot and BazarLoader delivery vectors by file type

In summary, ThreatLabZ analysis of the Trickbot and BazarLoader campaigns shows:

1. The use of Script and LNK file attachments represents a new evasion technique.

2. Multilayer obfuscation is used to preclude analysis of JS and LNK files.

3. When activated on a victimized system, an Office attachment drops an HTA file with snippets of HTML and JavaScript functions.

4. Newly-registered domains (NRD) are used to deliver the final payload.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox, Advanced Cloud Firewall.

The ThreatLabZ team has prepared a detailed technical breakdown of how the Trickbot/BazarLoader campaign attack chain is now employing multiple attack vectors. Read more here.

New AtomSilo ransomware doubles down on extortion

AtomSilo is a new ransomware variant that the ThreatLabZ team first identified in September 2021. AtomSilo exemplifies a sinister new trend of “double-extortion” ransomware: first, it locks seized data and demands a ransom for data recovery; second, it threatens victims with the subsequent public release of stolen digital intellectual property if the ransom is not paid.

The AtomSilo campaign exploits a recently-discovered vulnerability in Atlassian’s Confluence collaboration software. The threat group behind AtomSilo planted a backdoor using legitimate software via a DLL side-loading technique. The backdoor enables remote code execution, which the threat actors exploited via the use of compromised administrative credentials.

Cynically, the threat group behind AtomSilo claims it will not attack hospitals, critical infrastructure facilities, oil-and-gas industry companies, educational organizations, or non-profits. Victims gain access to the AtomSilo ransomware data site:

The AtomSilo payload is 64-bit and packed with a modified UPX packer. Once executed, it enumerates each drive and drops a ransom note in each folder (with some exceptions). The ransom note is named “README-FILE-{COMPUTER_Name}-{DateTime}.hta”.
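
A detection sketch for the note-dropping behaviour described above, added here as an example (not ThreatLabZ code): it flags a host when files matching the reported note name appear in several directories. The `timestamp|host|path` event format, the sample events, the threshold, and the function names are constructed assumptions, as is the premise that the logged host name equals the computer name embedded in the note.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note name from the report: README-FILE-{COMPUTER_Name}-{DateTime}.hta
# The DateTime layout is not given, so it is matched as an opaque token.
NOTE_RE = re.compile(r"^README-FILE-(?P<rest>.+)\.hta$", re.IGNORECASE)

# Constructed sample file-creation events: timestamp|host|path
SAMPLE_EVENTS = r"""
2021-10-01T10:00:01|WS-FIN-07|C:\Users\alice\Documents\README-FILE-WS-FIN-07-1633082401.hta
2021-10-01T10:00:01|WS-FIN-07|C:\Users\alice\Desktop\README-FILE-WS-FIN-07-1633082401.hta
2021-10-01T10:00:02|WS-FIN-07|D:\Shares\Finance\README-FILE-WS-FIN-07-1633082402.hta
2021-10-01T10:00:02|WS-FIN-07|D:\Shares\Finance\Q3\report.xlsx
2021-10-01T11:30:00|WS-DEV-02|C:\Tools\docs\README-FILE-FORMATS.hta
2021-10-01T11:45:00|WS-DEV-02|C:\Temp\README-FILE-WS-DEV-02-20211001.hta
"""

def is_ransom_note(host, path):
    """True if the file name is README-FILE-<host>-<non-empty token>.hta."""
    m = NOTE_RE.match(PureWindowsPath(path).name)
    if not m:
        return False
    # Compare against the whole host name: computer names may contain '-',
    # so splitting the file name on '-' would mis-parse it.
    rest, prefix = m.group("rest").lower(), host.lower() + "-"
    return rest.startswith(prefix) and len(rest) > len(prefix)

def find_note_sprays(lines, min_dirs=3):
    """Return {host: sorted directories} for hosts with notes in >= min_dirs folders."""
    dirs = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _ts, host, path = line.strip().split("|", 2)
        if is_ransom_note(host, path):
            dirs[host].add(str(PureWindowsPath(path).parent).lower())
    return {h: sorted(d) for h, d in dirs.items() if len(d) >= min_dirs}

if __name__ == "__main__":
    for host, folders in find_note_sprays(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {host}: ransom-note pattern in {len(folders)} folders")
```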

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read more ThreatLabZ AtomSilo technical analysis here.

About ThreatLabZ

ThreatLabZ is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
