SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Could SquirrelWaffle fill the spam void left behind by Emotet?
Description: Recently, a new threat, referred to as "SQUIRRELWAFFLE" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and could become the next big player in the spam space. SQUIRRELWAFFLE provides threat actors with an initial foothold onto systems and their network environments that can then be used to facilitate further compromise or additional malware infections depending on how adversaries choose to attempt to monetize their access. In many cases, these infections are also being used to deliver and infect systems with other malware like Qakbot and the penetration-testing tool Cobalt Strike. Let's take a look at how this new threat operates and the volume and characteristics of the malicious email campaigns associated with it. Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future.
ClamAV signatures: Doc.Downloader.SquirrelWaffle09210-9895192-0, Xls.Downloader.SquirrelWaffle20921-9895790-0, Xls.Downloader.SquirrelWaffle1021-9903731-0
Title: Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
Description: Cisco Talos has observed a new campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver a variety of commodity malware to victims. The campaign consists of two phases: A reconnaissance phase that involves a custom file enumerator and infector to the victims and an attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT. The threat actor registered multiple domains with political and government themes. These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts.
Snort SIDs: 58356 - 58361