Over the past few hours, we’ve observed malicious phishing emails associated with the delivery affiliate TR in multiple customer environments. The infection scheme was consistent, executing in the following pattern: OneDrive phishing page -> ZIP download -> malicious XLSB -> Qbot The ZIP file and XLSB had formats similar to `123 (1).zip/123.xlsb`. The Excel macros downloaded a Qbot binary with an OCX file extension to the TR-specific folder “C:\Watdan” and executed it with the command `regsvr32 C:\Watdan\tle1.ocx`

SQUIRRELWAFFLE is a malware loader that first emerged in September 2021 and is often a delivery mechanism for Qbot. We’ve seen it rapidly deliver Cobalt Strike and Bloodhound, which we frequently observe preceding impactful threats like ransomware. 1/4 This activity is novel due to its speed. SQUIRRELWAFFLE can lead to Cobalt Strike and Bloodhound within 90 minutes of the initial infection. The adversary is using a legitimate NVIDIA binary to load a malicious Cobalt Strike DLL, making the threat potentially evasive. 2/4

We sat down with @likethecoins, director of intelligence at Red Canary, to chat about the Microsoft Exchange activity happening and share what we’re seeing. Check out what she had to say in the thread. #RCintel Q1: What do we know about the adversaries exploiting the recent Exchange vulnerabilities? #RCintel

We’ve detected suspicious activity in multiple environments today, and, while we haven’t yet observed a payload, we’re concerned the activity may be the result of Exchange Server compromise. 1/7 #RCintel What we’re observing is consistent with DLTminer precursor activity uncovered by @vmw_carbonblack in 2019, specifically its use of scheduled tasks to execute PowerShell and make external network connections. carbonblack.com/blog/cb-tau-te… 2/7