Good afternoon, Talos readers.

Most people know about chicken and waffles. But what about squirrel and waffles? They may not be the most appetizing brunch, but they are teaming up for one heck of a spam campaign.

We have new research out detailing this threat and examining whether it could be the next big player in the spam space.

Also, everyone will be excited to know that the 2022 Snort Calendar has arrived! This year’s theme is “Hoofstock ‘22 — 12 epic months of music legends.” To get your copy of the 2022 Snort Calendar, fill out our short survey here. Calendars will begin shipping in November 2021. U.S. shipping only, available while supplies last.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at

Cybersecurity week in review

  • A trove of insider documents from Facebook has been unveiled after journalists spent weeks pouring over the information from a noted whistleblower. The so-called "Facebook Papers" detail how the social media site is still grabbing with misinformation around the COVID-19 vaccine and gaps in support for non-English-speaking users.
  • Frances Haugen, the former employee who provided the documents to journalists, also testified before British parliament this week. She detailed how Facebook's algorithm prioritizes engagement, which can sometimes lead to the promotion of fake news articles.
  • Security researchers from multiple countries teamed up to take down the REvil ransomware group last week. The group's major victims in the past include the Colonial Pipeline in the U.S. and meatpacker JBS.
  • A new first-hand account from a journalist details the dangers of the widespread Pegasus spyware. And even after searching for answers about an initial infection vector with the help of security researcher, the journalist is still left with many questions.
  • Tesco, one of the largest grocery store chains in the U.K., is still experiencing outages with its website and app after an attempted cyber attack. Users reported being unable to place orders online, a practice that's become increasingly popular during the COVID-19 pandemic.
  • Workers at Sinclair Broadcast Group are still reporting difficulties with returning to normal operations after a ransomware attack last week. The outage kept some stations from airing local NFL games Sunday, which is some of the most-watched programming anywhere on TV.
  • Many websites belonging to high-profile non-profit groups contain many ad trackers that monitor users' actions. This raises questions about who those organizations sell that data to, and how much they profit off it.
  • A Dutch government-backed forensics lab says it has decrypted Tesla's driving data storage system. This potentially opens the door for drivers to find out what their cars are tracking about them should they get into an accident.
  • The U.S.'s largest manufacturer of candy corn — a divisive Halloween staple — was hit with a ransomware attack over the weekend. The company says it is experiencing production disruptions as a result.

Notable recent security issues

Could SquirrelWaffle fill the spam void left behind by Emotet?

Recently, a new threat referred to as "SQUIRRELWAFFLE" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and could become the next big player in the spam space. SQUIRRELWAFFLE provides threat actors with an initial foothold onto systems and their network environments that can then be used to facilitate further compromise or additional malware infections depending on how adversaries choose to attempt to monetize their access. In many cases, these infections are also being used to deliver and infect systems with other malware like Qakbot and the penetration-testing tool Cobalt Strike. Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future.

Snort SIDs: 58277 – 58281

ClamAV signatures: Doc.Downloader.SquirrelWaffle09210-9895192-0, Xls.Downloader.SquirrelWaffle20921-9895790-0, Xls.Downloader.SquirrelWaffle1021-9903731-0

Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India

A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41733) is being actively exploited in the wild. This vulnerability is a path traversal and file disclosure vulnerability that could allow an attacker to map URLs outside of the document root. It could also result in the exposure of the source of interpreted files like CGI scripts. The exploitation of this vulnerability is of very low complexity and poses a critical threat to all users of this open-source software. This vulnerability was introduced in a recent version of Apache (2.4.49). Users running older versions of Apache are not currently affected. The fix for CVE-2021-41733 in 2.4.50 was found to be insufficient, leading to a second, new vulnerability (CVE-2021-42013) that Apache is now reporting. As a result, version 2.4.51 was released to fully address the issue. Users are recommended to upgrade to 2.4.51 as soon as possible.

Snort SID: 58356 - 58361

Most prevalent malware files this week

SHA 256: 3993aa1a1cf9ba37316db59a6ef67b15ef0f49fcd79cf2420989b9e4a19ffc2a

MD5: 3c3046f640f7825c720849aaa809c963

Typical Filename: app.exe

Claimed Product: N/A

Detection Name: Auto.3993AA.242356.in02

SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212


Typical Filename:

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34

MD5: 3f75eb823cd1a73e4c89185fca77cb38

Typical Filename: signup.png

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::231945.in02

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

Typical Filename: SqlBase.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG

SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.