Search This Blog

Powered by Blogger.

Blog Archive

Labels

SquirrelWaffle Adds a Spin of Fraud to Exchange Server Malspamming

SquirrelWaffle attackers now use typosquatting to keep sending spam, even after Exchange servers are patched for ProxyLogon/ProxyShell.

 

Squirrelwaffle, ProxyLogon, and ProxyShell are being utilized against Microsoft Exchange Servers to conduct financial fraud via email hijacking. Sophos researchers revealed that a Microsoft Exchange Server that had not been fixed to safeguard it against a set of serious vulnerabilities identified last year was used to hijack email threads and disseminate malspam. 

On March 2, 2021, Microsoft released emergency updates to address zero-day vulnerabilities that could be exploited to take over servers. At the time, Hafnium, an advanced persistent threat (APT) group, was constantly exploiting the bugs, and other APTs swiftly followed suit. Despite the fact that the ProxyLogon/ProxyShell flaws are now widely known, some servers remain unpatched and vulnerable to assaults. 

Sophos has described an instance that combined Microsoft Exchange Server vulnerabilities with Squirrelwaffle, a malware loader that was first discovered in malicious spam operations last year. Malicious Microsoft Office documents or DocuSign content tacked on to phishing emails are frequently used to spread the loader. Squirrelwaffle is frequently used to fetch and execute CobaltStrike beacons via a VBS script if an intended victim has permitted macros in the compromised documents. 

According to Sophos, the loader was used in the recent campaign once the Microsoft Exchange Server had been compromised. By hijacking existing email threads between employees, the server of an undisclosed organisation was utilised to "mass distribute" Squirrelwaffle to internal and external email addresses. 

Email Hijacking can take a variety of forms. Social engineering and impersonation, such as an attacker posing as an executive to dupe accounting departments into signing off on a fraudulent transaction, or sending email blasts with links to malware payloads, can disrupt communication channels. The spam campaign was utilized to disseminate Squirrelwaffle in this example, but attackers also extracted an email thread and used the internal knowledge contained within to execute financial fraud. Customer information was obtained, and a victim organization was chosen. The attackers generated email accounts using a domain to reply to the email thread outside of the server, using a technique known as typo-squatting to register a domain with a name that was very similar to the victim. 

Sophos explained, "To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department. In fact, the additional addresses were also created by the attacker under the typo-squatted domain." 

The attackers attempted for six days to divert a legitimate financial transaction to a bank account they owned. The money was about to be processed, and the victim escaped the attack only because a bank involved in the transaction realized the transfer was most likely fake. 

Matthew Everts, Sophos researcher commented, "This is a good reminder that patching alone isn't always enough for protection. In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven't left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection."
Share it:

Cyber Fraud

Email Hijacking

Exploits

Fraudsters

malspam

Microsoft Exchange Server

Spam

spammers

Vulnerabilities