Squirrelwaffle almost triumphs in Microsoft Exchange Server scam scheme

An organization nearly fell victim to an attack campaign that used Squirrelwaffle malware as well as ProxyLogon and Proxy Shell exploits to target a Microsoft Exchange server. Sophos researchers have looked into the attack and broken down the methods of the malicious actors who went after the anonymous victim organization.

Despite its funny name, Squirrelwaffle is a dangerous type of malware that is spread through spam campaigns. The attackers hijacked a thread and replied to messages with what appeared to be innocent attachments. Instead, they were documents that allowed macros to give control of a system to attackers.

A hijacked thread could be quite convincing. For example, a message can pretend to be from someone who was looped into a pre-existing thread to share more information. As part of the campaign investigated by Sophos, attackers used a typo-squatted domain that resembled the domain in which a thread began. This maneuver swung the wire to another less secure area.

In this specific attack, threat actors copied multiple email addresses to appear legitimate.

“This is very understandable, I will await your updates. The finance department is CC’d in this email and will provide updated bank details shortly,” the attackers’ first message said.

A subsequent email pressured the victim to make a payment.

Source: Sophos

The attack almost succeeded. According to Sophos, the anonymous organization transferred money to the attackers, but the payment was reported and stopped by a financial institution.

While fixing a Microsoft Exchange server is important, more is needed to secure an organization.

“It’s a good reminder that patches alone aren’t always enough for protection,” Sophos researcher Matthew Everts told ZDNet. “In the case of vulnerable Exchange servers, for example, you should also verify that attackers have not left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in the hacking of email threads, employees on what to watch out for and how to report it is critical for detection.”

The recently researched attack was an evolution of Squirrelwaffle’s previous attacks. In this case, the threat actors added the typo-squatting element to the campaign, which made it harder to defend against.

Comments are closed.