Sophos recently published research detailing an incident when the Squirrelwaffle malware loader was used in conjunction with the ProxyLogon and ProxyShell exploits to target an unpatched Microsoft Exchange server and
mass distribute Squirrelwaffle to internal and external recipients by inserting malicious replies onto employees’ existing email threads.
The researchers discovered that while the malicious spam campaign was being implemented, the same vulnerable server was used for a financial fraud attack with knowledge extracted from a stolen email thread and “typo-squatting” to convince an employee to redirect a legitimate customer transaction to the attackers. The fraud almost succeeded. The transfer of funds to the malicious recipient was authorized, but luckily a bank became suspicious and prevented the transaction from going through.
Matthew Everts, an analyst at Sophos Rapid Response and one of the researchers, said: “In a typical Squirrelwaffle attack leveraging a vulnerable Exchange server, the attack ends when defenders detect and remediate the breach by patching the vulnerabilities, removing the attacker’s ability to send emails through the server. However, in the incident investigated by Sophos Rapid Response, such remediation wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server. It is a good reminder that patching alone isn’t always enough protection. For example, in the case of vulnerable Exchange servers, you need to check that the attackers haven’t left behind a web shell to maintain access. When it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection.”
Alongside the new research, Sophos has published a Squirrelwaffle Incident Guide that provides step-by-step guidance on investigating, analyzing, and responding to incidents involving this increasingly popular malware loader, which is distributed as a malicious office document in spam campaigns and provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware.
The guide is part of a series of Incident Guides by the Sophos Rapid Response team to help incident responders and security operations teams identify and remediate widely seen threat tools, techniques, and behaviors.