Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains

Researchers observed evidence of exploitation of the vulnerabilities CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 in the IIS logs on three Exchange servers that were compromised in different intrusions.
The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions.
From analysis of the IIS logs, analysts saw that the threat actor used a publicly available exploit in its attack.
This exploit gives a threat actor the ability to obtain users' SIDs and email addresses. They can even search for and download a target's emails.

The ProxyShell vulnerability abuses the URL normalization of the explicit logon URL, wherein the logon email is removed from the URL if the suffix is autodiscover/autodiscover.json.
This grants an arbitrary backend URL the same access as the Exchange machine account (NT AUTHORITY\SYSTEM).

Exchange has a PowerShell remoting feature that can be used to read and send emails.
It can't be used by NT AUTHORITY\SYSTEM directly, as that account does not have a mailbox. However, when the backend /PowerShell endpoint is reached directly via the previous vulnerability, it can be supplied with an X-Rps-CAT query-string parameter.
The backend /PowerShell endpoint deserializes this parameter and uses it to restore the user identity.
It can therefore be used to impersonate a local administrator and run PowerShell commands.
With this, the attackers are able to hijack legitimate email chains and send their malicious spam as replies to those chains.
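As an added, defender-side example (not code from the original report), the following Python scans IIS W3C log lines for the two request patterns the text describes: an explicit-logon request to autodiscover.json whose query string carries an `@`, and a request whose query string contains X-Rps-CAT. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from typing import Iterator, NamedTuple

# Constructed IIS W3C sample (hypothetical hosts and addresses, not from the page).
# Field order follows the #Fields header; the two suspicious lines mimic the two
# stages described above: an explicit-logon autodiscover.json request and a request
# to the backend /powershell endpoint carrying an X-Rps-CAT parameter.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-20 10:01:02 10.0.0.5 GET /owa/ - 443 - 10.0.0.77 Mozilla/5.0 200
2021-11-20 10:01:05 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/mapi/nspi/ 443 - 203.0.113.9 python-requests/2.25 200
2021-11-20 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/?X-Rps-CAT=BASE64PLACEHOLDER 443 - 203.0.113.9 python-requests/2.25 200
2021-11-20 10:02:00 10.0.0.5 GET /ecp/default.aspx - 443 - 10.0.0.80 Mozilla/5.0 200
"""

class Hit(NamedTuple):
    time: str
    client_ip: str
    reason: str
    stem: str
    query: str

AUTODISCOVER_RE = re.compile(r"/autodiscover/autodiscover\.json$", re.I)
XRPSCAT_RE = re.compile(r"x-rps-cat", re.I)

def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS replaces spaces inside field values with '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_proxyshell_hits(text: str) -> list:
    """Return Hit records for log lines matching either ProxyShell request pattern."""
    hits = []
    for rec in parse_w3c(text):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        if XRPSCAT_RE.search(query):
            hits.append(Hit(rec["time"], rec["c-ip"], "X-Rps-CAT in query (backend PowerShell impersonation)", stem, query))
        elif AUTODISCOVER_RE.search(stem) and "@" in query:
            hits.append(Hit(rec["time"], rec["c-ip"], "explicit-logon autodiscover.json (path-confusion stage)", stem, query))
    return hits
```

Group hits by client IP and time window in practice; a single source issuing both patterns within seconds matches the sequence the report describes.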

In one of the observed intrusions, all the internal users in the affected network received emails, where the spam emails have been sent as legitimate replies to existing email threads.
All of the observed emails were written in English for this spam campaign in the Middle East.
While other languages were used in different regions, most were written in English.
More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets.

In the same intrusion, teams analyzed the headers of the received malicious emails. The mail path was internal (between the three internal Exchange servers' mailboxes), indicating that the emails did not originate from an external sender, an open mail relay, or any message transfer agent (MTA).
Delivering the malicious spam with this technique to reach all internal domain users decreases the chance of detecting or stopping the attack, since the mail gateways cannot filter or quarantine these internal emails.
The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so no suspicious network activity would be detected.
Additionally, no malware that would trigger alerts was executed on the Exchange servers before the malicious email was spread across the environment.

The attacker exploited the Exchange servers to deliver internal mails.
This was all done to catch users off-guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.

Both links used in the malicious emails (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) drop a ZIP file on the machine.
The ZIP file contains, in this case, a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to Qbot.
These sheets contain malicious Excel 4.0 macros that are responsible for downloading and executing the malicious DLL.
