Researchers observed evidence of exploitation of CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 in the IIS logs of three Exchange servers compromised in separate intrusions.
These are the same CVEs used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions.
From the IIS log analysis, analysts determined that the threat actor used a publicly available exploit in its attacks.
This exploit gives a threat actor the ability to obtain users' SIDs and email addresses, and even to search for and download a target's emails.
The ProxyShell path-confusion vulnerability (CVE-2021-34473) abuses the URL normalization of the Explicit Logon URL: the front end removes the logon email address from the URL when that address ends with the suffix autodiscover/autodiscover.json.
This grants an arbitrary backend URL the same access as the Exchange machine account (NT AUTHORITY\SYSTEM).
Exchange has a PowerShell remoting feature that can be used to read and send emails.
It cannot be used by NT AUTHORITY\SYSTEM directly, as that account has no mailbox. However, when the backend /PowerShell endpoint is reached through the previous vulnerability, it can be supplied with an X-Rps-CAT query string parameter.
The backend /PowerShell endpoint deserializes this parameter and uses it to restore the user identity (CVE-2021-34523).
It can therefore be used to impersonate a local administrator and run PowerShell commands.
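As an added example (not code from the original article or from the researchers), the following Python scanner applies the IIS-log indicators of the exploit chain just described: an /autodiscover/autodiscover.json request whose query begins with @ and names autodiscover/autodiscover.json as the Email (the Explicit Logon path confusion), an X-Rps-CAT token in such a request aimed at the backend /PowerShell endpoint, and the X-BEResource / X-AnonResource-Backend cookies used by ProxyLogon. The cookie check only works when cs(Cookie) logging is enabled, which IIS does not do by default. The log lines, host names, IP addresses and cookie value are constructed for this example.

```python
"""Scan IIS W3C logs for ProxyLogon / ProxyShell request patterns."""
import re
from urllib.parse import unquote

# Constructed sample log (not a real capture). The #Fields line drives the
# parser, so the same code works for any IIS field selection that includes
# cs-uri-stem and cs-uri-query; cs(Cookie) is an optional, non-default field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Cookie) sc-status
2021-09-01 10:00:01 GET /owa/ - - 10.0.0.5 - 200
2021-09-01 10:00:02 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example - 198.51.100.7 - 200
2021-09-01 10:00:03 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.example - 198.51.100.7 - 200
2021-09-01 10:00:04 POST /ecp/y.js - - 198.51.100.7 X-BEResource=exch01/EWS/Exchange.asmx?a=~1942062522; 200
2021-09-01 10:00:05 GET /ecp/default.aspx - corp\\admin 10.0.0.9 - 200
"""


def parse_iis(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real tool would report it
        # IIS writes "-" for an empty field
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


# "@host/backend/path?..." : the part after the host is what the front end
# forwards to the backend once the explicit-logon address has been stripped.
EXPLICIT_LOGON = re.compile(r"^@[^/]+(/[^?]*)")


def backend_path(query):
    """Return the backend path an explicit-logon query would normalize to."""
    m = EXPLICIT_LOGON.match(query)
    return m.group(1) if m else None


def classify(rec):
    """Return the list of CVE identifiers whose known request pattern matches."""
    cves = []
    stem = rec.get("cs-uri-stem", "").lower()
    query = unquote(rec.get("cs-uri-query", "")).lower()
    cookie = rec.get("cs(Cookie)", "").lower()
    if (stem == "/autodiscover/autodiscover.json" and query.startswith("@")
            and "email=autodiscover/autodiscover.json" in query):
        cves.append("CVE-2021-34473")          # explicit-logon path confusion
        if "x-rps-cat=" in query:
            cves.append("CVE-2021-34523")      # identity token to backend /powershell
    if "x-beresource=" in cookie or "x-anonresource-backend=" in cookie:
        cves.append("CVE-2021-26855")          # ProxyLogon SSRF cookies
    return cves


def scan(text):
    """Return one finding per log line that matches at least one pattern."""
    findings = []
    for rec in parse_iis(text):
        cves = classify(rec)
        if cves:
            findings.append({
                "time": f'{rec.get("date", "")} {rec.get("time", "")}',
                "client": rec.get("c-ip", ""),
                "stem": rec.get("cs-uri-stem", ""),
                "backend": backend_path(unquote(rec.get("cs-uri-query", ""))),
                "cves": cves,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The second and third sample lines show why the path confusion matters: the same /autodiscover/autodiscover.json stem normalizes to /mapi/nspi/ in one request and to /powershell/ in the other, so grouping findings by the derived backend path rather than by the logged stem is what separates the SID/email harvesting stage from the PowerShell impersonation stage.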
With this access, the attackers can hijack legitimate email chains and send their malicious spam as replies to those chains.
In one of the observed intrusions, every internal user in the affected network received the spam, which was sent as apparently legitimate replies to existing email threads.
All of the emails observed in this spam campaign in the Middle East were written in English.
Other languages were used in other regions, but most of the emails were still written in English.
More notably, real account names from the victim's domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheet.
In the same intrusion, the teams analyzed the headers of the received malicious emails: the mail path was entirely internal (between the mailboxes on the three internal Exchange servers), indicating that the emails did not originate from an external sender, an open mail relay, or any other message transfer agent (MTA).
Delivering the malicious spam to all internal domain users in this way lowers the chance that the attack is detected or stopped, because the mail gateways never see these internal emails and so cannot filter or quarantine them.
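The header walk described above, as an added example that is not part of the original article: the script parses the Received: headers of a message, reconstructs the hop chain oldest-first, and reports whether every hop stayed on the internal Exchange servers. Server names, addresses and both sample messages are constructed for the example; the internal server set is an assumption standing in for the three servers in the intrusion.

```python
"""Walk Received: headers to decide whether a reply ever left the internal
Exchange servers, as in the header analysis of the hijacked threads."""
import re
from email import message_from_string

# Assumed names for the three internal Exchange servers (constructed).
INTERNAL_EXCHANGE = {"exch01.corp.example", "exch02.corp.example", "exch03.corp.example"}

# Constructed sample: a reply injected on exch03 and relayed only between
# internal servers. Not a real capture.
INTERNAL_REPLY = """\
Received: from exch02.corp.example (10.0.0.12) by exch01.corp.example (10.0.0.11)
 with Microsoft SMTP Server (TLS); Wed, 1 Sep 2021 10:05:00 +0000
Received: from exch03.corp.example (10.0.0.13) by exch02.corp.example (10.0.0.12)
 with Microsoft SMTP Server (TLS); Wed, 1 Sep 2021 10:04:58 +0000
From: Alice <alice@corp.example>
To: Bob <bob@corp.example>
Subject: RE: Q3 invoice
In-Reply-To: <thread-1@corp.example>
References: <thread-1@corp.example>
Message-ID: <reply-9@exch03.corp.example>

Please see: hxxp://example.invalid/doc
"""

# Constructed sample: a reply in the same thread that genuinely came from outside.
EXTERNAL_REPLY = """\
Received: from mail.partner.example (203.0.113.5) by exch01.corp.example (10.0.0.11)
 with Microsoft SMTP Server (TLS); Wed, 1 Sep 2021 10:05:00 +0000
From: Carol <carol@partner.example>
To: Bob <bob@corp.example>
Subject: RE: Q3 invoice
In-Reply-To: <thread-1@corp.example>

Thanks, received.
"""

FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def hops(raw):
    """Return (from_host, by_host) pairs in delivery order, oldest hop first.

    Received: headers are prepended by each hop, so the top one is the newest.
    A line with no 'from' clause means the message was injected locally on the
    'by' host (for example via a mailbox API), so that host is the source too.
    """
    msg = message_from_string(raw)
    chain = []
    for rcvd in msg.get_all("Received") or []:
        by = BY_RE.search(rcvd)
        frm = FROM_RE.search(rcvd)
        by_host = by.group(1).lower() if by else ""
        from_host = frm.group(1).lower() if frm else by_host
        chain.append((from_host, by_host))
    return list(reversed(chain))


def analyze_path(raw, internal):
    """Summarize where the message entered the mail system and whether it stayed inside."""
    path = hops(raw)
    msg = message_from_string(raw)
    return {
        "hops": path,
        "origin": path[0][0] if path else "",
        "internal_only": bool(path) and all(f in internal and b in internal for f, b in path),
        "thread_reply": msg.get("In-Reply-To") is not None,
    }


def verdict(raw, internal=INTERNAL_EXCHANGE):
    """A reply that never crossed a gateway could only have been created on the servers."""
    r = analyze_path(raw, internal)
    if r["internal_only"] and r["thread_reply"]:
        return "internal-origin reply: injected on " + r["origin"] + ", never seen by a gateway"
    return "external-origin: entered via " + r["origin"]


if __name__ == "__main__":
    print(verdict(INTERNAL_REPLY))
    print(verdict(EXTERNAL_REPLY))
```

A rule built on this distinction (reply to an existing thread, internal-only path, link to a domain never seen in the thread before) is one of the few signals left when, as in this intrusion, the gateway never saw the message and no malware ran on the servers.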
The attacker also did not drop or use lateral movement tools after gaining access to the vulnerable Exchange servers, so no suspicious network activity would be detected.
Additionally, no malware was executed on the Exchange servers that could trigger alerts before the malicious email spread across the environment.
The attacker exploited the Exchange servers only to deliver internal mail.
All of this was done to catch users off guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.
Both links used in the malicious emails (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) deliver a ZIP file to the machine.
In this case, the ZIP file contains a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to Qbot.
These sheets contain malicious Excel 4.0 macros that are responsible for downloading and executing the DLL.