Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains

Researchers observed evidence of exploitation of CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 in the IIS logs on three Exchange servers that were compromised in different intrusions.
These are the same CVEs used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions.
From analysis of the IIS logs, analysts saw that the threat actor used a publicly available exploit in its attack.
This exploit gives a threat actor the ability to obtain users' SIDs and emails; it can even search for and download a target's emails.

The ProxyShell vulnerability abuses the URL normalization of the explicit Logon URL: the logon email is removed from the URL if the suffix is autodiscover/autodiscover.json.
This grants an arbitrary backend URL the same access as the Exchange machine account (NT AUTHORITY\SYSTEM).

Exchange has a PowerShell remoting feature that can be used to read and send emails.
It can't be used by NT AUTHORITY\SYSTEM directly, as that account has no mailbox. However, when the backend /PowerShell endpoint is reached directly via the previous vulnerability, it can be supplied with an X-Rps-CAT query string parameter.
The backend /PowerShell endpoint deserializes this value and uses it to restore the user identity.
It can therefore be used to impersonate a local administrator to run PowerShell commands.
With this, the attackers are able to hijack legitimate email chains and send their malicious spam as replies to those chains.
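The IIS log evidence mentioned above can be hunted for mechanically. The following is an added example (not code from the original report) that parses W3C-format IIS log records and flags the two request shapes the text describes: an autodiscover.json request whose query string repeats the autodiscover/autodiscover.json suffix, and a request to the backend /PowerShell endpoint carrying an X-Rps-CAT parameter. The log lines are constructed for the example, the field layout is an assumed (common) IIS configuration, and the X-Rps-CAT value is a placeholder, not a real token.

```python
"""Flag ProxyShell-style request patterns in W3C extended IIS logs (defensive triage example)."""
from collections import defaultdict

# Constructed sample log (not real data). Column layout is assumed; the
# "#Fields:" directive is what the parser actually trusts.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-14 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.77 Mozilla/5.0 200
2021-09-14 08:01:30 10.0.0.5 POST /autodiscover/autodiscover.json Email=alice%40corp.example 443 - 10.0.0.12 Outlook/16.0 200
2021-09-14 08:02:10 10.0.0.5 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json 443 - 203.0.113.9 python-requests/2.25 200
2021-09-14 08:02:11 10.0.0.5 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json 443 - 203.0.113.9 python-requests/2.25 200
2021-09-14 08:02:30 10.0.0.5 POST /powershell X-Rps-CAT=PLACEHOLDER_NOT_A_REAL_TOKEN 443 - 203.0.113.9 python-requests/2.25 200
2021-09-14 08:03:00 10.0.0.5 GET /ews/exchange.asmx - 443 alice@corp.example 10.0.0.12 Outlook/16.0 200
"""

FIELDS_PREFIX = "#Fields: "
AUTODISCOVER_JSON = "autodiscover/autodiscover.json"


def parse_iis_w3c(text):
    """Yield one dict per record; column names come from the #Fields directive."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(FIELDS_PREFIX):
            fields = raw[len(FIELDS_PREFIX):].split()
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["_lineno"] = lineno
        yield rec


def classify(rec):
    """Return the indicator tags that a single record matches (possibly none)."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    hits = []
    # Suffix trick from the report: autodiscover.json requested with the same
    # suffix repeated in the query string. Normal Outlook autodiscover traffic
    # (see the benign sample line) carries the user's address instead.
    if stem.endswith(AUTODISCOVER_JSON) and AUTODISCOVER_JSON in query:
        hits.append("proxyshell_autodiscover_suffix")
    # Backend PowerShell endpoint reached with an X-Rps-CAT identity blob.
    if "/powershell" in stem and "x-rps-cat" in query:
        hits.append("proxyshell_x_rps_cat")
    return hits


def scan(text):
    """Return (line number, indicator, client IP) for every suspicious record."""
    findings = []
    for rec in parse_iis_w3c(text):
        for tag in classify(rec):
            findings.append((rec["_lineno"], tag, rec.get("c-ip", "?")))
    return findings


def by_client(findings):
    """Group indicators per client IP; a client hitting both stages is the strongest signal."""
    grouped = defaultdict(set)
    for _, tag, ip in findings:
        grouped[ip].add(tag)
    return {ip: sorted(tags) for ip, tags in grouped.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_IIS_LOG)
    for lineno, tag, ip in hits:
        print(f"line {lineno}: {tag} from {ip}")
    print(by_client(hits))
```

The two-stage grouping matters: a single autodiscover.json oddity can be noise from a misconfigured client, but one external address producing both the autodiscover suffix pattern and a /PowerShell request with X-Rps-CAT within minutes matches the chain the report describes and should be escalated.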

In one of the observed intrusions, all the internal users in the affected network received emails, where the spam emails had been sent as legitimate-looking replies to existing email threads.
All of the observed emails in this spam campaign in the Middle East were written in English.
While other languages were used in different regions, most were written in English.
More notably, real account names from the victim's domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets.

In the same intrusion, the teams analyzed the headers of the received malicious emails: the mail path was internal (between the mailboxes on the three internal Exchange servers), indicating that the emails did not originate from an external sender, an open mail relay, or any message transfer agent (MTA).
Delivering the malicious spam with this technique to reach all the internal domain users decreases the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails.
The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so no suspicious network activity would be detected.
Additionally, no malware was executed on the Exchange servers that would trigger alerts before the malicious email was spread across the environment.
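The header analysis described above can be reduced to a repeatable check. The following is an added example (not code from the original report) that walks the Received: chain of a message and tests the combination the report found: every hop is between known internal Exchange hosts, the message is a reply (In-Reply-To present), and both sender and recipient are in the victim domain. The message, the domain corp.example and the host list are constructed placeholders for the example.

```python
"""Identify internally-routed reply-chain messages from mail headers (defensive triage example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed environment (placeholders): the victim domain and its Exchange servers.
INTERNAL_DOMAIN = "corp.example"
INTERNAL_MTAS = {"exch01.corp.example", "exch02.corp.example", "exch03.corp.example"}

# Constructed message, not from the incident: a reply on an existing thread whose
# Received chain never leaves the internal Exchange servers.
SAMPLE_INTERNAL_REPLY = """\
Received: from exch02.corp.example (10.0.0.6) by exch01.corp.example (10.0.0.5) with Microsoft SMTP Server id 15.1.2308.8; Tue, 14 Sep 2021 08:05:12 +0000
Received: from exch03.corp.example (10.0.0.7) by exch02.corp.example (10.0.0.6) with Microsoft SMTP Server id 15.1.2308.8; Tue, 14 Sep 2021 08:05:11 +0000
From: Alice Example <alice@corp.example>
To: Bob Example <bob@corp.example>
Subject: RE: Q3 invoice follow-up
In-Reply-To: <original-thread-id@corp.example>
References: <original-thread-id@corp.example>
Message-ID: <injected-reply@corp.example>
Date: Tue, 14 Sep 2021 08:05:10 +0000
Content-Type: text/plain

Please see the attached invoice.
"""

# Constructed contrast case: same headers, but the first hop comes from outside.
SAMPLE_EXTERNAL = SAMPLE_INTERNAL_REPLY.replace(
    "from exch03.corp.example (10.0.0.7)", "from mail.external.example (203.0.113.50)"
)

# "from <host> ... by <host>" inside one Received header value.
HOP_RE = re.compile(r"from\s+([^\s(;]+).*?\bby\s+([^\s(;]+)", re.IGNORECASE | re.DOTALL)


def received_hops(msg):
    """Return (from_host, by_host) pairs, most recent hop first, as Received headers are ordered."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def domain_of(header_value):
    """Extract the domain part of an address header, or '' if it has none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw):
    """Evaluate one raw message against the internally-routed reply-chain pattern."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    hosts = {host for hop in hops for host in hop}
    result = {
        "hops": hops,
        "internal_only_path": bool(hops) and hosts <= INTERNAL_MTAS,
        "is_reply": msg.get("In-Reply-To") is not None,
        "sender_internal": domain_of(msg.get("From")) == INTERNAL_DOMAIN,
        "recipient_internal": domain_of(msg.get("To")) == INTERNAL_DOMAIN,
    }
    result["matches_pattern"] = all(
        result[k] for k in ("internal_only_path", "is_reply", "sender_internal", "recipient_internal")
    )
    return result


if __name__ == "__main__":
    for label, raw in (("internal reply", SAMPLE_INTERNAL_REPLY), ("external", SAMPLE_EXTERNAL)):
        print(label, assess(raw))
```

A match is not proof on its own, since ordinary internal replies look identical; the value of the check is in correlating its hits (mass internal replies carrying archive links, sent in a short window) with the IIS log evidence on the Exchange servers, because, as the report notes, the mail gateways see none of this traffic.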

The attacker exploited the Exchange servers to deliver internal mails.
This was all done to catch users off-guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.

Both links used in the malicious emails (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) drop a ZIP file on the machine.
The ZIP file contains, in this case, a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to Qbot.
These sheets contain malicious Excel 4.0 macros that are responsible for downloading and executing the malicious DLL.
