Exploiting Microsoft Exchange ProxyLogon & ProxyShell vulnerabilities, attackers are mal-spamming replies in existing threads & slipping past malicious-email filters.
Attackers are zeroing in on the ProxyLogon & ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, mal-spamming replies into ongoing email threads, researchers say.
What’s still under discussion: whether the offensive is delivering Squirrel Waffle, the new email loader that showed up in Sept., or whether Squirrel Waffle is just 1 piece of malware among several that the campaigns are dropping.
Cisco Talos researchers first got wind of the Squirrel Waffle malspam campaigns in mid-Sept., when they saw ‘booby-trapped’ Microsoft Office documents delivering Qakbot malware & the penetration-testing tool Cobalt Strike – 2 of the most common threats regularly observed targeting organisations around the world.
The Office documents infected systems with Squirrel Waffle in the initial stage of the infection chain.
Squirrel Waffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent Emotet malware – typically spread via malicious emails or text messages – has been known to work.
Under People’s Noses
In a report posted on Fri., Trend Micro researchers Mohamed Fahmy, Sherif Magdy & Abdelrhman Sharshar stated that hijacking email replies for malspam is an effective way to slip past both people’s spam suspicions & the flagging or quarantining done by email gateways.
“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails,” they wrote.
The attacker also didn’t drop, or use, tools for lateral movement after gaining access to the vulnerable Exchange servers, Trend Micro explained.
Thus, they left no tracks, as “no suspicious network activities will be detected. Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.”
Middle East Campaign
Trend Micro’s Incident Response team had decided to look into what researchers believe are Squirrel Waffle-related intrusions in the Middle East, to work out whether the attacks involved the notorious Exchange server vulnerabilities.
They shared a screen capture representative of the malicious email replies that showed up in all of the user inboxes of 1 affected network: all sent as legitimate-looking replies to existing threads, all written in English.
Other languages were used in some regions outside the Middle East, but even in the intrusions analysed outside the Middle East, most of the malicious emails were written in English, according to the report.
“With this, the attackers would be able to hijack legitimate email chains and send their malicious spam as replies to the said chains,” the researchers wrote.
Who’s Behind This?
Cryptolaemus researcher The Analyst disagreed with Trend Micro’s belief that Squirrel Waffle is acting as a malware ‘dropper’ for Qbot or other malware. Rather, The Analyst asserted on Fri. that the threat actor is releasing both Squirrel Waffle & Qbot as discrete payloads, & that the most recent confirmed Squirrel Waffle drop they had seen was on Oct. 26.
it makes it easy for us who track them to identify them. A TTP they always come back to is links to maldocs in stolen reply chains. They are known to deliver a multitude of malware like #QakBot #Gozi #IcedID #CobaltStrike and maybe others. >
— TheAnalyst (@ffforward) November 19, 2021
Easy to Track
As for who’s behind the activity, The Analyst said the actor is tracked as tr01/TR (its QakBot affiliate ID), as TA577 by Proofpoint, & as ChaserLdr by Cryptolaemus, & that the activity goes back to at least 2020. The actor is easy to track, The Analyst observed, because it makes only small ‘tweaks’ to its tactics, techniques & procedures (TTPs).
One TTP that tr01 keeps returning to is placing links to malicious documents inside stolen reply chains, The Analyst noted. The actor is known to deliver “a multitude of malware,” they explained, such as QakBot, Gozi, IcedID, Cobalt Strike & potentially more.
‘Open Me’ Excel Attachment Trick
The malicious emails carried links (aayomsolutions[.]co[.]in/etiste/quasnam-4966787 & aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) that dropped a .ZIP file containing a malicious Microsoft Excel sheet that downloads & executes a malicious DLL related to the Qbot banking trojan.
What’s particularly notable, Trend Micro observed, is that real account names from the victim’s domain were used as sender & recipient, “which raises the chance that a recipient will click the link & open the malicious Microsoft Excel spreadsheets,” according to the report.
The Excel attachment does what malicious Excel documents typically do: it prompts targets to choose “Enable Content” to view a supposedly protected file, which is what lets the embedded macro code run.
The Exchange Tell-Tales
The researchers believe that the actors are pulling it off by targeting users who are relying on Microsoft Exchange servers that haven’t yet been patched for the notorious, oft-picked-apart ProxyLogon & ProxyShell vulnerabilities.
Trend Micro found evidence in the IIS logs of 3 compromised Exchange servers, each compromised in a separate intrusion, that all had been exploited via CVE-2021-26855 (ProxyLogon) & CVE-2021-34473 and CVE-2021-34523 (ProxyShell), according to Trend Micro.
The IIS logs also showed that the threat actor is using a publicly available exploit in its attack. “This exploit gives a threat actor the ability to get users’ SIDs & emails,” the researchers explained. “They can even search for & download a target’s emails.”
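The IIS log evidence described above is the kind of thing a responder would want to hunt for across every Exchange front end. As an added example (not Trend Micro’s tooling and not code from the report), the following Python script parses IIS W3C logs and flags the request patterns that public write-ups associate with ProxyShell’s Autodiscover path confusion (a query beginning with `@host/` that reaches `/mapi/nspi` or `/powershell`, often carrying `X-Rps-CAT=`) and ProxyLogon’s unauthenticated hits on ECP/OWA backend paths. The log lines are constructed for illustration; the stems and query fragments are assumptions drawn from published indicators, so treat the output as triage leads to confirm against the server, not as proof of compromise.

```python
"""
Heuristic scan of IIS W3C logs for ProxyLogon / ProxyShell exploitation traces.
Added example only; the sample log below is constructed, not real evidence.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple
from urllib.parse import unquote


@dataclass
class Hit:
    line_no: int
    rule: str
    client_ip: str
    method: str
    uri: str
    status: str


# ProxyShell (CVE-2021-34473): the Autodiscover front end forwards a request whose
# query starts with "@host/<backend path>". Public write-ups document the
# /mapi/nspi leg (used to fetch a mailbox SID) and the /powershell leg
# (which carries the X-Rps-CAT token). Patterns are assumptions from those write-ups.
PROXYSHELL_STEM = re.compile(r"/autodiscover/autodiscover\.json", re.I)
PROXYSHELL_QUERY = re.compile(r"@[^/]+/(?:mapi/nspi|powershell|ews)", re.I)
PROXYSHELL_TOKEN = re.compile(r"X-Rps-CAT=|Email=autodiscover/autodiscover\.json", re.I)

# ProxyLogon (CVE-2021-26855 SSRF): backend ECP/OWA paths reached with no
# authenticated user (cs-username "-"). Stems below are from published IOC lists.
PROXYLOGON_ECP_STEMS = (
    "/ecp/ddi/ddiservice.svc/setobject",
    "/ecp/ddi/ddiservice.svc/getobject",
    "/ecp/proxylogon.ecp",
)
PROXYLOGON_OWA_THEMES = "/owa/auth/current/themes/resources/"
PROXYLOGON_SHORT_JS = re.compile(r"^/ecp/[a-z]{1,2}\.js$", re.I)


def parse_iis(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for each data line of a W3C log.

    The '#Fields:' directive defines the column layout; IIS replaces spaces
    inside field values with '+', so splitting on a single space is safe.
    """
    fields: Optional[List[str]] = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield n, dict(zip(fields, parts))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return 'proxyshell', 'proxylogon' or None for one log record."""
    stem = rec.get("cs-uri-stem", "")
    query = unquote(rec.get("cs-uri-query", "-"))  # decode %3f etc. before matching
    user = rec.get("cs-username", "-")
    method = rec.get("cs-method", "").upper()
    low = stem.lower()
    if PROXYSHELL_STEM.search(stem) and "@" in query and (
        PROXYSHELL_QUERY.search(query) or PROXYSHELL_TOKEN.search(query)
    ):
        return "proxyshell"
    if user == "-":
        if any(low.startswith(s) for s in PROXYLOGON_ECP_STEMS) or PROXYLOGON_SHORT_JS.match(stem):
            return "proxylogon"
        if low.startswith(PROXYLOGON_OWA_THEMES) and method == "POST":
            return "proxylogon"
    return None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, rec in parse_iis(lines):
        rule = classify(rec)
        if rule:
            uri = rec.get("cs-uri-stem", "")
            if rec.get("cs-uri-query", "-") != "-":
                uri += "?" + rec["cs-uri-query"]
            hits.append(Hit(n, rule, rec.get("c-ip", "?"), rec.get("cs-method", "?"), uri, rec.get("sc-status", "?")))
    return hits


def suspicious_ips(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Group hits by source address; one IP touching both chains is a strong lead."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h.client_ip, set()).add(h.rule)
    return out


# Constructed sample log (hostnames and addresses are documentation/test values).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-10 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.20 Mozilla/5.0 200
2021-11-10 09:12:07 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 203.0.113.9 python-requests/2.25.1 200
2021-11-10 09:12:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3f@evil.test 443 - 203.0.113.9 python-requests/2.25.1 200
2021-11-10 09:15:30 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=abc 443 - 203.0.113.9 python-requests/2.25.1 200
2021-11-10 09:16:02 10.0.0.5 GET /owa/ - 443 CORP\\alice 198.51.100.21 Mozilla/5.0 200
2021-11-10 09:16:02 10.0.0.5 GET /ecp/y.js - 443 - 203.0.113.9 python-requests/2.25.1 200
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.rule:10s} {h.client_ip} {h.method} {h.uri} -> {h.status}")
    print("by source:", suspicious_ips(found))
```

Point `scan_log` at the real `u_ex*.log` files under the Exchange front end’s `inetpub\logs\LogFiles` directory (reading each with `open(path, errors="replace")`) and review every flagged source address; a legitimate OWA logon page also loads `/owa/auth/Current/themes/resources/` anonymously, which is why the script only flags POSTs there.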
Those who’ve applied the May or July updates are protected from all of these. Microsoft has reiterated that those who’ve applied the ProxyLogon patch released in March aren’t protected from ProxyShell vulnerabilities & should install the more recent security updates.
Resist ProxyLogon/ProxyShell Attacks
Exploiting ProxyLogon & ProxyShell enabled the attackers to avoid checks for malicious email, which “highlights how users play an important part in the success or failure of an attack,” Trend Micro observed. These campaigns “should make users wary of the different tactics used to mask malicious emails & files,” the researchers wrote.
In other words, just because email comes from a trusted contact is no guarantee that any attachment or link it contains can be trusted, they outlined.
Patching is the no.1 way to stay safe, but Trend Micro gave these additional tips if that’s not possible:
- Enable virtual patching modules on all Exchange servers to provide critical level protection for servers that have not yet been patched for these vulnerabilities.
- Use endpoint detection & response (EDR) solutions on critical servers, as they provide visibility into machine internals & detect suspicious behaviour running on those servers.
- Use endpoint protection designed for servers.
- Apply sandbox technology on email, network & web to detect similar URLs and samples.