Hackers hijack Email Chains for sending Malicious Spam replies

There is a new malware loader spreading through spam campaigns, dubbed Squirrelwaffle, that sends its malicious emails as replies to already existing email chains, a tactic that lures a victim into trusting the malicious spam.

According to researchers at Trend Micro, Squirrelwaffle is able to pull this off using a chain of ProxyLogon and ProxyShell exploits, vulnerabilities in Microsoft Exchange Server that were patched earlier this May.

The vulnerabilities let an attacker bypass ACL controls and gain elevated privileges on the Exchange PowerShell backend, which in turn permits remote code execution.

How do hackers exploit the ProxyLogon and ProxyShell vulnerabilities in spam campaigns?

The server-side request forgery (SSRF) vulnerability gives an attacker access when they send a maliciously crafted web request to an Exchange Server; the request contains an XML payload aimed at the Exchange Web Services (EWS) API endpoint.

This exploit lets an attacker obtain users' SIDs and email addresses and bypass authentication with specially crafted cookies, which allows an unauthenticated threat actor to execute the EWS requests encoded in the XML payload and ultimately perform operations on victims' mailboxes.

In one intrusion observed by the Trend Micro team, all users in the affected network received spam emails that had been sent as seemingly legitimate replies to existing email threads. The emails were written in English even though this campaign targeted the Middle East; other languages were used for other regions, but most emails were in English.

Interestingly, real account names from the victim's domain were used as both sender and recipient, which increases the likelihood that a recipient will click the link and open the malicious files.

How to mitigate against a Squirrelwaffle attack

Squirrelwaffle campaigns again illustrate the tactics hackers use to lure victims into opening malicious emails and files. They also show that an email from a trusted contact is not by itself a sufficient indicator that the link or file it contains is safe.

Therefore, it is important to ensure that the released patches for the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) have been applied; Microsoft also recommends that users install the more recent (May or July) security updates.