
Squirrelwaffle Phishing Campaign Using Vulnerabilities Like ProxyShell and ProxyLogon

Trend Micro’s analysis is the result of an investigation into a number of intrusions in the Middle East, which culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. The attacks, which were first publicly documented by Cisco Talos, are thought to have begun in mid-September 2021 through malware-laced Microsoft Office documents.

Researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar wrote in a report last week: “We believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits to pull this off.” “It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim’s guard against malicious activities.”

ProxyLogon and ProxyShell refer to a group of flaws in Microsoft Exchange Server that could allow a threat actor to escalate privileges and remotely execute arbitrary code, effectively granting control of the vulnerable machines. The ProxyLogon flaws were fixed in March, while the ProxyShell flaws were fixed in a series of updates released in May and July.

Recommended security practices to consider:

  • Enable virtual patching modules on all Exchange servers to provide critical-level protection for servers that have not yet been patched for these vulnerabilities.
  • Use endpoint detection and response (EDR) solutions on critical servers, because they provide visibility into machine internals and detect suspicious behaviour on servers.
  • Use an endpoint protection design for servers.
  • Use sandbox technology on email, network, and web traffic to detect similar URLs and samples.

Trend Micro discovered the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three Exchange servers compromised in separate intrusions, with the access used to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients will open the emails.

The development represents a new escalation in phishing campaigns in which a threat actor has breached corporate Microsoft Exchange email servers in order to gain unauthorised access to internal mail systems and distribute malicious emails in an effort to infect users with malware.

Finally, the researchers concluded that “SQUIRRELWAFFLE campaigns should make users cautious of the various tactics used to mask malicious emails and files.” “Emails from trusted contacts may not be a sufficient indicator that the link or file included in the email is safe.”

Indicators of Compromise


Host Indicators

C:\Datop\

C:\Datop\test.test

C:\Datop\test1.test

C:\Datop\test2.test

C:\Datop\good.good

C:\Datop\good1.good

C:\Datop\good2.good

%windir%\system32\Tasks\aocrimn

Scheduled task: aocrimn /tr regsvr32.exe -s "%WorkingDir%\test.test.dll" /SC ONCE /Z /ST 06:25 /ET
