Trend Micro's analysis is the result of an investigation into a number of intrusions in the Middle East, which culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. The attacks, which were first publicly documented by Cisco Talos, are thought to have begun in mid-September 2021 and were delivered through weaponised Microsoft Office documents.
Researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar wrote in a report last week: "We believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits to pull this off." Of SQUIRRELWAFFLE itself, they noted that "it is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities".
ProxyLogon and ProxyShell refer to two groups of flaws in on-premises Microsoft Exchange Server that, when chained, allow an unauthenticated attacker to bypass authentication, escalate privileges and remotely execute arbitrary code, effectively granting control of the vulnerable server. The ProxyLogon flaws were fixed in March 2021; the ProxyShell flaws were addressed by the April and May 2021 security updates, although Microsoft did not publish CVE identifiers for two of them until July.
Recommended security practices to consider:
- Enable virtual patching (IPS) modules on all Exchange servers to shield servers that have not yet been patched for these vulnerabilities.
- Deploy endpoint detection and response (EDR) on critical servers: it provides visibility into machine internals and surfaces suspicious behaviour such as unexpected child processes of IIS worker processes.
- Use a server-focused endpoint protection solution rather than relying on perimeter controls alone.
- Use sandbox technology at the email, network and web layers so that URLs and samples similar to those seen in this campaign are detonated and detected before they reach users.
Trend Micro discovered the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three Exchange servers compromised in separate intrusions, with the access used to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients will open the emails.
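One practical check for the exploitation described above is to look at the Exchange front-end IIS logs for the request shapes the two exploit chains leave behind: the ProxyShell path-confusion request to `/autodiscover/autodiscover.json` whose query string begins with `@host/` and names a backend such as `/mapi/nspi` or `/powershell`, and the ProxyLogon SSRF request that carries its backend target in an `X-BEResource` or `X-AnonResource-Backend` cookie. The scanner below is an added example, not code from the article or from Trend Micro. The log lines are constructed for illustration, and the script assumes W3C extended logging with the optional `cs(Cookie)` field enabled (IIS does not log cookies by default):

```python
"""Scan Exchange front-end IIS logs (W3C extended format) for request shapes
associated with the ProxyLogon (CVE-2021-26855) and ProxyShell
(CVE-2021-34473 / CVE-2021-34523) exploit chains."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample log: illustrative only, not data from the article or from
# Trend Micro. IIS replaces spaces inside a field with '+'; cs(Cookie) logging
# is assumed to be enabled.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Cookie) sc-status
2021-09-15 06:20:01 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 203.0.113.10 python-requests/2.26.0 - 200
2021-09-15 06:20:03 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 203.0.113.10 python-requests/2.26.0 - 200
2021-09-15 06:21:10 POST /owa/auth/x.js - 203.0.113.10 Mozilla/5.0 X-BEResource=Administrator@EXCH01:444/ecp/proxyLogon.ecp?a=~1;X-AnonResource=true 200
2021-09-15 06:22:00 GET /autodiscover/autodiscover.json Email=alice@example.com&Protocol=ActiveSync 198.51.100.7 Outlook-iOS/2.0 - 200
2021-09-15 06:23:00 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0) - 200
"""

PROXYSHELL_PATH = "/autodiscover/autodiscover.json"
# Path confusion: the query starts with '@host' so the front end forwards the
# request to an attacker-chosen backend path (/mapi/nspi, /powershell, ...).
PROXYSHELL_QUERY = re.compile(r"@[^/]*/(mapi|powershell|ews|ecp|owa)\b", re.I)
# ProxyLogon's SSRF names its backend target in one of these cookies.
PROXYLOGON_COOKIES = ("x-beresource=", "x-anonresource-backend=")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    client_ip: str
    detail: str


def parse_w3c(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line_no, record) per entry, taking column names from #Fields."""
    fields: list[str] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated entry: skip rather than mis-assign columns
        yield line_no, dict(zip(fields, values))


def scan(text: str) -> list[Finding]:
    """Return one Finding per matching rule per log entry."""
    findings: list[Finding] = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        cookie = rec.get("cs(Cookie)", "").lower()
        ip = rec.get("c-ip", "?")
        if stem.endswith(PROXYSHELL_PATH) and PROXYSHELL_QUERY.search(query):
            findings.append(Finding(line_no, "ProxyShell CVE-2021-34473 path confusion", ip, query))
        if any(c in cookie for c in PROXYLOGON_COOKIES):
            findings.append(Finding(line_no, "ProxyLogon CVE-2021-26855 SSRF cookie", ip, rec["cs(Cookie)"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}: {f.detail}")
```

Legitimate Autodiscover JSON requests also contain an `@` (the `Email=` parameter), which is why the ProxyShell rule requires a backend path after the host rather than matching on `@` alone. A hit on either rule is a reason to pull the corresponding HttpProxy logs and check for dropped web shells, not proof of compromise on its own.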
The development represents a new escalation in phishing campaigns in which a threat actor has breached corporate Microsoft Exchange email servers in order to gain unauthorised access to internal mail systems and distribute malicious emails in an effort to infect users with malware.
Finally, the researchers concluded that "SQUIRRELWAFFLE campaigns should make users cautious of the various tactics used to mask malicious emails and files. Emails from trusted contacts may not be a sufficient indicator that the link or file included in the email is safe."
Indicators of Compromise

SHA-256 | Detection name | File name
4bcef200fb69f976240e7bc43ab3783dc195eac8b350e610ed2942a78c2ba568 | Trojan.X97M.QAKBOT.YXBKIZ | keep-39492709.xls
784047cef1ef8150e31a64f23fbb4db0b286117103e076382ff20832db039c0a | TrojanSpy.Win32.QAKBOT.YMBJS | grand-153928705.xls
8163c4746d970efe150d30919298de7be67365c935a35bc2107569fba7a33407 | Trojan.XF.DLOADR.AL | miss-2003805568.xls
89281a47a404bfae5b61348fb57757dfe6890239ea0a41de46f18422383db092 | Trojan.Win32.SQUIRRELWAFFLE.B | Test2.test
b80bf513afcf562570431d9fb5e33189a9b654ab5cef1a9bf71e0cc0f0580655 | Trojan.Win32.SQUIRRELWAFFLE.B | Test1.test
cd770e4c6ba54ec00cf038aa50b838758b8c4162ca53d1ee1198789e3cbc310a | Trojan.Win32.SQUIRRELWAFFLE.B | test.test
Scheduled task (persistence; /Z marks the task for deletion after its final run): aocrimn /tr regsvr32.exe -s "%WorkingDir%\test.test.dll" /SC ONCE /Z /ST 06:25 /ET
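The task above has a recognisable shape: a signed Windows binary (regsvr32.exe) silently loading a DLL with a double extension from a non-system directory, scheduled to run once and delete itself. The triage routine below is an added example, not code from the article or from Trend Micro. It scores task definitions against that shape; the two inputs are constructed, the first mirroring the parameters reported above (the /ET value is not given there and is omitted) and the second a benign control. Task names, directory lists and the three-reason threshold are assumptions for illustration:

```python
"""Triage scheduled-task definitions for the persistence shape reported above:
a LOLBin (regsvr32.exe -s) silently registering a DLL from a non-system
directory, scheduled to run once and deleted afterwards (/Z)."""
from __future__ import annotations

import ntpath
import shlex
from dataclasses import dataclass, field

# Directories in which a legitimately registered COM server DLL normally lives (assumed list).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Signed Windows binaries routinely abused to execute attacker-supplied code.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SILENT_FLAGS = {"/s", "-s"}


@dataclass
class TaskAssessment:
    name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any single reason is weak on its own; three together match the observed chain.
        return len(self.reasons) >= 3


def assess_task(name: str, action: str, schedule: str, delete_after_run: bool) -> TaskAssessment:
    """Score one task. `action` is the /TR command line, `schedule` the /SC value."""
    result = TaskAssessment(name)
    # posix=False keeps Windows backslashes and quoted paths intact.
    tokens = [t.strip('"') for t in shlex.split(action, posix=False)]
    if not tokens:
        return result
    binary = ntpath.basename(tokens[0]).lower()
    args = tokens[1:]
    payloads = [a for a in args if not a.startswith(("/", "-"))]

    if binary in LOLBINS:
        result.reasons.append(f"action runs LOLBin {binary}")
    if binary == "regsvr32.exe" and SILENT_FLAGS & {a.lower() for a in args}:
        result.reasons.append("regsvr32 silent mode (-s) suppresses registration message boxes")
    for path in payloads:
        if not path.lower().startswith(TRUSTED_DIRS):
            result.reasons.append(f"payload outside system/program directories: {path}")
        if ntpath.basename(path).count(".") > 1:
            result.reasons.append(f"double file extension: {ntpath.basename(path)}")
    if schedule.upper() == "ONCE" and delete_after_run:
        result.reasons.append("one-shot task that deletes itself after running (/SC ONCE /Z)")
    return result


# Constructed inputs: (task name, /TR action, /SC schedule, /Z present).
SAMPLE_TASKS = [
    ("aocrimn", 'regsvr32.exe -s "%WorkingDir%\\test.test.dll"', "ONCE", True),
    ("VendorUpdate", '"C:\\Windows\\System32\\regsvr32.exe" /s "C:\\Program Files\\Vendor\\app.dll"', "DAILY", False),
]


def triage(tasks=SAMPLE_TASKS) -> list[TaskAssessment]:
    return [assess_task(*t) for t in tasks]


if __name__ == "__main__":
    for a in triage():
        print(f"{a.name}: {'SUSPICIOUS' if a.suspicious else 'ok'}")
        for r in a.reasons:
            print("  -", r)
```

In practice the inputs would come from an export of the task library (for example `schtasks /Query /FO CSV /V`, or the XML under `C:\Windows\System32\Tasks`), and the self-deleting /Z flag means the task may already be gone by the time of triage, so the Task Scheduler operational event log and the dropped DLL are the more durable artefacts.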