SophosLabs is investigating the use of the Squirrelwaffle malware loader as a distribution platform in combination with social engineering. It was a double attack: malware droppers and financial fraud both ran through the same vulnerable Exchange server. Sophos has also published an incident guide for security teams at organizations affected by Squirrelwaffle.
In a recent article, the Sophos Rapid Response Team describes a case in which Squirrelwaffle malware exploited a vulnerable Exchange server to distribute malicious spam via hijacked email threads. At the same time, the attackers stole an email thread in order to trick unsuspecting users into transferring money.
Combination of Squirrelwaffle, ProxyLogon and ProxyShell
The combination of Squirrelwaffle, ProxyLogon and ProxyShell used here has been observed several times by the Sophos Rapid Response Team in recent months. However, this case is the first to show attackers using typo-squatting to keep the ability to send spam even after the Exchange server had been patched. With typo-squatting, cyber criminals register domain names that closely resemble legitimate ones, so that users who mistype a website name land on a malicious site under the attackers' control.
Squirrelwaffle malware and social engineering in dual attack
In the current attack, Squirrelwaffle was mass-distributed to internal and external recipients by inserting manipulated replies into existing email threads of company employees. Sophos researchers discovered that while the malicious spam campaign was running, the same vulnerable server was also being used for a financial scam. Using the knowledge gained from a stolen email thread, the criminals used typo-squatting to try to convince employees of the affected company to redirect a money transfer intended for a customer to the attackers instead. The fraud very nearly succeeded: the transfer to the cyber criminals had already been approved, but a bank became suspicious and stopped the transaction at the last moment.
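The typo-squatted domains described above are the kind of thing a mail gateway or SOC rule can flag before a user has to spot them. The following script is an added example written for this page, not code from Sophos or from the incident guide: it extracts the sender domain from a From: header, folds common look-alike characters (digit 1 for l, rn for m, Cyrillic letters for their Latin twins), and compares the result against a constructed allow-list of domains the organisation legitimately corresponds with. The allow-list, the confusables table and the sample headers are all constructed for the example; a production deployment would use the full Unicode confusables data and the organisation's real partner list.

```python
"""Flag lookalike (typo-squatted) sender domains in e-mail From: headers."""
import re
import unicodedata

# Constructed allow-list of domains the organisation legitimately exchanges mail with (assumption).
KNOWN_DOMAINS = {"example-customer.com", "example-partner.com"}

# Character and sequence substitutions that make visually similar strings compare equal.
# Constructed and deliberately small; the Unicode confusables table is the real source.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "|": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o"}
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w")]

# How many edits away from a known domain a sender may be and still count as a lookalike.
MAX_EDIT_DISTANCE = 2

ADDR_RE = re.compile(r"@([^\s>]+)")


def normalize(domain):
    """Canonical form: lowercase, accents stripped, confusable characters folded."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = "".join(CONFUSABLE_CHARS.get(c, c) for c in d)
    for seq, rep in CONFUSABLE_SEQUENCES:
        d = d.replace(seq, rep)
    return d


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute) via the row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Return the domain part of the first address in a From: header, or None."""
    m = ADDR_RE.search(from_header)
    return m.group(1).rstrip(".").lower() if m else None


def classify_sender(from_header, known_domains=KNOWN_DOMAINS):
    """Classify a sender as known, lookalike or unknown relative to the allow-list."""
    domain = sender_domain(from_header)
    if domain is None:
        return {"domain": None, "verdict": "no-address", "closest": None, "distance": None}
    # Exact match or a subdomain of a known domain is legitimate.
    if domain in known_domains or any(domain.endswith("." + kd) for kd in known_domains):
        return {"domain": domain, "verdict": "known", "closest": domain, "distance": 0}
    norm = normalize(domain)
    closest, best = None, None
    for kd in known_domains:
        dist = levenshtein(norm, normalize(kd))
        if best is None or dist < best:
            closest, best = kd, dist
    verdict = "lookalike" if best is not None and best <= MAX_EDIT_DISTANCE else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": best}


# Constructed sample headers: one legitimate, several lookalikes, one unrelated sender.
SAMPLE_HEADERS = [
    "From: Accounts Payable <ap@example-customer.com>",
    "From: Accounts Payable <ap@examp1e-customer.com>",   # digit one for letter l
    "From: Accounts Payable <ap@example-custumer.com>",   # one-letter typo
    "From: Accounts Payable <ap@exarnple-customer.com>",  # rn for m
    "From: Accounts Payable <ap@ex\u0430mple-customer.com>",  # Cyrillic a
    "From: Billing <billing@billing.example-partner.com>",
    "From: Newsletter <news@totally-unrelated.org>",
]


def scan_headers(headers):
    """Return (domain, verdict) for each header so a rule can act on the lookalikes."""
    return [(r["domain"], r["verdict"]) for r in (classify_sender(h) for h in headers)]


if __name__ == "__main__":
    for domain, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:10s} {domain}")
```

The folding step matters more than the edit distance: a homoglyph domain is zero edits away from the legitimate one once normalised, so a rule that only checks raw Levenshtein distance would still miss the Cyrillic and rn-for-m cases. Subdomains of an allow-listed domain are accepted on purpose; a sender list that uses the public suffix list would need a different test for multi-label TLDs.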
Patching alone is not enough
Matthew Everts, analyst at Sophos Rapid Response and one of the authors of the study, comments:
“In a typical Squirrelwaffle attack through a vulnerable Exchange server, the attack ends when the defenders discover the vulnerability and fix it by patching the vulnerabilities and removing the attacker's ability to send email through the server. However, in the incident we investigated, such a measure would not have prevented the financial fraud, since the attackers had exported an email thread about customer payments from the victim's Exchange server. This is a good reminder that patches alone are not always enough to provide protection. For example, vulnerable Exchange servers also need to ensure that the attackers haven't left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks, like those used in email thread hijacking, educating employees on what to look for and how to report it is critical to detection.”
Help for affected companies: the Squirrelwaffle Incident Guide
Accompanying the current article, Sophos has also published a Squirrelwaffle Incident Guide, which provides step-by-step instructions on how to investigate, analyze and respond to incidents involving this increasingly popular malware loader. Squirrelwaffle is distributed as a malicious Office document in spam campaigns; it gives cyber criminals a first foothold in a victim's environment and a channel through which to infect systems with other malware.
The guide is part of a series of incident guides being produced by the Sophos Rapid Response team to help incident responders and security operations teams identify and remediate common threat tools, techniques and behaviors. It can be downloaded for free.
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. These are backed by SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.