IT is called “Squirrelwaffle” and it is a malware loader of such notoriety because of its ability to replicate itself using unpatched Microsoft Exchange servers and mass distribute to internal and external recipients by inserting malicious replies onto employees’ existing email threads.
Researchers from Sophos discovered that while the malicious spam campaign was being implemented, the same vulnerable server was used for a financial fraud attack with knowledge extracted from a stolen email thread and “typo-squatting” to convince an employee to redirect a legitimate customer transaction to the attackers. The fraud almost succeeded. The transfer of funds to the malicious recipient was authorized, but luckily a bank became suspicious and prevented the transaction from going through.
“In a typical Squirrelwaffle attack leveraging a vulnerable Exchange server, the attack ends when defenders detect and remediate the breach by patching the vulnerabilities, removing the attacker’s ability to send emails through the server. However, in the incident investigated by Sophos Rapid Response, such remediation wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server,” Matthew Everts, an analyst at Sophos Rapid Response and one of the researchers explained.
Sophos has published a Squirrelwaffle Incident Guide that provides step-by-step guidance on investigating, analyzing, and responding to incidents involving this increasingly popular malware loader, which is distributed as a malicious office document in spam campaigns, in conjunction with the ProxyLogon and ProxyShell exploit. This ‘collaboration’ provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware.
“It is a good reminder that patching alone isn’t always enough protection. For example, in the case of vulnerable Exchange servers, you need to check that the attackers haven’t left behind a web shell to maintain access. When it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection,” Everts shared.