Double Trouble: Malware dropper and financial fraud over the same vulnerable Exchange Server

In a recent article, the Sophos Rapid Response Team describes a case where Squirrelwaffle malware exploited a vulnerable Exchange server to distribute malicious spam via hijacked email threads. At the same time, an email thread was stolen by the attackers in order to trick unsuspecting users into transferring money.


The combination of Squirrelwaffle, ProxyLogon and ProxyShell used here has been observed several times by the Sophos Rapid Response Team in recent months. However, this case is the first in which the attackers used typo-squatting to keep sending email even after the Exchange server had been patched: they registered a domain that closely resembles a legitimate one, so that messages sent from it pass as genuine to anyone who does not read the address character by character.


Squirrelwaffle malware and social engineering in dual attack


In this attack, the criminals mass-distributed Squirrelwaffle to internal and external recipients by inserting manipulated replies into existing email threads of company employees. Sophos researchers discovered that while the malicious spam campaign was running, the same vulnerable server was also being used for a financial scam. Using the knowledge gained from a stolen email thread, the attackers used a typo-squatted domain to try to convince employees of the affected company to redirect a payment intended for a customer to an account under the attackers' control. The fraud very nearly succeeded: the transfer to the cybercriminals had already been approved, but a bank became suspicious and stopped the transaction at the last moment.
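As an added illustration (this is not code from the Sophos report or the Squirrelwaffle Incident Guide): a small Python check that flags From and Reply-To domains resembling a trusted correspondent's domain, which is the kind of look-alike domain the typo-squatting described above relies on. The trusted domain list, the sample messages and the edit-distance threshold are constructed assumptions for the example, not data from the incident.

```python
"""Flag look-alike (typo-squatted) sender domains in mail headers.

Added example. The trusted domains, sample messages and threshold below
are constructed for illustration and are not taken from the incident.
"""
from email import message_from_string
from email.utils import parseaddr

# Domains of correspondents the organization exchanges payment emails with
# (constructed assumption; in practice this comes from a partner/own-domain list).
TRUSTED_DOMAINS = {"example-customer.com", "victimcorp.example"}

# Character substitutions commonly used to build look-alike domains.
# Applied to both sides before comparison, so "custorner" and "customer" collide.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common homoglyph substitutions."""
    d = domain.lower().rstrip(".")
    for bad, good in SUBSTITUTIONS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', trusted_domain) or ('unknown', None)."""
    if domain.lower().rstrip(".") in trusted:
        return ("trusted", domain.lower().rstrip("."))
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        # Exact match after homoglyph folding, a trusted domain used as a
        # subdomain of an attacker domain, or a domain within a few edits
        # (e.g. a dropped letter or a swapped TLD) are all treated as look-alikes.
        if norm == tn or norm.startswith(tn + ".") or levenshtein(norm, tn) <= max_distance:
            return ("lookalike", t)
    return ("unknown", None)


def scan_message(raw: str, trusted=TRUSTED_DOMAINS):
    """Return [(header, domain, impersonated_domain)] for look-alike sender domains."""
    msg = message_from_string(raw)
    findings = []
    for hdr in ("From", "Reply-To"):
        value = msg.get(hdr)
        if not value:
            continue
        _, addr = parseaddr(value)
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        verdict, matched = classify_domain(domain, trusted)
        if verdict == "lookalike":
            findings.append((hdr, domain, matched))
    return findings


# Constructed sample messages (not real traffic): a genuine reply, a reply from
# an "rn"-for-"m" domain, a genuine From with a look-alike Reply-To, and an
# unrelated sender.
SAMPLE_MESSAGES = [
    "From: \"Accounts Payable\" <ap@example-customer.com>\nSubject: Re: Invoice 2291\n\nThanks, paying Friday.\n",
    "From: \"Accounts Payable\" <ap@example-custorner.com>\nSubject: Re: Invoice 2291\n\nPlease use our new bank details.\n",
    "From: \"Accounts Payable\" <ap@example-customer.com>\nReply-To: <ap@examp1e-customer.co>\nSubject: Re: Invoice 2291\n\nReply to confirm.\n",
    "From: news@unrelated.example\nSubject: Newsletter\n\nHello.\n",
]


def scan_all(messages=SAMPLE_MESSAGES):
    """Scan every sample and return the findings per message."""
    return [scan_message(m) for m in messages]


if __name__ == "__main__":
    for i, findings in enumerate(scan_all()):
        print(i, findings or "clean")
```

The check deliberately looks at Reply-To as well as From: a hijacked thread often keeps a plausible From while steering replies to the attacker's domain. Tune the edit-distance threshold to your domain lengths; short domains will need a lower value to avoid false positives.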





Patching alone is not enough


Matthew Everts, analyst at Sophos Rapid Response and one of the authors of the study, says:


“In a typical Squirrelwaffle attack through a vulnerable Exchange server, the attack ends when the defenders discover the vulnerability and fix it by patching the vulnerabilities and removing the attacker’s ability to send email through the server. However, in the incident we investigated, such a measure would not have prevented the financial fraud, as the attackers had exported an email thread about customer payments from the victim’s Exchange server. This is a good reminder that patches alone are not always enough to provide protection. For example, vulnerable Exchange servers also need to ensure that the attackers haven’t left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks, like those used in email thread hijacking, educating employees on what to look for and how to report it is critical to detection.”


Help for affected companies: the Squirrelwaffle Incident Guide


Accompanying the current article, Sophos has also released a Squirrelwaffle Incident Guide, which provides step-by-step instructions on how to investigate, analyze and respond to incidents involving this increasingly popular malware loader.


Squirrelwaffle is distributed as a malicious Office document in spam campaigns and allows cyber criminals to gain a first foothold in a victim's environment and to create a channel through which they spread and infect systems with other malware.


The guide is part of a series of incident guides being produced by the Sophos Rapid Response team to help incident responders and security operations teams identify and remediate common threat tools, techniques and behaviors.


Further information:


The report on the incident described is available here.


The detailed guide to Squirrelwaffle malware incidents can be found here.


www.sophos.com