SquirrelWaffle attackers now use typosquatting to keep sending spam, even after Exchange servers are patched for ProxyLogon/ProxyShell.

SquirrelWaffle – the newish malware loader that first showed up in September – once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of hijacking email threads.

That’s the same-old, same-old, as in, a SquirrelWaffle campaign will hijack an email thread to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent Emotet malware – typically spread via malicious emails or text messages – has operated.

But this time, the operators added a twist: They sucked knowledge out of an email thread and used it to trick the target into a money transfer.


They almost pulled it off. The targeted organization initiated a money transfer to an attacker-controlled account, but thankfully, one of the financial institutions involved in the transaction smelled a rat and flagged the deal as fraudulent.

In a Tuesday post, Sophos analysts Matthew Everts and Stephen McNally said that in a typical SquirrelWaffle attack – which entails the threat actors walking through holes left by the unpatched, notorious, oft-picked-apart ProxyLogon and ProxyShell Exchange server vulnerabilities – the attack ends when those holes finally get patched, removing the attacker’s ability to send emails through the server.

But in this recent engagement, the Sophos Rapid Response team found that while a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server, that same vulnerable server was being used by the attackers to siphon off knowledge from a stolen email thread and to launch a financial fraud attack.

“The combination of Squirrelwaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain the ability to send spam once the Exchange server has been remediated,” the analysts wrote.

Too Late to Patch That Leaky Exchange Roof

In this case, patching Exchange wouldn’t have clipped SquirrelWaffle’s tail, the analysts said, given that the attackers had already spirited away an email thread about customer payments from the victim’s Exchange server.

Besides which, as the analysts noted and as Sophos detailed last March, patching isn’t the end-all, be-all for remediating vulnerable Exchange servers. For one thing, you also need to determine whether attackers have pulled off any other mischief, such as installing webshells.

Typosquatting Their Way Into Inboxes

The double-up attack on the vulnerable Exchange server started with the attackers registering a typosquat domain. In other words, they registered a domain name that resembled the victim’s legitimate domain but with a small typo, then used email addresses from the look-alike domain to reply to the email thread.

“Moving the conversation out of the victim’s email infrastructure gave the attackers operational control over what happened next,” Everts and McNally explained.

What happened next was that the attackers tried to divert the victim’s customer’s payments to accounts they controlled. In their hunt for legitimacy, they went so far as to copy in more email addresses, to make it look like they were requesting support from an internal department. But these additional email addresses were just as bogus, coming from the same almost, not-quite, look-alike typosquat domain.
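As an added illustration that is not part of the Sophos post or this article, here is a defender-side check for exactly this trick: it flags From, Reply-To and Cc addresses whose domain is a near miss of the organization’s own domain, something SPF, DKIM and DMARC on your own domain cannot catch because a look-alike domain authenticates perfectly well for itself. The domain names and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed for this example: the organization's own mail domains.
ORG_DOMAINS = {"example-corp.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert/delete/substitute and adjacent transposition as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_addresses(raw_message: str, org_domains=ORG_DOMAINS, max_distance: int = 2):
    """Return (header, address, closest_org_domain, distance) for every From,
    Reply-To or Cc address whose domain is a near miss of one of ours."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            domain = addr.rpartition("@")[2].lower()
            if not domain or domain in org_domains:
                continue  # no domain, or exactly our own domain: nothing to flag
            closest, dist = min(((o, osa_distance(domain, o)) for o in org_domains), key=lambda p: p[1])
            if dist <= max_distance:
                findings.append((header, addr, closest, dist))
    return findings

# Constructed sample messages: a genuine thread reply and a look-alike-domain reply.
LEGIT_REPLY = """\
From: Accounts Payable <accounts@example-corp.com>

Payment details unchanged, thanks.
"""
SPOOFED_REPLY = """\
From: Accounts Payable <accounts@examp1e-corp.com>
Reply-To: accounts@examp1e-corp.com
Cc: Finance Team <finance@examp1e-corp.com>

Please note our updated bank account for this renewal.
"""
```

Run on the spoofed reply, all three headers come back flagged at distance 1 from example-corp.com; the genuine reply returns nothing.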

Next, they started using “this transaction’s ready to go!” language, as in the screen capture Sophos provided below.

[Screen capture of the attackers’ email. Source: Sophos.]

Next came some foot-tappingly stern language to ratchet up the urgency, as shown in the next screen grab. “I appreciate how busy you are,” the crooks crooned, among other things that sounded like legitimate accounting blah-blah-blah, “but wondered if you could give me an update regarding the renewal?”

[Screen capture of the attackers’ follow-up email. Source: Sophos.]

The attackers’ fake accountant faux-relaxed after the SquirrelWaffle operators received an email indicating that the illegitimate payment was being processed, assuring their mark that they’d get them an invoice ASAP.

[Screen capture of the attackers’ reply. Source: Sophos.]

How to Cage This Twitchy Rodent

Sophos offered advice on how to protect against malicious email attacks such as the SquirrelWaffle campaign, the first of which is a head-desk-bang-bang cliché: Namely, patch those servers.

“The single biggest step defenders can take to prevent the compromise and abuse of on premises Microsoft Exchange servers is to ensure that they have been patched with the most recent updates from Microsoft,” according to the post.

Also:

  • Implement industry standards for email authentication, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance), in order to make it easier for other organizations to figure out if emails are legitimate. “Using these standards can make it harder for an attacker to send spoofed emails impersonating your domain,” Sophos said.
  • Consider email security products that integrate artificial intelligence to help fend off increasingly sophisticated social engineering attacks, phishing lures and impersonation messages.
  • Protect the recipients of such emails and ensure that users in your organization can spot phishing attempts and know how to report and respond to them.

Sophos also provided tips on what to do if your organization has already been attacked. In fact, it’s put together a Squirrelwaffle Incident Guide to help victims investigate, analyze and respond.
