SquirrelWaffle Malware Exploits Microsoft Exchange Vulnerabilities Via Email

Microsoft Exchange Server

Security experts have discovered that the Squirrelwaffle malware uses a new trick to trigger so-called chain infections in networks. Victims have the impression that they are receiving an e-mail from within their own network, but the message carries a well-hidden Trojan.

This is according to a report from Trend Micro. Threat actors compromise Microsoft Exchange servers with the help of ProxyShell and ProxyLogon exploits that have been known for months. The aim is to distribute various malware and to evade detection by hijacking stolen internal reply-chain emails. In other words, the attackers send reply e-mails and so "join" an existing conversation, which makes it even more difficult for victims to realize that they are being attacked.

Excel attachments are manipulated

Squirrelwaffle serves to smuggle in various other malware. Vulnerabilities in the Exchange server are exploited for this purpose. The infection itself then takes place via manipulated Microsoft Excel attachments. Users are regularly warned against such attachments, but because Squirrelwaffle now attaches itself to existing e-mail threads, victims are much less cautious about downloading and opening the malicious attachments.

The threat actors use compromised Exchange servers to reply to the company's internal emails in reply-chain attacks. These replies contain links to malicious documents that install various malware.

“During the same intrusion, we analyzed the email headers of the malicious emails we received. The email path was internal (between the three internal Exchange server mailboxes), which suggests that the emails weren’t from an external sender, an open mail relay, or a message transfer agent (MTA),” said the Trend Micro report. Once the hackers have penetrated the network, they can use Squirrelwaffle to download and install any malware.

Because these emails come from the same internal network and appear to be the continuation of a previous discussion between two employees, recipients place greater trust in the legitimacy and safety of the email.
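A defensive triage sketch for the pattern described above, added here as an example (it is not code from Trend Micro or from the original article). It shows why an all-internal Received path cannot be treated as a pass: a reply that carries an Excel file or a link is queued for content scanning either way. The internal suffix `.corp.example`, the function names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string

INTERNAL_SUFFIX = ".corp.example"  # assumption: the organisation's internal mail domain
EXCEL_EXT = (".xls", ".xlsx", ".xlsm", ".xlsb")
HOP_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample: a reply relayed only between internal mail servers.
SAMPLE = """\
Received: from EX02.corp.example by EX03.corp.example; Mon, 1 Jan 2024 09:00:02 +0000
Received: from EX01.corp.example by EX02.corp.example; Mon, 1 Jan 2024 09:00:01 +0000
From: Alice <alice@corp.example>
Subject: RE: Q4 budget
In-Reply-To: <constructed-1@corp.example>
Content-Type: text/plain; charset=utf-8

Please see the updated sheet: https://files.example.net/q4.xlsx
"""

def hop_hosts(msg):
    """Host names from the 'from'/'by' clauses of every Received header."""
    hosts = []
    for value in msg.get_all("Received", []):
        hosts += [h.lower().rstrip(".") for h in HOP_RE.findall(value)]
    return hosts

def triage(raw, internal_suffix=INTERNAL_SUFFIX):
    msg = message_from_string(raw)
    hosts = hop_hosts(msg)
    excel, urls = [], []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXCEL_EXT):
            excel.append(name)
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            urls += URL_RE.findall(body.decode("utf-8", "replace"))
    return {
        "internal_only_path": bool(hosts) and all(h.endswith(internal_suffix) for h in hosts),
        "is_reply": bool(msg.get("In-Reply-To") or msg.get("References")),
        "excel_attachments": excel,
        "urls": urls,
    }

def needs_review(result):
    # Internal origin is not a pass: replies with Excel files or links are always queued.
    return result["is_reply"] and bool(result["excel_attachments"] or result["urls"])
```

Calling `needs_review(triage(SAMPLE))` returns `True` even though every hop in the sample is internal.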

Trend Micro researchers recently discovered this interesting new tactic and are now concerned about a new wave of hacks.