Researchers have never before seen SquirrelWaffle attackers use typosquatting to keep sending spam once a targeted Exchange server has been patched for ProxyLogon/ProxyShell.
SquirrelWaffle – the newish malware loader that first showed up in September – once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of hijacking email threads.
That is the same-old, same-old, as in, a SquirrelWaffle campaign will hijack an email thread to increase the odds that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent Emotet malware – typically spread via malicious emails or text messages – has operated.
But this time, the operators added a twist: They pulled knowledge out of an email thread and used it to trick the target into a financial transfer.
They almost pulled it off. The targeted organization initiated a financial transfer to an attacker-controlled account, but fortunately, one of the financial institutions involved in the transaction smelled a rat and flagged the transaction as fraudulent.
In a Tuesday post, Sophos analysts Matthew Everts and Stephen McNally said that typically, in SquirrelWaffle attacks – which usually involve the threat actors walking through holes left by the unpatched, notorious, oft-picked-apart ProxyLogon and ProxyShell Exchange server vulnerabilities – the attack ends when those holes finally get patched, removing the attacker’s ability to send emails through the server.
But in this recent engagement, the Sophos Rapid Response team found that while a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server, that same vulnerable server was being used by the attackers to siphon off knowledge from a stolen email thread and to launch a financial fraud attack.
“The combination of Squirrelwaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain the ability to send spam once the Exchange server has been remediated,” the analysts wrote.
Too Late to Patch That Leaky Exchange Roof
In this case, patching Exchange wouldn’t have clipped SquirrelWaffle’s tail, the analysts explained, given that the attackers had already spirited away an email thread about customer payments from the victim’s Exchange server.
Besides which, as the analysts noted and as Sophos detailed last March, patching is not the end-all, be-all for remediating vulnerable Exchange servers. For one thing, you also need to determine whether attackers have pulled off any other mischief, such as installing webshells.
Typosquatting Their Way Into Inboxes
The double-up attack on the vulnerable Exchange server started with the attackers registering a typosquat domain. In other words, they registered a domain name that resembled the victim’s legitimate domain but with a small typo, then used email addresses from the look-alike domain to reply to the email thread.
“Moving the conversation out of the victim’s email infrastructure gave the attackers operational control over what happened next,” Everts and McNally said.
What happened next was that the attackers tried to divert the victim’s customer’s payments to accounts they controlled. In their hunt for legitimacy, they went so far as to copy in additional email addresses, to make it look like they were requesting support from an internal department. But those additional email addresses were just as bogus, being sent from the same almost, not-quite, look-alike typosquat domain.
Next, they started using “this transaction’s ready to go!” language, as in the screen capture Sophos provided below.
Then came some foot-tappingly stern language to ratchet up the urgency, as shown in the next screen grab. “I appreciate how busy you are,” the crooks crooned, among other things that sounded like legitimate accounting blah-blah-blah, “but wondered if you could give me an update regarding the renewal?”
The attackers’ fake accountant fake-relaxed after the SquirrelWaffle operators received an email indicating that the illegitimate payment was being processed, assuring their mark that they’d get them an invoice ASAP.
How to Cage This Twitchy Rodent
Sophos provided advice on how to defend against malicious email attacks such as the SquirrelWaffle campaign, the first of which is a head-desk-bang-bang cliché: Namely, patch those servers.
“The single biggest step defenders can take to prevent the compromise and abuse of on premises Microsoft Exchange servers is to ensure that they have been patched with the most recent updates from Microsoft,” according to the post.
- Implement industry standards for email authentication, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance), in order to make it easier for other organizations to determine whether emails are legitimate. “Using these standards can make it harder for an attacker to send spoofed emails impersonating your domain,” Sophos said.
- Consider email security solutions that incorporate artificial intelligence to help fend off increasingly sophisticated social engineering attacks, phishing lures and impersonation messages.
- Protect the recipients of such emails and ensure that users in your organization can spot phishing attempts and know how to report and respond to them.
Sophos also provided tips on what to do if your organization has already been attacked. In fact, it has put together a Squirrelwaffle Incident Guide to help victims investigate, analyze and respond.
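One caveat a defender should keep in mind about the authentication advice above: SPF, DKIM and DMARC stop an attacker from spoofing your exact domain, but they do nothing against a look-alike domain the attacker legitimately registered and controls, which is exactly what happened in the incident described here. Catching that requires comparing the domains in a reply chain against your own. The script below is an added example written for this article, not code from Sophos or Threatpost; it takes a constructed sample message (the victim's real domain is not named in the article, so `examplecorp.com` stands in for it, and the headers and addresses are invented) and flags any From, Reply-To, Cc or Sender domain that is a near-miss of the organisation's own domain, using a transposition-aware edit distance plus a few common homoglyph substitutions.

```python
"""Flag reply-chain senders whose domain is a near-miss of our own domain.

Added example for this article; not Sophos' or Threatpost's code. The
message below is constructed sample input, and 'examplecorp.com' is an
assumed stand-in for the victim's real (unnamed) domain.
"""
from email import message_from_string
from email.utils import getaddresses

LEGIT_DOMAIN = "examplecorp.com"   # assumption: the organisation's own domain
LOOKALIKE_THRESHOLD = 2            # max edit distance still treated as a look-alike


def normalise(domain: str) -> str:
    """Collapse common visual substitutions so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    d = d.replace("rn", "m").replace("vv", "w")   # multi-character homoglyphs
    return d.translate(str.maketrans("01", "ol"))  # digit-for-letter swaps


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2 = None                        # row for i-2, needed for transpositions
    prev = list(range(len(b) + 1))      # row for i-1
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,            # delete
                         cur[j - 1] + 1,         # insert
                         prev[j - 1] + cost)     # substitute / match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)   # adjacent transposition
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one sender domain."""
    d = domain.lower()
    if d == LEGIT_DOMAIN:
        return "legit"
    if edit_distance(normalise(d), normalise(LEGIT_DOMAIN)) <= LOOKALIKE_THRESHOLD:
        return "lookalike"
    return "unrelated"


def sender_domains(raw_message: str) -> set:
    """Collect every domain that appears in the headers an attacker controls in a reply."""
    msg = message_from_string(raw_message)
    addrs = []
    for header in ("From", "Reply-To", "Cc", "Sender"):
        addrs.extend(getaddresses(msg.get_all(header, [])))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr}


def audit_message(raw_message: str) -> dict:
    """Map each sender domain in the message to its classification."""
    return {d: classify(d) for d in sender_domains(raw_message)}


# Constructed sample: a reply in a hijacked thread, sent from a typosquat
# domain ('rn' in place of 'm') with a fake internal 'finance' address copied in.
SAMPLE_MESSAGE = """\
From: "Accounts Payable" <accounts@exarnplecorp.com>
Reply-To: accounts@exarnplecorp.com
Cc: "Finance Dept" <finance@exarnplecorp.com>, Partner Bank <ops@partner-bank.example>
To: customer@customer.example
Subject: RE: Renewal invoice
Message-ID: <constructed-sample@example>

Hi, this transaction's ready to go! Please use the updated account details.
"""

if __name__ == "__main__":
    for domain, verdict in sorted(audit_message(SAMPLE_MESSAGE).items()):
        print(f"{verdict:10} {domain}")
```

On the sample message this reports `exarnplecorp.com` as a look-alike and `partner-bank.example` as unrelated. The threshold of two edits is a judgement call: it is generous enough to catch a dropped letter, a swapped pair or a digit-for-letter swap, but on very short domains it will also match unrelated names, so in production the check belongs on the mail gateway as a warning banner or quarantine rule rather than a hard block, and the homoglyph table should be extended with the Unicode confusables relevant to the domains you actually own.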