Attackers use ProxyLogon and ProxyShell Flaws to Hijack Email Threads

Threat actors are exploiting the ProxyLogon and ProxyShell flaws in unpatched Microsoft Exchange Servers.

As part of an ongoing spam campaign that uses stolen email chains to bypass security protections and implant malware on vulnerable systems, threat actors are exploiting the ProxyLogon and ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers. Trend Micro's findings come from an investigation into a series of intrusions in the Middle East that resulted in the distribution of a previously unseen loader known as SQUIRRELWAFFLE. The attacks, first publicly disclosed by Cisco Talos in mid-September 2021, are believed to have started with booby-trapped Microsoft Office documents.

"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar said in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits."

According to Trend Micro, public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) were used against three Exchange servers compromised in separate intrusions. The resulting access was used to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients would open the emails.

The attack chain begins with rogue email messages containing a link that, when opened, drops a Microsoft Excel or Word file. When the recipient opens the document, they are prompted to enable macros, which leads to the download and execution of the SQUIRRELWAFFLE malware loader; the loader then serves as a conduit for final-stage payloads such as Cobalt Strike and Qbot.

Trend Micro's claim that SquirrelWaffle is operating as a malware dropper for Qbot or other malware was disputed by Cryptolaemus researcher TheAnalyst. Rather, according to TheAnalyst on Friday, the threat actor is delivering both SquirrelWaffle and Qbot as separate payloads, with the most recent confirmed SquirrelWaffle drop occurring on Oct. 26.

According to TheAnalyst, the actor/activity is tracked as tr01/TR (its QakBot affiliate ID), as TA577 by Proofpoint, and as ChaserLdr by Cryptolaemus, and the activity dates back to at least 2020. The actors are simple to follow, TheAnalyst said, making only minor adjustments to their tactics, techniques, and procedures (TTPs). One of tr01's favorite TTPs, according to TheAnalyst, is including links to malicious documents in stolen reply chains. TheAnalyst stated the threat actor is notorious for delivering "a variety of malware," including QakBot, Gozi, IcedID, Cobalt Strike, and possibly more.