Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains

Trend Micro


Exploits & Vulnerabilities

Squirrelwaffle is known for using the tactic of sending malicious spam as replies to existing email chains. We look into how by investigating its exploit of Microsoft Exchange Server vulnerabilities, ProxyLogon and ProxyShell.

By: Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar. November 19, 2021

In September, Squirrelwaffle emerged as a new loader spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email threads, a tactic that lowers the recipient's guard because the message arrives inside a conversation they already trust. We believe that pulling this off involved chaining the ProxyLogon and ProxyShell exploits against the victims' Exchange servers.

The Trend Micro Incident Response team looked into several Squirrelwaffle-related intrusions in the Middle East. This led to a deeper investigation into the initial access vector of these attacks, to determine whether these exploits were involved.

Our suspicion stems from the fact that all of the intrusions we observed originated from on-premises Microsoft Exchange Servers
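The article does not reproduce the requests that hit the Exchange servers. As an added example (not code from the Trend Micro article, and not their detection logic), the following script scans IIS W3C access logs for the best-known ProxyShell indicator: a request to `/autodiscover/autodiscover.json` whose query string contains an `@`, the path-confusion trick that makes the Exchange frontend forward the rest of the query to a backend endpoint such as `/mapi/nspi` or `/powershell`. The log lines are constructed, the IP addresses and `attacker.test` domain are placeholders, and the script assumes the default W3C field set shown in the `#Fields:` header. It deliberately does not cover ProxyLogon, whose SSRF marker lives in request cookies that default IIS logging does not record.

```python
"""Scan IIS W3C logs for the ProxyShell autodiscover path-confusion pattern.

Added example; the log content below is constructed, not from a real incident.
"""
from urllib.parse import unquote

# Constructed sample IIS log (default W3C layout, trimmed to the fields used).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-09-10 08:15:02 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 203.0.113.10 200
2021-09-10 08:16:44 GET /autodiscover/autodiscover.json @attacker.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@attacker.test 198.51.100.23 200
2021-09-10 08:16:51 POST /autodiscover/autodiscover.json @attacker.test/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3F@attacker.test 198.51.100.23 200
2021-09-10 08:17:05 GET /autodiscover/autodiscover.json - 10.0.0.5 401
"""

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
# Backend paths commonly reached through the path confusion (assumed list).
BACKEND_TARGETS = ("/mapi/nspi", "/powershell", "/ews/", "/ecp/")


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def find_proxyshell_autodiscover(records):
    """Return one finding per autodiscover.json request carrying an '@' in its query.

    The text after the first '@' is what the frontend will forward to the backend,
    so it is reported as the attacker's intended target.
    """
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = unquote(rec.get("cs-uri-query", "")).lower()
        if not stem.endswith(AUTODISCOVER_JSON) or "@" not in query:
            continue
        backend = query.split("@", 1)[1]
        target = next((t for t in BACKEND_TARGETS if t in backend), None)
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec.get("c-ip"),
            "method": rec.get("cs-method"),
            "status": rec.get("sc-status"),
            "backend_target": target,
            "raw_query": rec.get("cs-uri-query"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxyshell_autodiscover(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

Run it against `u_ex*.log` files from the Exchange frontend site after swapping `SAMPLE_LOG` for the file contents. A legitimate Autodiscover client never places an `@` in that query string, so even a single hit from an external address is worth a full investigation of that host, and a `200` status on the forwarded request means the backend answered.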

Read More: https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html