Trend Micro -
Exploits & Vulnerabilities
Squirrelwaffle is known for using the tactic of sending malicious spam as replies to existing email chains. We look into how by investigating its exploit of Microsoft Exchange Server vulnerabilities, ProxyLogon and ProxyShell.
In September, Squirrelwaffle emerged as a new loader that is spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email chains, a tactic that lowers a victim’s guard against malicious activities. To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.
The Trend Micro Incident Response team looked into several intrusions related to Squirrelwaffle, that happened in the Middle East. This led to a deeper investigation into the initial access of these attacks. We wanted to see if the attacks involved the said exploits.
This comes from the fact that all of the intrusions we observed originated from on-premise Microsoft Exchange Servers