SquirrelWaffle is a relatively new malware loader that appeared in September.
SquirrelWaffle works by hijacking an existing email thread and hiding its malicious links inside a reply, which maximizes the likelihood that a victim will click on them; this is similar to how the highly contagious Emotet virus, itself often distributed through malicious emails or text messages, has operated.
Analysts Matthew Everts and Stephen McNally of Sophos wrote in a recent blog post that, in most cases, SquirrelWaffle attacks end once the holes are finally patched, which removes the attacker’s ability to send emails through the server.
The Sophos Rapid Response team discovered a SquirrelWaffle malspam campaign wreaking havoc on an unpatched server, where the attackers used the same vulnerable server both to siphon information from a stolen email thread and to launch a financial fraud attack with the information they had obtained.
The combination of SquirrelWaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain the ability to send spam once the Exchange server has been remediated.
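The two behaviours described above, replies injected into an existing thread and a typo-squatted sender domain used after the real server is patched, are both visible in message headers. The following Python script is an added example (not Sophos's code or tooling) that flags replies in a thread whose sender domain is a close edit-distance lookalike of a trusted domain. It assumes headers have already been parsed into dicts; the sample messages, the `example.com` trusted domain and the `examp1e.com` lookalike are constructed for illustration and are not taken from any real campaign.

```python
"""Flag reply-thread messages whose sender domain is a lookalike of a trusted domain.

Added example (not Sophos's tooling). It assumes RFC 5322 header fields are
supplied as dicts; the sample messages below are constructed for illustration.
"""
from email.utils import parseaddr


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance using a two-row dynamic-programming table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_message(headers: dict, trusted_domains: set, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one message.

    A sender domain is a 'lookalike' when it is not trusted but lies within
    max_distance edits of a trusted domain (e.g. a digit swapped for a letter).
    """
    domain = sender_domain(headers.get("From", ""))
    if domain in trusted_domains:
        return "trusted"
    for trusted in trusted_domains:
        if levenshtein(domain, trusted) <= max_distance:
            return "lookalike"
    return "external"


def find_hijacked_replies(messages, trusted_domains):
    """Return Message-IDs of in-thread replies sent from a lookalike domain.

    'In-thread' means the message carries In-Reply-To or References, which is
    the signature of a reply injected into an existing conversation.
    """
    hits = []
    for msg in messages:
        in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
        if in_thread and classify_message(msg, trusted_domains) == "lookalike":
            hits.append(msg["Message-ID"])
    return hits


# Constructed sample messages (not real traffic): an original, a reply from a
# typo-squatted domain, and a reply from an unrelated external partner.
SAMPLE_MESSAGES = [
    {"Message-ID": "<1@example.com>", "From": "Alice <alice@example.com>",
     "Subject": "Invoice 1042"},
    {"Message-ID": "<2@examp1e.com>", "From": "Alice <alice@examp1e.com>",
     "In-Reply-To": "<1@example.com>", "Subject": "RE: Invoice 1042"},
    {"Message-ID": "<3@partner.test>", "From": "Bob <bob@partner.test>",
     "In-Reply-To": "<1@example.com>", "Subject": "RE: Invoice 1042"},
]
TRUSTED = {"example.com"}

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["Message-ID"], classify_message(m, TRUSTED))
    print("suspicious replies:", find_hijacked_replies(SAMPLE_MESSAGES, TRUSTED))
```

The edit-distance threshold of 2 catches single-character substitutions and short insertions; raising it increases recall against legitimate partner domains that happen to be short, so in practice the trusted set should contain the organization's own domains and known partners, and hits should be reviewed rather than blocked outright.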