SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming

Researchers have never before seen SquirrelWaffle attackers use typosquatting to keep sending spam once a targeted Exchange server has been patched for ProxyLogon/ProxyShell.

SquirrelWaffle – the newish malware loader that first showed up in September – once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of hijacking email threads.

That part is nothing new: a SquirrelWaffle campaign hijacks an existing email thread to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent Emotet malware – typically spread via malicious emails or text messages – has operated.

But this time, the operators added a twist: They sucked knowledge out of an email thread and used it to trick the target into a money transfer.

They almost pulled it off. The targeted organization initiated a money transfer to an attacker-controlled account, but thankfully, one of the financial institutions involved in the transaction smelled a rat and flagged the deal as fraudulent.

In a Tuesday post, Sophos analysts Matthew Everts and Stephen McNally said that typically, in SquirrelWaffle attacks –

Read More: https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/