Squirrelwaffle debuted in September 2021 as a malspam loader. It has made its way into the wild, giving supporting actors a mechanism to deliver malware onto compromised computers and networks. It spreads via spam campaigns and uses malicious URLs or Microsoft Office files to start an infection chain when they are accessed. Two vulnerabilities were employed in the attacks: ProxyLogon and ProxyShell. The servers were exploited using CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell). ProxyLogon is a server-side request forgery vulnerability that allows cybercriminals to gain access to an Exchange server by delivering a carefully crafted web request.
On the other hand, to gain access to the Exchange machines, the ProxyShell vulnerability took advantage of the URL normalization of Explicit Logon URLs. The other ProxyShell vulnerability allows an attacker to run PowerShell commands as a local administrator.
In this new attack method, the attackers exported an email thread about customer payments from the victim’s Exchange server. They used the knowledge obtained from the thread and created a similar-looking domain to reply to the exported thread. They then redirected the victim’s payments to themselves.
The attack was multi-layered as the attackers also copied additional email addresses to give the impression that they were requesting support from an internal department.
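One defensive check against the reply-chain hijack described above, written here as an added example and not taken from the original report: it parses a constructed original message and a constructed reply to it, and flags any sender or CC address in the reply whose domain is a near-miss (small edit distance) of a domain that took part in the thread. All domains, addresses and Message-IDs are made up.

```python
import email
from email.utils import getaddresses

# Constructed sample thread (not real data): a legitimate original message and a
# reply from a lookalike domain that also copies in a fake "internal" address.
ORIGINAL = """From: accounts@example-customer.com
To: billing@victim-corp.example
Cc: sales@victim-corp.example
Message-ID: <orig-001@victim-corp.example>
"""
REPLY = """From: billing@victim-c0rp.example
To: accounts@example-customer.com
Cc: finance-support@victim-c0rp.example
Message-ID: <fake-777@victim-c0rp.example>
In-Reply-To: <orig-001@victim-corp.example>

Our bank details have changed; please use the new account below.
"""

def _edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _addresses(msg, headers):
    # Lower-cased bare addresses from the named headers of a parsed message.
    return [a.lower() for _, a in
            getaddresses([v for h in headers for v in msg.get_all(h, [])]) if a]

def check_reply(original_raw, reply_raw, max_distance=2):
    """Return (header, address, imitated_domain) for each reply address whose domain is a near-miss of a thread participant's domain."""
    orig = email.message_from_string(original_raw)
    reply = email.message_from_string(reply_raw)
    if reply.get("In-Reply-To") != orig.get("Message-ID"):
        return []  # not a reply to this thread, so there is no baseline to compare
    trusted = {a.rsplit("@", 1)[-1] for a in _addresses(orig, ("From", "To", "Cc"))}
    findings = []
    for header in ("From", "Reply-To", "Cc"):
        for addr in _addresses(reply, (header,)):
            domain = addr.rsplit("@", 1)[-1]
            if domain in trusted:
                continue  # exact participant domain: legitimate
            for t in sorted(trusted):
                if _edit_distance(domain, t) <= max_distance:
                    findings.append((header, addr, t))
    return findings
```

A mail gateway that keeps the Message-IDs of outbound threads can apply the same comparison to every inbound reply; a hit on the From or Reply-To header is the payment-redirection pattern, and a hit on Cc is the fake "internal department" layer.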