
Rewterz Threat Alert – Squirrelwaffle Exploits ProxyLogon and ProxyShell Infect Systems

November 23, 2021

Severity

Medium

Analysis Summary

Squirrelwaffle is a malspam loader that emerged in September 2021. It spreads through spam campaigns carrying malicious links or Microsoft Office files that trigger an infection chain when opened. ProxyLogon and ProxyShell were the two exploits used in the attacks.

The vulnerabilities CVE-2021-26855 (ProxyLogon), CVE-2021-34473 and CVE-2021-34523 (ProxyShell) were used to exploit the servers. ProxyLogon is a server-side request forgery (SSRF) vulnerability that allows threat actors to access an Exchange server by sending a specially crafted web request. The ProxyShell vulnerability, on the other hand, abuses URL normalization of explicit Logon URLs to access the Exchange machines. The other ProxyShell vulnerability can be used to impersonate a local administrator and run PowerShell commands.

The malicious emails carry Microsoft Excel or Word attachments that download ZIP files onto the system and execute the malicious DLL.

Impact

  • Unauthorized Access
  • Data Exfiltration
  • Exposure of Sensitive Data

Indicators of Compromise

Domain Name

  • aayomsolutions[.]co[.]in
  • agoryum[.]com
  • arancal[.]com
  • constructorachg[.]cl
  • decinfo[.]com[.]br
  • dongarza[.]com
  • grandthum[.]co[.]in

Hostname

  • aparnashealthfoundation[.]aayom[.]com

IP

  • 108[.]179[.]192[.]18
  • 108[.]179[.]193[.]34
  • 23[.]111[.]163[.]242
  • 24[.]229[.]150[.]54

MD5

  • d868b389f2f824a32367767a17b397b8

SHA-256

  • 4bcef200fb69f976240e7bc43ab3783dc195eac8b350e610ed2942a78c2ba568

SHA-1

  • 41a0834524ce0df8a18cc94b6a1eba6eebf6f397

URL

  • http[:]//24[.]229[.]150[.]54[:]995/t4
  • http[:]//aayomsolutions[.]co[.]in/etiste/quasnam-4966787
  • http[:]//aparnashealthfoundation[.]aayom[.]com/quasisuscipit/totamet-4966787
  • http[:]//arancal[.]com/HgLCgCS3m/be[.]html
  • http[:]//decinfo[.]com[.]br/s4hfZyv7NFEM/y9[.]html
  • http[:]//grandthum[.]co[.]in/9Z6DH5h5g/be[.]html
  • http[:]//iperdesk[.]com/JWqj8R2nt/be[.]html
  • http[:]//omoaye[.]com[.]br/Z0U7Ivtd04b/r[.]html

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Download patches for all the CVEs mentioned above at https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
  • Use detection and protection services such as XDRs, SOARs, and EDRs.
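To support the "search for IOCs in your environment" step, the following is an added example (not part of the Rewterz advisory) that refangs the indicators listed above and matches them against proxy, DNS and firewall log lines and against observed file hashes. The indicator values are copied from the advisory; the log lines and the file paths and digests in SAMPLE_LOGS and SAMPLE_HASHES are constructed for the demonstration, and the anchored-regex approach is one way of doing the matching, not a Rewterz tool.

```python
import re

# Indicators copied from the advisory, in their defanged form.
DEFANGED_DOMAINS = [
    "aayomsolutions[.]co[.]in", "agoryum[.]com", "arancal[.]com",
    "constructorachg[.]cl", "decinfo[.]com[.]br", "dongarza[.]com",
    "grandthum[.]co[.]in", "aparnashealthfoundation[.]aayom[.]com",
]
DEFANGED_IPS = [
    "108[.]179[.]192[.]18", "108[.]179[.]193[.]34",
    "23[.]111[.]163[.]242", "24[.]229[.]150[.]54",
]
DEFANGED_URLS = [
    "http[:]//24[.]229[.]150[.]54[:]995/t4",
    "http[:]//aayomsolutions[.]co[.]in/etiste/quasnam-4966787",
    "http[:]//aparnashealthfoundation[.]aayom[.]com/quasisuscipit/totamet-4966787",
    "http[:]//arancal[.]com/HgLCgCS3m/be[.]html",
    "http[:]//decinfo[.]com[.]br/s4hfZyv7NFEM/y9[.]html",
    "http[:]//grandthum[.]co[.]in/9Z6DH5h5g/be[.]html",
    "http[:]//iperdesk[.]com/JWqj8R2nt/be[.]html",
    "http[:]//omoaye[.]com[.]br/Z0U7Ivtd04b/r[.]html",
]
HASHES = {
    "md5": {"d868b389f2f824a32367767a17b397b8"},
    "sha1": {"41a0834524ce0df8a18cc94b6a1eba6eebf6f397"},
    "sha256": {"4bcef200fb69f976240e7bc43ab3783dc195eac8b350e610ed2942a78c2ba568"},
}


def refang(indicator: str) -> str:
    """Reverse the defanging used in the advisory so the value matches real log data."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def build_matchers():
    """Compile one anchored regex per indicator.

    The boundaries stop partial matches: the IP 24.229.150.54 must not fire on
    124.229.150.54, and a domain must not match inside a longer label.
    """
    matchers = []
    for url in DEFANGED_URLS:
        value = refang(url)
        matchers.append(("url", re.compile(re.escape(value) + r"(?![\w-])"), value))
    for domain in DEFANGED_DOMAINS:
        value = refang(domain)
        pattern = r"(?<![\w-])" + re.escape(value) + r"(?![\w-])"
        matchers.append(("domain", re.compile(pattern, re.IGNORECASE), value))
    for ip in DEFANGED_IPS:
        value = refang(ip)
        pattern = r"(?<![\d.])" + re.escape(value) + r"(?![\d.])"
        matchers.append(("ip", re.compile(pattern), value))
    return matchers


MATCHERS = build_matchers()


def scan_logs(lines):
    """Return (line_number, indicator_type, indicator) for every indicator seen in each line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern, value in MATCHERS:
            if pattern.search(line):
                hits.append((number, kind, value))
    return hits


def check_hashes(observed):
    """observed: iterable of (path, algorithm, hexdigest); return entries on the advisory's hash lists."""
    return [(path, algo, digest) for path, algo, digest in observed
            if digest.lower() in HASHES.get(algo.lower(), set())]


# Constructed sample data for the demonstration (not taken from the advisory).
SAMPLE_LOGS = [
    "2021-11-22T10:14:03Z proxy client=10.0.0.12 method=GET url=http://arancal.com/HgLCgCS3m/be.html status=200",
    "2021-11-22T10:14:05Z dns client=10.0.0.12 query=aparnashealthfoundation.aayom.com type=A",
    "2021-11-22T10:14:09Z firewall action=allow src=10.0.0.12 dst=24.229.150.54 dport=995",
    "2021-11-22T10:15:00Z proxy client=10.0.0.40 method=GET url=http://example.com/index.html status=200",
    "2021-11-22T10:15:02Z firewall action=allow src=10.0.0.40 dst=124.229.150.54 dport=443",  # near-miss IP
]
SAMPLE_HASHES = [
    ("C:\\Users\\user\\AppData\\Local\\Temp\\invoice.zip", "sha256",
     "4bcef200fb69f976240e7bc43ab3783dc195eac8b350e610ed2942a78c2ba568"),
    ("C:\\Windows\\System32\\notepad.exe", "sha256", "00" * 32),  # placeholder digest, constructed
]

if __name__ == "__main__":
    for number, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {kind} indicator {value}")
    for path, algo, digest in check_hashes(SAMPLE_HASHES):
        print(f"{path}: {algo} {digest} is on the advisory's hash list")
```

Run against the constructed sample, the scanner flags the proxy request to arancal.com (once as a full URL hit and once as a domain hit), the DNS query for the listed hostname and the outbound connection to 24.229.150.54 on port 995, while the near-miss address 124.229.150.54 on the last line is correctly ignored; only the first sample file hash is on the advisory's list.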
