Rewterz Threat Alert – Squirrelwaffle Exploits ProxyLogon and ProxyShell Infect Systems

November 24, 2021

Severity

Medium

Analysis Summary

Squirrelwaffle is a malspam loader that emerged in September, 2021 which utilizes malicious links or Microsoft Office files spread through spam campaigns that trigger and infection chain upon being opened. ProxyLogon and Proxyshell were two exploits used in the attacks.

Vulnerabilities CVE-2021-26855 (ProxyLogon), CVE-2021-34473and CVE-2021-34523 (ProxyShell) were used in the exploitation of the servers. ProxyLogon is a server-side request forgery (SSRF) vulnerability that allows threat actors to access an exchange server by sending a specially crafted web request. The ProxyShell vulnerability on the other hand abused URL normalization of explicit Logon URLs to access the exchange machines. The other PowerShell vulnerability can be used to impersonate a local administrator to run PowerShell commands.

The malicious emails contain malicious Microsoft Excel or Word files which lead to downloading ZIP files on the system and executes the malicious DLL.

Impact

Unauthorized Access
Data Exfiltration
Exposure of Sensitive Data

Indicators of Compromise

Domain Name

taketuitions[.]com
stunningmax[.]com
omoaye[.]com[.]br
mcdreamconcept[.]ng
imprimija[.]com[.]br
iperdesk[.]com

URL

https[:]//taketuitions[.]com/dTEOdMByori/j[.]html
https[:]//oel[.]tg/MSOFjh0EXRR8/j[.]html
https[:]//mcdreamconcept[.]ng/9jFVONntA9x/r[.]html
https[:]//headlinepost[.]net/3AkrPbRj/x[.]html
https[:]//dongarza[.]com/gJW5ma382Z/x[.]html
https[:]//constructorachg[.]cl/eFSLb6eV/j[.]html
https[:]//agoryum[.]com/lPLd50ViH4X9/r[.]html
http[:]//stunningmax[.]com/JR3xNs7W7Wm1/y1[.]html

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.
Download patches for all the CVEs mentioned above at
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Use Detection and Protection services like XDRs, SOARs, and EDRs