SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming (Security News, February 2022)
SquirrelWaffle - the newish malware loader that first showed up in September - once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of hijacking email threads.
In a Tuesday post, Sophos analysts Matthew Everts and Stephen McNally said that SquirrelWaffle attacks typically entail the threat actors walking through holes left by the unpatched, notorious, oft-picked-apart ProxyLogon and ProxyShell Exchange server vulnerabilities, and that the attack usually ends when those holes finally get patched, removing the attacker's ability to send emails through the server.
In this recent engagement, the Sophos Rapid Response team found that while a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server, that same vulnerable server was being used by the attackers to siphon off knowledge from a stolen email thread and to launch a financial fraud attack.
In this case, patching Exchange wouldn't have clipped SquirrelWaffle's tail, the analysts said, given that the attackers had already spirited away an email thread about customer payments from the victim's Exchange server.
The double-up attack on the vulnerable Exchange server started with the attackers registering a typosquat domain.
Sophos offered advice on how to protect against malicious email attacks such as the SquirrelWaffle campaign, the first of which is a head-desk-bang-bang cliché: Namely, patch those servers.
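The fraud leg described above hinges on a reply arriving inside a genuine thread from a lookalike domain. As an added illustration (not code from Sophos, Threatpost or the campaign itself, and using constructed domain names and messages), the check below walks a thread in order and flags any message whose sender domain is a near-miss of a domain already seen earlier in that thread.

```python
from email.utils import parseaddr

# Constructed sample thread (hypothetical domains): two legitimate messages,
# then a reply that arrives from a typosquat of the supplier's domain.
SAMPLE_THREAD = [
    {"from": "Ana <ana@example-supplier.com>", "subject": "Invoice 1042"},
    {"from": "Bob <bob@customer.example>", "subject": "Re: Invoice 1042"},
    {"from": "Ana <ana@example-suppiler.com>", "subject": "Re: Invoice 1042"},
]


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Extract the lowercased domain from a From: header value."""
    addr = parseaddr(header_value)[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def lookalike_replies(thread, max_distance=2):
    """Return (index, sender_domain, resembled_domain) for every message whose
    sender domain differs from, but is within max_distance edits of, a domain
    that already appeared earlier in the thread."""
    seen = []  # ordered so results are deterministic
    flagged = []
    for idx, msg in enumerate(thread):
        dom = sender_domain(msg["from"])
        if not dom:
            continue
        for known in seen:
            if dom != known and levenshtein(dom, known) <= max_distance:
                flagged.append((idx, dom, known))
                break
        if dom not in seen:
            seen.append(dom)
    return flagged


if __name__ == "__main__":
    for idx, dom, known in lookalike_replies(SAMPLE_THREAD):
        print(f"message {idx}: {dom} resembles earlier participant {known}")
```

The same walk can be run over exported thread headers; the distance threshold is a tuning knob, and a hit is a reason to verify payment-detail changes out of band rather than a verdict on its own.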
News URL: https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/