Researchers have found a new malware campaign exploiting vulnerable Microsoft Exchange Servers. The threat actors deploy the Squirrelwaffle malware loader on vulnerable servers to conduct financial fraud via phishing emails.
Squirrelwaffle Malware Now Targeting Microsoft Exchange Servers
In a recent blog post, Sophos has shared details about a new phishing campaign targeting vulnerable Microsoft Exchange Servers.
As elaborated, the researchers found the threat actors deploying Squirrelwaffle malware on vulnerable Exchange servers. For this, the hackers exploit ProxyLogon and ProxyShell vulnerabilities to compromise target servers.
This isn’t the first time Squirrelwaffle malware has exploited the two vulnerabilities, what makes matters worse here is that the malware can survive remediation on compromised servers. That’s because, in this campaign, the threat actors not only exploit affected servers to send malicious emails, but they also export email threads which they continue to abuse by typosquatting.
Briefly, during their study, Sophos researchers noticed one such email thread that the attackers had exported from a remediated server. They then continued sending the phishing emails via a typo-squatted domain. This technique facilitated the attackers to redirect any payments from the victims to their own servers.
The attackers achieved a nearly-successful payment redirection from the victims until the transaction raised red flags to financial institutions. As stated in the post,
The victim organization initiated a transfer of money to the attackers, however, one of the financial institutions involved in the transaction flagged the transaction as fraudulent and so the transfer did not complete.
Preventing Such Attacks
According to the researchers, remediating the attack can help stop Squirrelwaffle and other similar attacks. However, the recent campaign seems unaffected by remediation as the attackers employ typosquatting to continue sending spam emails.
So, for such cases, the researchers advise the victims to file abuse complaints to the domain registrar behind the typo-squatted domain. Also, flagging the compromised legit domain as spam can help.