The campaign was uncovered by TrendMicro researchers that detailed the technique used to trick victims opening the malicious email used as the attack vector.
The attacks were orchestrated by Squirrelwaffle, a threat actor known for sending malicious spam as replies to existing email chains.
Once compromised the Exchange servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks containing links to weaponized documents. Sending the messages from the organizations allow the attackers to bypass detection.
“In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers’ mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).” reads the analysis published by Trend Micro. “Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails.”
The emails originate from the same internal network, appear to be a continuation of a previous discussion between two employees.
The attacker did not use tools for lateral movement or execute malware on the Exchange servers to avoid detection.
The emails use weaponized Office documents or include a link to them. Upon enabling the content, malicious macros are executing to download and install the malware, such as Qbot, Cobalt Strike, and SquirrelWaffle.
The excel sheets used in this campaign contain malicious Excel 4.0 macros used to download and execute the malicious DLL.
Experts recommend securing their Microsoft Exchange servers by installing security updates published by Microsoft.
“As mentioned earlier, by exploiting ProxyLogon and ProxyShell attackers were able to bypass the usual checks that would have stopped the spread of malicious email.” concludes the analysis. “It is important to ensure that patches for Microsoft Exchange Server vulnerabilities, specifically ProxyShell and ProxyLogon (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) have already been applied.”
(SecurityAffairs – hacking, ProxyLogon)