SquirrelWaffle Is Using Typosquatting in Latest Campaign
The Attackers Seem to Be Employing New Tactics.
SquirrelWaffle is a relatively new malware loader that was first discovered back in September 2021. It works by hijacking an email thread in order to maximize the likelihood that a victim would click on malicious links, so they are hiding inside an email response, in a manner similar to how the highly contagious Emotet virus, which is often distributed by malicious emails or text messages, has functioned.
Analysts Matthew Everts and Stephen McNally of Sophos wrote in a recent blog post that, in most cases, SquirrelWaffle attacks end when the holes are finally patched, removing the attacker’s ability to send emails through the server.
The Sophos Rapid Response discovered that a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server allowing the attackers to use the same vulnerable server to siphon information from a stolen email thread and launch a financial fraud attack using the information they had obtained.
The combination of Squirrelwaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain the ability to send spam once the Exchange server has been remediated.
According to the experts, patching Exchange would not have prevented SquirrelWaffle from intercepting an email thread containing client payments from the victim’s Exchange server in this particular instance since the attackers had already intercepted the email thread from the victim’s Exchange server, and attempted to reroute the funds of the victim’s customers into bank accounts under their control.
Trying to prove their legitimacy the malicious actors went as far as to copy more email addresses in order to make it seem as if they were asking assistance from an inside department and then began using the phrase “this transaction is ready to proceed!” in order to rush the transaction.
After the SquirrelWaffle operators got an email showing that the fraudulent payment was being completed, the attackers’ bogus accountant pretended to be at ease, promising their mark that they would send them an invoice as soon as possible.