Log in
Show password
Forgot password ?
Become a member for free
Sign up
Sign up
New member
Sign up for FREE
New customer
Discover our services
Dynamic quotes 
  1. Homepage
  2. Equities
  3. Japan
  4. Japan Exchange
  5. Trend Micro
  6. News
  7. Summary
    4704   JP3637300009


SummaryMost relevantAll NewsOther languagesPress ReleasesOfficial PublicationsSector news

Trend Micro Incorporated : Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains

11/19/2021 | 08:14am EST

In September, Squirrelwaffle emerged as a new loader that is spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email chains, a tactic that lowers a victim's guard against malicious activities. To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.

The Trend Micro Incident Response team looked into several intrusions related to Squirrelwaffle, that happened in the Middle East. This led to a deeper investigation into the initial access of these attacks. We wanted to see if the attacks involved the said exploits.

This comes from the fact that all of the intrusions we observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon and ProxyShell. In this blog entry, we shed more light into these observed initial access techniques and the early phases of Squirrelwaffle campaigns.

Microsoft Exchange infection

We observed evidence of the exploits on the vulnerabilities CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 in the IIS Logs on three of the Exchange servers that were compromised in different intrusions. The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions. Microsoft released a patch for ProxyLogon in March; those who have applied the May or July updates are protected from ProxyShell vulnerabilities.

CVE-2021-26855: the pre-authentication proxy vulnerability

This server-side request forgery (SSRF) vulnerability can allow a threat actor access by sending a specially crafted web request to an Exchange Server. The web request contains an XML payload directed at the Exchange Web Services (EWS) API endpoint.

The request bypasses authentication using specially crafted cookies and allows an unauthenticated threat actor to execute EWS requests encoded in the XML payload then ultimately perform operations on victims' mailboxes.

From our analysis of the IIS log, we saw that the threat actor uses a publicly available exploit in its attack. This exploit gives a threat actor the ability to get users SID and emails. They can even search for and download a target's emails. Figures 1 to 3 highlights evidence from IIS logs and show the exploit code.

Figure 1. Exploiting CVE-2021-26855, as seen in the IIS logs

The logs (Figure 2 to 3) also show that threat actor used the ProxyLogon vulnerability to get this particular user's SID and emails to use them to send malicious spam.

Figure 2. The function responsible for getting the SID inside the exploit
Figure 3. The user agent used in the attack
CVE-2021-34473: the pre-auth path confusion

This ProxyShell vulnerability abuses the URL normalization of the explicit Logon URL, wherein the logon email is removed from the URL if the suffix is autodiscover/autodiscover.json. This grants arbitrary backend URL the same access as the Exchange machine account (NT AUTHORITYSYSTEM).

Figure 4. Exploiting CVE-2021-34473
CVE-2021-34523: Exchange PowerShell backend elevation-of-privilege

Exchange has a PowerShell remoting feature that can be used to read and send emails. It can't be used by NT AUTHORITYSYSTEM as it does not have a mailbox. However, in cases where it is accessed directly via the previous vulnerability, the backend/PowerShell can be provided with X-Rps-CAT query string parameter. The backen/PowerShell will be deserialized and used to restore user identity. It can therefore be used to impersonate a local administrator to run PowerShell commands.

Figure 5. Exploiting CVE-2021-34523
Figure 6. The malicious spam received by targets

With this, the attackers would be able to hijack legitimate email chains and send their malicious spam as replies to the said chains.

Malicious spam

In one of the observed intrusions, all the internal users in the affected network received emails like similar to those shown in Figure 6, where the spam emails have been sent as legitimate replies to existing email threads. All of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim's domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets.

Figure 7. Malicious spam via the MTA route

In the same intrusion, we analyzed the email headers for the received malicious emails, the mail path was internal (between the three internal exchange servers' mailboxes), indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).

Figure 8. Malicious Microsoft Excel document

Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails. The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so that no suspicious network activities will be detected. Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.

The malicious Microsoft Excel file

The attacker exploited the Exchange servers to deliver internal mails. This was all done to catch users off-guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.

Both links used in the malicious emails (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787 ) drop a ZIP file in the machine. The ZIP file contains, in this case, a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to Qbot.

Figure 9. Excel 4.0 Macros

These sheets contain malicious Excel 4.0 macros that is responsible for downloading and executing the malicious DLL.

Figure 10. Excel file infection chain

The spreadsheets download the DLL from hardcoded URLs which are hxxps:[//]iperdesk.com/JWqj8R2nt/be.html, hxxps:[//]arancal.com/HgLCgCS3m/be.html and hxxps:[//]grandthum.co.in/9Z6DH5h5g/be.html.

The DLL is dropped in C:Datop. Finally, the document executes the DLL using the following commands:

  • C:WindowsSystem32regsvr32.exe" C:Datopgood.good
  • C:WindowsSystem32regsvr32.exe" C:Datopgood1.good
  • C:WindowsSystem32regsvr32.exe" C:Datopgood2.good
Figure 11. DLL infection flow

Security recommendations

As mentioned earlier, by exploiting ProxyLogon and ProxyShell attackers were able to bypass the usual checks that would have stopped the spread of malicious email. This highlights how users plays an important part in the success or failure of an attack. Squirrelwaffle campaigns should make users wary of the different tactics used to mask malicious emails and files. Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.

It is important to ensure that patches for Microsoft Exchange Server vulnerabilities, specifically ProxyShell and ProxyLogon (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) have already been applied. Microsoft reiterated, those who have applied their patch for ProxyLogon in March are not protected from ProxyShell vulnerabilities, and should install more recent (May or July) security updates.

Here are other security best practices to consider:

  • Enable virtual patching modules on all Exchange servers to provide critical level protection for servers that have not yet been patched for these vulnerabilities.
  • Use endpoint detection and response (EDR) solutions in critical servers, as it provides visibility to machine internals and detect any suspicious behavior running on servers.
  • Use endpoint protection design for servers.
  • Apply sandbox technology on email, network, and web is very imported to detect similar URLs and samples.

Users can also opt to protect systems through managed detection and response (MDR), which utilizes advanced artificial intelligence to correlate and prioritize threats, determining if they are part of a larger attack. It can detect threats before they are executed, preventing further compromise.

The indicators of comromise (IOCs) can be found here.


Trend Micro Inc. published this content on 19 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 19 November 2021 13:13:03 UTC.

ę Publicnow 2021
All news about TREND MICRO
01/25TREND MICRO : TianySpy Malware Uses Smishing Disguised as Message From Telco
01/24TREND MICRO : Analysis and Impact of LockBit Ransomware's First Linux and VMware ESXi Vari..
01/24TREND MICRO : Investigating APT36 or Earth Karkaddan's Attack Chain and Malware Arsenal
01/21TREND MICRO : This Week in Security News - January 21, 2022
01/21CODEX EXPOSED : Task Automation and Response Consistency
01/21TREND MICRO : Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
01/20TREND MICRO : Defending Users' NAS Devices From Evolving Threats
01/18NEW RANSOMWARE SPOTTED : White Rabbit and Its Evasion Tactics
01/17TREND MICRO : Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Technique..
More news
Sales 2021 188 B 1 640 M 1 640 M
Net income 2021 34 962 M 305 M 305 M
Net cash 2021 182 B 1 587 M 1 587 M
P/E ratio 2021 23,9x
Yield 2021 3,18%
Capitalization 842 B 7 362 M 7 340 M
EV / Sales 2021 3,51x
EV / Sales 2022 3,23x
Nbr of Employees 6 975
Free-Float -
Duration : Period :
Trend Micro Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends TREND MICRO
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus HOLD
Number of Analysts 12
Last Close Price 6 030,00 JPY
Average target price 6 983,64 JPY
Spread / Average Target 15,8%
EPS Revisions
Managers and Directors
Yi Fen Chen Auditor
Mahendra Negi Group CFO, COO & Representative Director
Ming Jang Chang Representative Director
Max Cheng Chief Information Officer & Executive VP
Kevin Simzer Chief Operating Officer
Sector and Competitors
1st jan.Capi. (M$)
TREND MICRO-7.51%7 243
SEA LIMITED-35.22%81 436
SYNOPSYS INC.-20.85%44 752