Microsoft Exchange Servers are being used to distribute Qakbot malware
Exploiting an unpatched Exchange Server vulnerability and a less-than-foolproof malicious URL strategy is leading to mounting infections in businesses


Compromised Microsoft Exchange servers are being used to spread the SquirrelWaffle malspam campaign, according to security researchers.
Speaking to IT Pro, Amir Hadžipašić, CEO and founder of SOS Intelligence, said a vulnerability in Microsoft Exchange, left unpatched as of the last 12 October update, was being exploited using a method similar to ProxyShell - a recent exploit affecting Microsoft Exchange servers that afforded attackers remote code execution access.
Conversations held between SOS Intelligence and organisations who have fallen victim to the campaign confirmed Hadžipašić's suspicions that compromised Exchange servers were being used to launch the malspam campaign.
The new development is particularly concerning for businesses given the sophisticated nature of the attack. SquirrelWaffle hijacks inboxes and sends malicious emails in reply to existing email chains, increasing the likelihood that a victim will click on a malicious link or open an infected file because it appears to come from a trusted source. Analysis of victims' logs reveals that ProxyShell exploitation leads to mail being exported via Microsoft Exchange Web Services (EWS), which allows the attackers to send from existing chains.
"What is interesting about this particular campaign and is an important development is that all of the emails we observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyShell," Hadžipašić told IT Pro.
"Following an investigation of the sender mail servers all were confirmed (by http://Shodan.io) to be vulnerable, further discussions with a number of victims - who had confirmed to have been compromised by a ProxyShell type exploit and indeed were a source of these emails - confirms that Exchange servers and email threads were being 'hijacked' to deliver this malspam."
Another new development in the campaign, observed only in the past few days, is that the URLs in the malspam emails are now changing. Previous hyperlinks have been abandoned for non-hyperlinked, shortened URLs which lead to the download of a malicious payload such as Qakbot if followed.
This opens up the campaign to an element of failure, given victims must manually copy and paste the URL into a browser in order for the malware to be dropped.
The URLs omit the HTTP/HTTPS prefix, so mail clients do not render them as hyperlinks and URL-rewriting protections do not process them; this has led to an uptick in infections because it helps the messages evade email spam filters.
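As an added illustration (not code from the article or from SOS Intelligence), a small Python check that flags scheme-less, non-hyperlinked URLs of the kind described above and raises the rating when the message also claims to be a reply to an existing thread; the sample messages and the shortener-style domain are constructed.

```python
import re
from dataclasses import dataclass

# A "bare" URL: hostname plus a short opaque path, with no scheme in front.
# "short-example.ly/Q7xZk9" is flagged; "https://short-example.ly/Q7xZk9" is
# not, because a URL-rewriting gateway would already have wrapped that one.
BARE_URL = re.compile(
    r"(?<![\w/@.:-])"                   # not glued to a scheme, e-mail or path
    r"(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})"
    r"/(?P<path>[A-Za-z0-9_-]{4,})"     # short token path, typical of shorteners
    r"\b",
    re.IGNORECASE,
)

@dataclass
class Finding:
    host: str
    path: str
    reason: str

def find_bare_urls(body: str) -> list[Finding]:
    """Return every scheme-less URL-like token in the message body."""
    return [
        Finding(m.group("host"), m.group("path"),
                "scheme-less URL: mail client will not hyperlink it and "
                "URL rewriting will not have inspected it")
        for m in BARE_URL.finditer(body)
    ]

def classify(headers: dict, body: str) -> str:
    """Rate a message: bare URL inside an apparent reply scores highest."""
    bare = find_bare_urls(body)
    if not bare:
        return "low"
    subject = headers.get("Subject", "").strip().lower()
    looks_like_reply = subject.startswith(("re:", "aw:", "fwd:", "fw:"))
    return "high" if looks_like_reply else "medium"

# Constructed samples: one ordinary message, one mimicking the thread-hijack lure.
SAMPLE_BENIGN = "Please see https://docs.example.com/guide for the updated policy."
SAMPLE_REPLY = ("Hi, as discussed last week the invoice is at "
                "short-example.ly/Q7xZk9 please review and confirm.")

if __name__ == "__main__":
    for subj, body in (("Q3 budget", SAMPLE_BENIGN), ("RE: Q3 budget", SAMPLE_REPLY)):
        print(subj, "->", classify({"Subject": subj}, body), find_bare_urls(body))
```

The regex deliberately stays narrow (a dotted host followed by a short token path) to keep false positives on version strings and dates down; tune the path length for your own mail.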
"Both of these factors increase the likelihood of success since they are social engineering a victim, who will receive an email apparently related to a topic discussed not long ago with the sender and secondly the link was sent in such a way as to bypass any URL rewrite protection mechanisms," said Hadžipašić.
"It is strongly suspected that this campaign is being orchestrated by the 'TR Distro Actor' / TA577 utilising compromised Exchange servers to send these malicious spam emails delivering via an Excel Spreadsheet the Qakbot," he added.
Speaking on the recent TLP Green discoveries, other security researchers, as well as Hadžipašić, have warned of the severity of the situation. Qakbot campaigns are believed to be closely linked to ransomware groups.
Businesses are advised to urgently patch their Exchange servers to at least Cumulative Update 22 and, most importantly, to ensure EWS is not exposed to the internet.
IT Pro contacted Microsoft for comment but it did not reply at the time of publication.
SquirrelWaffle at a glance
Cisco Talos researchers published a report in late October 2021 detailing the SquirrelWaffle campaign, a new malware family being seen in infections with increasing regularity, which "could become the next big player in the spam space".
The report notes that SquirrelWaffle provides attackers with a foothold on victims' machines, which then allows them to compromise the victim further and distribute additional infections. Qakbot and the penetration testing tool Cobalt Strike were the common payloads the Cisco Talos team observed.
Infections were observed dating back to the middle of September with researchers observing email chains being hijacked in a way not dissimilar to the way Emotet spread before law enforcement intervened in the spread of the botnets.
In these hijacked emails, the researchers identified what they believed to be a degree of localisation taking place, since the emails largely matched the language and style used in the chains that were hijacked. The attack mainly targets English-speaking victims, with less than a quarter of emails written in other languages.
While this is a relatively new attack vector, the common malware payload, Qakbot, has been around for some time. Back in 2020, researchers discovered the link between Qakbot infections and distributions of DoppelPaymer - the ransomware used to target the likes of Newcastle University, Foxconn, and Compal.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.