Email security, Phishing, Network Security

‘It’s all about click rate.’ Squirrelwaffle campaign disguises malicious activity as replies to email chains

A Trend Micro expo both during Taipei IT Month in December 2017. (Solomon203, CC BY-SA 4.0, via Wikimedia Commons)

Look closely at the reply to that email you send earlier. It may not be from the party you had expected.

The Incident Response team at Trend Micro has published a new blog post report warning that adversaries behind a newly discovered downloader malware known as Squirrelwaffle are exploiting ProxyLogon and ProxyShell Microsoft Exchange Server vulnerabilities to send malicious replies to existing email threads.

The tactic is a clever one: While employees with security awareness training might eye an unsolicited email warily, users are less likely to be suspicious of a response to an email chain that they’ve already been actively participating in. Before they know it, they might click on a link resulting in malware, or fall for a business email compromise scam and wire funds to an attacker-controlled account. “Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe,” the blog post warned.

“The recipient may think this is coming from a coworker who they’ve had email threads with before and as such simply believe it is from them,” explained Jon Clay, vice president of threat intelligence, in an email interview with SC Media. “This is especially true if the attackers have compromised another employee’s email account and utilize a previous email thread with the other employee. This is an effective way of fooling another employee within the organization.”

“This is a relatively new tactic, but a natural evolution of what already has been occurring,” added John Bambenek, principal threat hunter at Netenrich. “Emails out of the blue are suspicious, but when they come from people you already trust they are more likely to be successful. When there are emails as part of a conversation that is already occurring, it means the click rate can be even higher. It’s all about click rate.”

Early this year, the Unit 42 threat research team at Palo Alto Networks reported on a similar scam perpetrated by the cybercriminal group TA551, as a means to spread information-stealing malware, such as Ursnif, Valak and IcedID.

According to Trend Micro, Squirrelwaffle emerged this past September, playing a hand in several digital Middle East-based digital intrusion events that originated from on-premise, unpatched Microsoft Exchange Servers. In at least one case, internal users at compromised organizations received fraudulent email chain replies that used actual account names from the victim’s domain as sender and recipient, “which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” explained the blog post.

Moreover, in that same incident, Trend Micro “analyzed the email headers for the received malicious emails,” the blog post continued. “The mail path was internal … indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).”

Traditional email gateways are generally not able to identify and block such attack attempts, as basic email protections generally aren’t set up to prevent internal traffic, even if it’s been compromised in some manner.

Additionally, “the reply chain itself may evade some detection methods based on the use of language,” said Jonathan Tanner, senior security researcher at Barracuda Networks. “A common trick among spammers is to append a large amount of text at the end of spam emails that has been formatted to not be readable by the recipient. Through this method, these types of emails will throw off detection engines using specific keyword frequencies to detect spam.”

“In training even the more advanced detection models, a large number of legitimate emails must be used and these will often contain reply chains,” Tanner continued. “Thus, the model might still be evaded by creating more legitimate content than not for the model to evaluate. While reply chains could simply be faked, and perhaps sometimes are, the information in the headers from a legitimate reply chain may help with the credibility that an exchange of emails has in fact taken place."

This means it may ultimatey be up to the human user to know not to click on a malspam email’s links. In the Squirrelwaffle campaign, these links dropped a zip file containing a weaponized Microsoft Excel sheet with malicious macros that can download and execute a DLL related to the banking trojan Qbot.

To defend against this threat, Trend Micro recommends to apply the most up-to-date patches to the ProxyShell and ProxyLogon vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207); use endpoint, detection and response solutions in critical servers; leverage endpoint protection design for servers; and apply sandbox technology on email, network and web systems.

But what about from an end-user awareness perspective? How can organizations get the message across that employees shouldn’t inherently trust an email just because it’s part of a larger exchange of emails?

“If the request within the email is not typical from the sender then this may indicate suspiciousness,” said Clay. “Examples would be requests to click on a link, open an attachment or [another] actionable request. Especially if the request is of an urgent manner”

Clay suggested that employees could be taught to check the URL “to see if what is displayed is the same as what the actual link is going to.” Also, “check if the attachment type is typical from that sender, or if it is one not often used. If after clicking a link or opening an attachment, there is a pop-up request to log into an account, take that as potentially malicious and ignore.”

After performing such actions, “if there is still doubt as to whether or not the email is legitimate, alternative means of verifying can be used such as contacting the person the email is allegedly from by a different means, such as chat or a phone call, and simply asking if they sent the message and whether it was from them and legitimate,” added Tanner. “In a more general sense, such as email claiming to be from banks or entities the user interacts with, manually contacting these organizations by calling their official phone numbers or typing their URL into the address bar instead of following links can help avoid phishing attempts.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.