Attackers may leave behind a web shell to maintain access and wreak havoc later on, according to researchers who investigated a recent Squirrelwaffle malware incident.

Unpatched Microsoft Exchange servers are in the spotlight again. In a recent incident, attackers used the Squirrelwaffle malware loader together with the ProxyLogon and ProxyShell exploits against an unpatched Exchange server, then used that server to mass-distribute Squirrelwaffle to both internal and external recipients.

This was achieved by inserting malicious replies into employees’ existing email threads. Cyber researchers discovered that, while the malicious spam campaign was under way, the same vulnerable server was also used for a financial fraud attempt: the attackers used knowledge extracted from a stolen email thread, plus a “typo-squatted” look-alike domain, to try to convince an employee to redirect a legitimate customer transaction to them.

The fraud almost succeeded: the transfer of funds to the malicious recipient was authorized, but fortunately a bank had become suspicious and stopped the transaction.

Squirrelwaffle operators also use DocuSign-themed lures to try to trick the user into enabling macros in Office documents.

Squirrelwaffle malware is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim’s environment and establishes a channel to deliver other malware and infect systems with it.

Matthew Everts, an analyst at Sophos Rapid Response, which investigated the incident, said: “In a typical Squirrelwaffle attack leveraging a vulnerable Exchange server, the attack ends when defenders detect and remediate the breach by patching the vulnerabilities, removing the attacker’s ability to send emails through the server. However, such remediation wouldn’t have stopped the financial fraud attack because the attackers had exported an email thread about customer payments from the victim’s Exchange server.”

Everts noted that patching alone is not always enough for protection. In the case of vulnerable Exchange servers, for example, organizations also need to check that the attackers have not left behind a web shell to maintain access. “And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection,” he said.
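One way a mail-filtering or SOC team can screen replies in an existing thread for the typo-squatted sender domains used in the fraud described above: trust the domains that took part in the thread's first message and flag later senders whose domain is new but only an edit or two away from a trusted one. This is an added Python example, not code from this article or from Sophos; the thread, addresses and domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample thread (not real data): two legitimate messages between
# victim.example and customer.example, then a reply injected into the thread
# from a look-alike domain that swaps "m" for "rn" and redirects the payment.
SAMPLE_THREAD = [
    "From: Alice <alice@victim.example>\r\nTo: Bob <bob@customer.example>\r\n"
    "Subject: Invoice 4471\r\nMessage-ID: <1@victim.example>\r\n\r\nInvoice attached.\r\n",
    "From: Bob <bob@customer.example>\r\nTo: Alice <alice@victim.example>\r\n"
    "Subject: RE: Invoice 4471\r\nIn-Reply-To: <1@victim.example>\r\n\r\nWill pay next week.\r\n",
    "From: Bob <bob@customer.exarnple>\r\nTo: Alice <alice@victim.example>\r\n"
    "Subject: RE: Invoice 4471\r\nIn-Reply-To: <1@victim.example>\r\n\r\n"
    "Please send this payment to our new bank account instead.\r\n",
]

def levenshtein(a, b):
    """Edit distance; a small distance between two domains suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_domains(msg, header):
    """Lower-cased domains of every address in the given header (From, To, ...)."""
    return {addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(msg.get_all(header, [])) if "@" in addr}

def find_lookalike_replies(thread, max_distance=2):
    """Trust the domains in the thread's first message, then flag later replies
    whose sender domain is new but within max_distance edits of a trusted one.
    Returns a list of (message index, sender domain, trusted domain it mimics)."""
    first = message_from_string(thread[0])
    trusted = header_domains(first, "From") | header_domains(first, "To")
    flagged = []
    for idx, raw in enumerate(thread[1:], 1):
        for sender in header_domains(message_from_string(raw), "From"):
            if sender in trusted:
                continue
            for known in trusted:
                if levenshtein(sender, known) <= max_distance:
                    flagged.append((idx, sender, known))
    return flagged

if __name__ == "__main__":
    for idx, sender, known in find_lookalike_replies(SAMPLE_THREAD):
        print(f"message {idx}: sender domain {sender!r} mimics trusted {known!r}")
```

A real deployment would feed this the thread's messages from the mail store and combine it with checks on In-Reply-To/References headers and changes to payment details.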