Unpatched Microsoft Exchange Servers Hit by Squirrelwaffle Malware

Summary: Microsoft Exchange Servers are being hit by yet another piece of malware, known as Squirrelwaffle, which threat actors use to drop ransomware and install backdoors on compromised servers, take remote control of them, and steal valuable information. This blog explains the Squirrelwaffle malware, its short history, tips to protect your Exchange Servers, and what to do if a server is already compromised.

Squirrelwaffle malware surfaced in September 2021 and was found infecting systems with Cobalt Strike, a commercial adversary simulation tool that is also used by threat actors. The malware was observed spreading through malicious Microsoft Office attachments.

Recently, the Squirrelwaffle malware was found infecting unpatched Microsoft Exchange Servers through malicious email-based campaigns. The malware belongs to the dropper family, which is used to install additional malware, viruses, or backdoors on the targeted systems and servers.

The malware is now being used to drop Cobalt Strike and Qakbot on unpatched Exchange Servers.

Squirrelwaffle Malware: How It Works

Threat actors spreading and deploying Squirrelwaffle malware use a stolen email reply-chain attack: they reply to existing email threads with a hyperlink to ZIP files hosted on a web server they control, usually containing .doc or .xls attachments. Additionally, the attackers use DocuSign, an electronic signature service, as a pretext to trick the recipient into enabling macros.

Once these attachments are downloaded and opened on the system, the embedded code executes and downloads the malware onto the system.

The code is obfuscated with string reversal; it creates a VBS script in the C:\ProgramData folder and executes it. This script downloads the Squirrelwaffle malware from the URLs as a DLL file onto the compromised system.

Squirrelwaffle then drops further malware, such as Qakbot and Cobalt Strike, on the compromised Exchange Server. Threat actors use cracked versions of the popular penetration testing tool Cobalt Strike for post-exploitation tasks and to gain persistent access to the compromised servers. Squirrelwaffle can also evade detection and analysis by security researchers with a built-in IP blocklist feature.
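The reply-chain lure described above can be triaged at the mail gateway by looking for the combination of traits the post lists: a reply subject, a quoted earlier thread, a link to a hosted ZIP file, and a DocuSign or macro-enabling pretext. The following is an added example, not code from the original post or from any vendor; the sample message, domains, and scoring rules are constructed for illustration.

```python
"""Heuristic triage for the stolen reply-chain lure described above.
Added example; the message and rules below are constructed, not real samples.
"""
import re
from email import message_from_string

ZIP_URL = re.compile(r"https?://[^\s\"'<>]+\.zip\b", re.IGNORECASE)
LURE_WORDS = ("docusign", "enable macro", "enable content", "enable editing")

# Constructed sample: a fake "reply" that quotes an earlier thread and points
# to a hosted .zip, using a DocuSign pretext to get macros enabled.
SAMPLE_EMAIL = """\
From: accounts@example-vendor.test
To: finance@example-corp.test
Subject: RE: Invoice 4471 - Q3 services
Content-Type: text/plain

Hi, please review the signed document via DocuSign:
http://cdn.example-host.test/docs/invoice_4471.zip
Open the attached document and Enable Content to view it.

> On Tue, finance@example-corp.test wrote:
> Thanks, we will process invoice 4471 by Friday.
"""


def reply_chain_indicators(raw: str) -> dict:
    """Extract the indicators of the reply-chain pattern from a raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    payload = msg.get_payload(decode=True)          # bytes for non-multipart
    text = payload.decode("utf-8", "replace") if payload else ""
    lower = text.lower()
    return {
        "is_reply": re.match(r"\s*re:", subject, re.IGNORECASE) is not None,
        "has_quoted_thread": any(l.startswith(">") for l in text.splitlines()),
        "zip_links": ZIP_URL.findall(text),
        "macro_lure": [w for w in LURE_WORDS if w in lower],
    }


def is_suspicious(ind: dict) -> bool:
    """Reply + quoted thread + hosted .zip link is the pattern the post describes."""
    return ind["is_reply"] and ind["has_quoted_thread"] and bool(ind["zip_links"])


if __name__ == "__main__":
    ind = reply_chain_indicators(SAMPLE_EMAIL)
    print(ind, "-> SUSPICIOUS" if is_suspicious(ind) else "-> ok")
```

Messages flagged by is_suspicious are candidates for quarantine and analyst review, not automatic proof of compromise; the macro_lure list is extra context for the reviewer.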

How to Safeguard Against Squirrelwaffle Malware

To protect servers from Squirrelwaffle malware and similar attacks, follow these tips:

Look Out for Suspicious Emails and Attachments

Inform and educate employees to be wary of unexpected emails and attachments, and not to open suspicious attachments on their systems.

Install Antivirus

Also, install antivirus protection. If antivirus is already installed, ensure the virus definitions are up to date. Some antivirus software also provides spam protection, automatically detects malware, and prevents it from being downloaded onto the system.

Look for Indicators of Compromise

However, malware such as Squirrelwaffle can avoid detection and bypass your antivirus protection. Therefore, you should also look for Indicators of Compromise (IoCs).

Check and review the server logs for any suspicious activity. Also, check the resource usage. If activity or usage is higher than usual, it could be an indicator of compromise.
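One concrete check that follows from the behaviour described earlier in the post (a VBS script written to C:\ProgramData and a payload fetched as a DLL) is to list script and DLL files under that folder that appeared recently. This is an added example, not tooling from the post or any vendor; the extension list and the 24-hour window are assumptions, and the demo tree it builds is constructed for offline use.

```python
"""Hunt for recently dropped script or DLL files under ProgramData.
Added example: the post says the loader writes a VBS script to C:\\ProgramData
and fetches the payload as a DLL. Extensions and window are assumptions.
"""
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional

SUSPECT_EXT = {".vbs", ".vbe", ".js", ".dll"}  # assumption: typical loader artefacts
DEFAULT_ROOT = Path(os.environ.get("ProgramData", r"C:\ProgramData"))


def find_recent_scripts(root: Path, max_age_hours: float = 24,
                        now: Optional[float] = None) -> List[str]:
    """Return relative paths of suspect-extension files modified within the window."""
    if not root.is_dir():
        return []
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SUSPECT_EXT:
            if path.stat().st_mtime >= cutoff:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_demo_tree() -> Path:
    """Constructed layout for offline testing: fresh .vbs, week-old .dll, a .txt."""
    root = Path(tempfile.mkdtemp(prefix="programdata_demo_"))
    (root / "Temp").mkdir()
    (root / "Temp" / "update.vbs").write_text("' constructed placeholder, not malware\n")
    (root / "Vendor").mkdir()
    stale = root / "Vendor" / "helper.dll"
    stale.write_bytes(b"MZ placeholder")
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(stale, (week_ago, week_ago))  # make it look a week old
    (root / "notes.txt").write_text("benign\n")
    return root


if __name__ == "__main__":
    print("demo hits (24h):", find_recent_scripts(build_demo_tree()))
    print("live hits (24h):", find_recent_scripts(DEFAULT_ROOT))
```

Any hit on a live server deserves a look at who created the file and at what was running at that time, since legitimate installers also write to ProgramData.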

Update the Server (If Not Compromised)

Update the Exchange server with the latest security update released for its supported CU. If the server is running an unsupported CU, upgrade to a supported CU first and then install the security updates.

Move Mailboxes to New Exchange Server (If Compromised)

If the Exchange server has been compromised, it is recommended to set up a new Exchange Server machine and stop using the compromised server, even if you have cleaned it. Threat actors may have left a backdoor installed, which they can use to regain access to your server and steal your business information.

If the server is no longer functional after the attack or compromise, you can use Exchange server recovery software to export all the mailboxes from the inaccessible Exchange databases directly to your newly set up Exchange server. You may also export the recovered mailboxes to Office 365.

The software saves time and effort by auto-mapping the mailboxes from the source Exchange database to the destination Exchange Server or Office 365 tenant, which simplifies recovery and restoration of the mailboxes.

The software can restore the mailboxes quickly and reduce downtime significantly.

Conclusion

Squirrelwaffle is a loader malware that attackers use to infect and compromise Exchange Servers for ransom, delivered through a targeted email reply-chain attack. To stay protected, keep your Exchange infrastructure on the latest security update, take active measures against spam email, detect malicious links, and prevent users from directly opening attachments or links from email; this can be achieved by changing the group policies. We have also listed other tips above that you can follow to prevent the attack. If a server has been compromised, set up a new server and use a backup to restore user mailboxes. Do not continue using the compromised server even if you think you have cleaned it and removed the malware. If no backup is available, you can rely on the Exchange recovery software discussed in this blog.
