Squirrelwaffle + ProxyShell & ProxyLogon

Industry: N/A | Level: Tactical | Source: TrendMicro

Trend Micro has shown research, of Squirrelwaffle loader, that emerged in September 2021, has likely been utilizing ProxyLogon and ProxyShell exploits, in order to send malicious emails from preexisting email chains. Observed threat actors utilizing this email thread hijacking technique, did not drop or use tools for lateral movement after gaining access to vulnerable Exchange servers, nor was any malware installed prior to the spread of the malicious email across the targeted network. Upon the victim executing the attached macro-enabled Excel file, a malicious Qbot DLL is downloaded from hardcoded URLs and the DLL is executed with regsvr32.

• Anvilogic Scenario: SquirrelWaffle - Behaviors