
Microsoft Exchange Servers are being used to distribute Qakbot malware

Exploiting an unpatched Exchange Server vulnerability and a less-than-foolproof malicious URL strategy is leading to mounting infections in businesses

Compromised Microsoft Exchange servers are being used to spread the SquirrelWaffle malspam campaign, according to security researchers.

Speaking to IT Pro, Amir Hadžipašić, CEO and founder of SOS Intelligence, said a vulnerability in Microsoft Exchange, left unpatched as of the last 12 October update, was being exploited using a method similar to ProxyShell - a recent exploit affecting Microsoft Exchange servers that afforded attackers remote code execution access.

Conversations held between SOS Intelligence and organisations who have fallen victim to the campaign confirmed Hadžipašić's suspicions that compromised Exchange servers were being used to launch the malspam campaign.

The new development is particularly concerning for businesses given the sophisticated nature of the attack. SquirrelWaffle hijacks inboxes and sends malicious emails as replies to existing email chains, increasing the likelihood that a victim will click a malicious link or open an infected file because it appears to come from a trusted source. Analysis of victims' logs shows that ProxyShell exploitation is followed by mail export via Microsoft Exchange Web Services (EWS), which is what lets the attackers send from within existing chains.

"What is interesting about this particular campaign and is an important development is that all of the emails we observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyShell," Hadžipašić told IT Pro.

"Following an investigation of the sender mail servers all were confirmed (by http://Shodan.io) to be vulnerable, further discussions with a number of victims - who had confirmed to have been compromised by a ProxyShell type exploit and indeed were a source of these emails - confirms that Exchange servers and email threads were being 'hijacked' to deliver this malspam."

Another new development in the campaign, observed only in the past few days, is that the URLs in the malspam emails are now changing. Previous hyperlinks have been abandoned for non-hyperlinked, shortened URLs which lead to the download of a malicious payload such as Qakbot if followed.

This opens up the campaign to an element of failure, given victims must manually copy and paste the URL into a browser in order for the malware to be dropped. 

The URLs now omit the HTTP/HTTPS prefix, so mail clients no longer render them as hyperlinks and URL-rewrite protection never sees them; this has led to an uptick in infections because it helps the messages evade email spam filters.
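As an added illustration (not part of the IT Pro article or SOS Intelligence's work) of why scheme-less links slip past hyperlink-based URL rewriting, the following Python triage check scans two constructed messages for host/path tokens that carry no http:// or https:// scheme and raises the score when the message is a reply into an existing thread, the pattern the article describes. The hostnames, addresses and the reply heuristic are assumptions made for the example.

```python
import re
from email import message_from_string
from typing import Dict, List

# Heuristic: a dotted host-like token (with a TLD of 2+ letters) and optional path that is
# NOT preceded by a scheme, an "@" (mail address) or another part of a longer token.
# A production filter would validate the host against the public suffix list.
SCHEMELESS_URL = re.compile(
    r"(?<![\w@/.:-])"                 # token must start fresh: excludes https://host, user@host
    r"((?:[a-z0-9-]+\.)+[a-z]{2,})"   # host, e.g. short.example
    r"(/[^\s<>\"']*)?",               # optional path, e.g. /inv4q
    re.IGNORECASE,
)

def find_schemeless_urls(body: str) -> List[str]:
    """Return bare host[/path] tokens that a hyperlink-only URL rewriter would never see."""
    return [m.group(0).rstrip(".,;:)") for m in SCHEMELESS_URL.finditer(body)]

def triage(raw_message: str) -> Dict[str, object]:
    """Flag a plain-text message that carries a scheme-less URL inside a reply thread."""
    msg = message_from_string(raw_message)
    bare = find_schemeless_urls(msg.get_payload())
    subject = (msg["Subject"] or "").lower()
    in_thread = bool(msg["In-Reply-To"]) or subject.startswith(("re:", "fw:", "fwd:"))
    return {"bare_urls": bare, "in_thread": in_thread, "suspicious": bool(bare) and in_thread}

# Constructed sample: a hijacked-thread reply carrying a bare shortened link (assumed names).
SAMPLE_REPLY = """\
From: colleague@corp.example
To: victim@corp.example
Subject: RE: Q4 invoice
In-Reply-To: <original-123@corp.example>
Content-Type: text/plain

Hi, as discussed, the updated sheet is here: short.example/inv4q
> original thread text below
"""

# Constructed sample: a normal message with a full hyperlink that URL rewriting would handle.
SAMPLE_BENIGN = """\
From: colleague@corp.example
To: victim@corp.example
Subject: Q4 report
Content-Type: text/plain

Link: https://intranet.corp.example/docs/report.pdf
"""

if __name__ == "__main__":
    for sample in (SAMPLE_REPLY, SAMPLE_BENIGN):
        print(triage(sample))
```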

"Both of these factors increase the likelihood of success since they are social engineering a victim, who will receive an email apparently related to a topic discussed not long ago with the sender and secondly the link was sent in such a way as to bypass any URL rewrite protection mechanisms," said Hadžipašić.

"It is strongly suspected that this campaign is being orchestrated by the 'TR Distro Actor' / TA577 utilising compromised Exchange servers to send these malicious spam emails delivering via an Excel Spreadsheet the Qakbot," he added.

Speaking on the recent TLP Green discoveries, other security researchers, as well as Hadžipašić, have warned of the severity of the situation. Qakbot campaigns are believed to be closely linked to ransomware groups.

Businesses are advised to urgently patch their Exchange servers to Cumulative Update 22, at the very least, and prevent EWS exposure to the internet, most importantly. 

IT Pro contacted Microsoft for comment but it did not reply at the time of publication.

SquirrelWaffle at a glance

Cisco Talos researchers published a report in late October 2021 detailing the SquirrelWaffle campaign and the new malware family it delivers, which has been seen infecting systems with increasing regularity and "could become the next big player in the spam space".


The report notes that SquirrelWaffle provides attackers with a foothold onto victims' machines which then allows them to compromise the victim further and distribute further infections. Qakbot and the penetration testing tool Cobalt Strike were the common payloads the Cisco Talos team observed.

Infections were observed dating back to the middle of September with researchers observing email chains being hijacked in a way not dissimilar to the way Emotet spread before law enforcement intervened in the spread of the botnets.

In these hijacked emails, the researchers identified what they believed to be a degree of localisation, since the emails largely matched the language and style used in the chains that were hijacked. The attack mainly targets English-speaking victims, with less than a quarter of emails written in other languages.

While this is a relatively new attack vector, the common malware payload, Qakbot, has been around for some time. Back in 2020, researchers discovered the link between Qakbot infections and distribution of DoppelPaymer - the ransomware used to target the likes of Newcastle University, Foxconn, and Compal.
