Threat actors are exploiting the ProxyShell and ProxyLogon vulnerabilities to break into Microsoft Exchange servers, then distribute malware and evade detection by hijacking stolen internal reply-chain emails. In any malicious email campaign, the hardest part is persuading recipients to trust the sender enough to open the links or files that deliver the malware.
Trend Micro researchers uncovered a novel method of spreading malicious email to a company’s internal users by abusing the victim’s compromised Microsoft Exchange servers. The perpetrators are thought to be ‘TR,’ a well-known threat actor who sends emails with malicious attachments that drop malware including Qbot, Cobalt Strike, IcedID, and SquirrelWaffle.
The attacker uses the ProxyShell and ProxyLogon flaws in Microsoft Exchange servers to trick corporate targets into opening infected attachments. The compromised Exchange servers are then used to inject reply-chain messages into the company’s internal email threads, carrying links to infected documents that install malware.
According to Trend Micro’s report, the researchers examined the headers of the malicious emails that were received. They found that the mail path was entirely internal (between the mailboxes of three internal Exchange servers), indicating that the emails did not come from an external sender, an open mail relay, or any message transfer agent (MTA).
Because these emails appear to continue an earlier conversation between two employees and originate from the same internal network, recipients place a higher degree of trust in them. This not only works against human recipients but is also effective at avoiding warnings from the target firm’s email protection systems.
The attachments are ordinary malicious Microsoft Excel templates that instruct recipients to ‘Enable Content’ in order to view a supposedly protected file. Once the user enables content, malicious macros run, downloading and installing the malware the attachment carries, whether Qbot, SquirrelWaffle, Cobalt Strike, or another family. According to Trend Micro’s researchers, these attacks have spread the SquirrelWaffle loader, which in turn installs Qbot.
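The header check described in the report above, together with the macro-bearing Excel attachment it describes, can be turned into a small triage helper for an analyst. The following is an added example, not code from the article or from Trend Micro: it parses a raw message with Python’s standard email library, walks the Received: hops oldest-first, classifies each hop as internal or external, and lists attachments in macro-capable Office formats. The domain corp.example, the address ranges, and both sample messages are constructed assumptions.

```python
"""Triage helper for suspected reply-chain phishing relayed by a compromised Exchange server.

Added example (not from the article or Trend Micro). Everything below the imports is
constructed: the internal domain, the internal address ranges and the sample messages.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Assumption: the organisation's mail domain and the ranges its Exchange servers live in.
INTERNAL_DOMAIN = "corp.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Office formats that can carry VBA macros; the "Enable Content" lure depends on them.
MACRO_SUFFIXES = (".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm", ".ppt", ".pptm")

# Matches the "from <host> (<ip>) by <host>" clause Exchange writes into each Received: header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<from_ip>[^)]+)\)\s+by\s+(?P<by_host>\S+)", re.I)

# Constructed sample: a "reply" whose only hops are internal Exchange servers and whose
# attachment is a legacy Excel file, i.e. the pattern the report describes.
INTERNAL_SAMPLE = b"""Received: from EXCH03.corp.example (10.1.0.13) by EXCH01.corp.example (10.1.0.11) with Microsoft SMTP Server; Fri, 19 Nov 2021 09:14:02 +0000
Received: from EXCH02.corp.example (10.1.0.12) by EXCH03.corp.example (10.1.0.13) with Microsoft SMTP Server; Fri, 19 Nov 2021 09:14:01 +0000
From: alice@corp.example
To: bob@corp.example
Subject: RE: invoice for last week
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file and enable content to view it.
--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="invoice_1129.xls"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed sample: ordinary inbound mail with one external hop and no attachment.
EXTERNAL_SAMPLE = b"""Received: from mx.example.net (203.0.113.5) by EXCH01.corp.example (10.1.0.11) with Microsoft SMTP Server; Fri, 19 Nov 2021 10:00:00 +0000
From: vendor@example.net
To: bob@corp.example
Subject: invoice

Plain text body.
"""


def is_internal(host, ip):
    """A hop is internal if its IP lies in an internal range or its hostname is under the mail domain."""
    try:
        if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            return True
    except ValueError:
        pass  # not a literal IP; fall back to the hostname check
    return host.lower().rstrip(".").endswith("." + INTERNAL_DOMAIN)


def parse_hops(msg):
    """Return the Received: chain oldest-first, one dict per hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # headers are newest-first on the wire
        m = RECEIVED_RE.search(str(value))
        if not m:
            hops.append({"raw": str(value), "internal": None})  # unparsed hop: treat as unknown
            continue
        d = m.groupdict()
        d["internal"] = is_internal(d["from_host"], d["from_ip"])
        hops.append(d)
    return hops


def macro_attachments(msg):
    """Filenames of attachments whose format can carry VBA macros."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(MACRO_SUFFIXES):
            names.append(name)
    return names


def triage(raw):
    """Summarise the signals an analyst would weigh for a suspected reply-chain lure."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = parse_hops(msg)
    subject = str(msg.get("Subject", ""))
    return {
        "subject": subject,
        "looks_like_reply": subject.strip().upper().startswith(("RE:", "FW:", "FWD:")),
        "hops": hops,
        "all_internal": bool(hops) and all(h["internal"] for h in hops),
        "macro_attachments": macro_attachments(msg),
    }


if __name__ == "__main__":
    for label, raw in (("internal reply-chain", INTERNAL_SAMPLE), ("external", EXTERNAL_SAMPLE)):
        print(label, triage(raw))
```

An internal-only path is normal for genuine internal mail, so it is not a verdict on its own; the signal the report’s analysts keyed on is the combination of an internal-only path, a reply-style subject, and a macro-capable attachment whose body asks the reader to enable content. Note also that Received: headers written by a compromised Exchange server are only as trustworthy as that server, so the hop list is evidence for scoping the incident, not proof of origin.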
Cryptolaemus researcher ‘TheAnalyst’ claims, however, that rather than SquirrelWaffle delivering Qbot, the infected document used by this threat actor drops both pieces of malware as independent payloads. Microsoft patched the ProxyLogon and ProxyShell vulnerabilities in March, April, and May, treating them as zero-days.
Threat actors have exploited both vulnerabilities to deploy ransomware or install web shells for later backdoor access. Given the severity of the ProxyLogon attacks, the FBI removed web shells from compromised US-based Microsoft Exchange servers before even notifying the servers’ owners. After all this time and the widespread attention these flaws have received, leaving Exchange servers unpatched is nothing short of an open invitation to cybercriminals.