Carding Forum
Hackers break into Microsoft Exchange servers through the ProxyShell and ProxyLogon vulnerabilities and use them to send replies to internal email threads.
Cybercriminals are compromising Microsoft Exchange servers through the ProxyShell and ProxyLogon vulnerabilities and using them to spread malware while evading detection: the malicious messages are sent as fake replies to existing internal email conversations.
In malicious email campaigns, the trick is getting the recipient to trust the sender enough to open a malicious attachment.
Researchers at the security company Trend Micro discovered an interesting tactic in which malicious emails are sent to employees of the targeted organization from its own compromised Microsoft Exchange servers. The tactic is used by a well-known criminal group that distributes emails with attachments that infect computers with Qbot, IcedID, Cobalt Strike and SquirrelWaffle.
To get employees to open a malicious attachment, the attackers first break into the Microsoft Exchange servers through the ProxyShell and ProxyLogon vulnerabilities, then use those servers to send replies in ongoing internal corporate email threads. These reply messages carry the malicious attachment.
Because the messages are sent from the organization's own mail server and continue an exchange already under way between two employees, recipients have no reason to be suspicious. Automated email protection systems do not flag them either, since the sender address, domain and originating server are all legitimately internal rather than an external or spoofed source.
The malicious attachment is a Microsoft Excel document that asks the recipient to click "Enable Content" in order to view it. Once content is enabled, the embedded macros run and download and install malware (Qbot, Cobalt Strike, SquirrelWaffle, etc.) on the system.
According to Trend Micro's report, the campaign distributes the SquirrelWaffle downloader, which in turn installs Qbot on the system. However, a researcher from the Cryptolaemus group who goes by TheAnalyst says that SquirrelWaffle does not download Qbot; rather, the malicious document downloads both programs separately.
Microsoft patched the ProxyLogon vulnerabilities in March 2021 and ProxyShell in April and May 2021. Attackers have exploited both to deploy ransomware and to install web shells for persistent access to the servers. In the case of ProxyLogon the situation was serious enough that the FBI, acting under a court order, removed web shells from compromised Microsoft Exchange servers in the United States without notifying the owners in advance.
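The point of the technique described above is that sender reputation and domain checks are useless here: the mail genuinely comes from the organization's own Exchange server, inside a real thread. What remains distinctive is the payload, an Office document carrying a VBA project, arriving as a reply. The following is an added example, not code from the Trend Micro report or from the original post, showing a mail-pipeline check that parses a message, identifies Office attachments, and inspects OOXML attachments for an embedded VBA project (the xl/vbaProject.bin part inside the zip container). Legacy binary .xls/.doc files are OLE containers that the standard library cannot parse, so they are flagged for manual review rather than silently passed. The internal domain corp.example, the header values and the attachment contents are all constructed sample data.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.xls/.doc)
OFFICE_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.ms-excel.sheet.macroEnabled.12",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/msword",
    "application/vnd.ms-word.document.macroEnabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
OFFICE_EXTS = (".xls", ".xlsm", ".xlsx", ".doc", ".docm", ".docx")


def has_vba_macro(data: bytes) -> bool:
    """Return True if an Office attachment carries (or may carry) a VBA project.

    OOXML files (.xlsm/.docm, or .xlsx renamed to hide the macro) are zip
    archives; a VBA project is stored in a part named vbaProject.bin.
    Legacy OLE files cannot be inspected without a third-party parser, so
    they are treated as suspect and flagged for review.
    """
    if data.startswith(OLE_MAGIC):
        return True
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def assess(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report reply/sender/macro indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg["From"]
    domains = {a.domain.lower() for a in from_hdr.addresses} if from_hdr else set()
    # A reply into an existing thread carries In-Reply-To and/or References.
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    macro_attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() in OFFICE_TYPES or name.lower().endswith(OFFICE_EXTS):
            if has_vba_macro(part.get_payload(decode=True) or b""):
                macro_attachments.append(name)
    return {
        "is_reply": is_reply,
        "internal_sender": bool(domains) and domains <= {INTERNAL_DOMAIN},
        "macro_attachments": macro_attachments,
        # Sender checks cannot help here, so the verdict rests on the payload.
        "suspicious": bool(macro_attachments),
    }


def make_xlsm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip (not a real spreadsheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def build_sample_reply(with_macro: bool) -> bytes:
    """Constructed sample: a reply injected into an existing internal thread."""
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "RE: Q4 invoice reconciliation"
    msg["Message-ID"] = "<injected-reply@mail.corp.example>"
    msg["In-Reply-To"] = "<original-thread@mail.corp.example>"
    msg["References"] = "<original-thread@mail.corp.example>"
    msg.set_content("Bob, the updated sheet is attached. Enable content to view it.")
    msg.add_attachment(make_xlsm(with_macro), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="reconciliation.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(assess(build_sample_reply(flag)))
```

In a real deployment the message bytes would come from a journaling mailbox or a transport-rule hook rather than from build_sample_reply, and the OLE branch would be replaced by a proper olefile/oletools inspection; the structure of the check stays the same. Note that internal_sender is reported but deliberately not used to lower the verdict: in this campaign a legitimate internal sender is exactly what the attacker has.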