Cybersecurity Blog | Ingalls Information Security

Critical Advisory Notice for SquirrelWaffle and Qakbot

Written by Cyrus Robinson | Dec 3, 2021 5:00:00 AM

In September 2021, multiple security research teams observed and reported email reply-chain attacks that distributed new SquirrelWaffle Loader and Qakbot-embedded malicious document files. Cisco Talos1 reported that these "distribution campaigns appear to be taking advantage of previously compromised web servers, primarily running versions of the WordPress content management system (CMS). Across the distribution servers we analyzed prior to host/domain suspension, the most prevalent version was WordPress 5.8.1." On Nov 17, Mandiant disclosed2 that the ProxyShell vulnerabilities were being exploited without dropping webshells on compromised Exchange servers in a new tactic that Mandiant dubbed "ProxyNoShell". On Nov 29, Austrian consulting firm, Certitude, was among the first to report3 that Microsoft Exchange Servers that were vulnerable to ProxyShell were being leveraged to send the email reply-chain attacks. Email-based attacks that leverage reply-chains are used by attackers to pre-text victims and to leverage an existing trust relationship between the victim’s compromised Exchange email account and the target, since the target will likely recognize and respond to new emails in the reply-chain. This has led to a significantly higher compromise rate for attackers leveraging this tactic.


Findings and Alert Notice

Ingalls discovered that many compromised WordPress sites hosting the SquirrelWaffle and Qakbot malware appear to have an unusual PHP form, including some that displayed content uploaded to the compromised WordPress site on the page. Without access to the backend of the compromised WordPress sites, the full functionality of the PHP form cannot be ascertained. However, it is likely that this PHP form can be used to upload or append content from other sites or pastebins to the compromised WordPress sites, including the malicious SquirrelWaffle documents being distributed by this campaign. Attackers may also use this capability to upload fake login pages used to capture user credentials hosted on compromised WordPress sites.

Please note that Ingalls has not yet observed evidence of the PHP form being used for this purpose. However, at the time of this post there are over 11,600 Google search results for "xiaoxiannv" + "horse" (elements of the PHP form) indicating potentially compromised WordPress sites.


Recommended Actions to Prevent or Remediate

Ingalls recommends that administrators apply patches KB5003435 (CVE-2021-31207) and KB5001779 (CVE-2021-34473 and CVE-2021-34523) to vulnerable on-premises Microsoft Exchange servers as soon as possible. This Microsoft reference can be used to verify your organization’s current Microsoft Exchange Server version. If business operations prevent your organization from patching immediately, Ingalls recommends mitigating the risk by blocking all Internet connectivity (blocking traffic to/from ports 80 and 443 on Microsoft Exchange Servers)  and requiring internal network or VPN access before accessing email and on Microsoft Exchange servers until patching can be completed. If any webshells or unexpected Exchange accounts have been created within your organization’s environment, your organization should consult with a company that specializes in Incident Response.

Ingalls also recommends that organizations with WordPress websites 1) verify that their WordPress site, PHP version, and WordPress plugins are updated, 2) confirm that no unexpected PHP forms are present on any of their webpages, and 3) verify that no unexpected .zip files or documents are being hosted on their web server.

Screenshots of the PHP form on the compromised WordPress sites:


Contact Us for Help

Need assistance responding to this alert or concerned about an incident? Call our 24x7 emergency hotline at 888-860-0452.

For those of you who may want to dig into the Indicators of Compromise, download the list here:

 

____________
1 https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html
2 https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities
3 https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle

About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman with primary responsibilities with testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD Contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group which contribute to his knowledge with security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Masters of Science in Information Security and Assurance.