Rewterz Threat Alert – Quasar RAT – Active IOCs
November 23, 2021
Rewterz Threat Advisory – Multiple NVIDIA GPU and Tegra Hardware Vulnerabilities
November 24, 2021
Severity
Medium
Analysis Summary
Squirrelwaffle is a malspam loader that emerged in September 2021. It spreads through spam campaigns carrying malicious links or Microsoft Office files that trigger an infection chain when opened. ProxyLogon and ProxyShell were the two exploits used in the attacks.
The vulnerabilities CVE-2021-26855 (ProxyLogon), CVE-2021-34473 and CVE-2021-34523 (ProxyShell) were used to compromise the servers. ProxyLogon is a server-side request forgery (SSRF) vulnerability that allows threat actors to access an Exchange server by sending a specially crafted web request. The ProxyShell vulnerability, on the other hand, abused URL normalization of explicit Logon URLs to access the Exchange machines. The other ProxyShell vulnerability can be used to impersonate a local administrator and run PowerShell commands.
The malicious emails carry Microsoft Excel or Word attachments that, when opened, download a ZIP file to the system and execute the malicious DLL it contains.
Impact
- Unauthorized Access
- Data Exfiltration
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- aayomsolutions[.]co[.]in
- agoryum[.]com
- arancal[.]com
- constructorachg[.]cl
- decinfo[.]com[.]br
- dongarza[.]com
- grandthum[.]co[.]in
Hostname
- aparnashealthfoundation[.]aayom[.]com
IP
- 108[.]179[.]192[.]18
- 108[.]179[.]193[.]34
- 23[.]111[.]163[.]242
- 24[.]229[.]150[.]54
MD5
- d868b389f2f824a32367767a17b397b8
SHA-256
- 4bcef200fb69f976240e7bc43ab3783dc195eac8b350e610ed2942a78c2ba568
SHA-1
- 41a0834524ce0df8a18cc94b6a1eba6eebf6f397
URL
- http[:]//24[.]229[.]150[.]54[:]995/t4
- http[:]//aayomsolutions[.]co[.]in/etiste/quasnam-4966787
- http[:]//aparnashealthfoundation[.]aayom[.]com/quasisuscipit/totamet-4966787
- http[:]//arancal[.]com/HgLCgCS3m/be[.]html
- http[:]//decinfo[.]com[.]br/s4hfZyv7NFEM/y9[.]html
- http[:]//grandthum[.]co[.]in/9Z6DH5h5g/be[.]html
- http[:]//iperdesk[.]com/JWqj8R2nt/be[.]html
- http[:]//omoaye[.]com[.]br/Z0U7Ivtd04b/r[.]html
Remediation
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
Download patches for all the CVEs mentioned above at
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Use detection and protection services such as XDRs, SOARs, and EDRs.
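The following script is an added example of the "search for IOCs in your environment" step; it is not Rewterz tooling. It refangs the bracket-defanged indicators listed above, classifies each one (domain, IP, URL or file hash), and scans log lines for them, matching domains and IPs only on token boundaries so that a look-alike such as notagoryum.com does not produce a false hit. The log lines are constructed for illustration and are not real telemetry; the indicator list is a subset of the ones published above.

```python
"""Match the advisory's defanged IoCs against sample log lines.

Added example for this advisory (not Rewterz code). SAMPLE_LOG is constructed;
DEFANGED_IOCS is a subset of the indicators listed in the advisory.
"""
import re

# Indicators copied from the advisory, still in the defanged form it uses.
DEFANGED_IOCS = [
    "aayomsolutions[.]co[.]in",
    "agoryum[.]com",
    "arancal[.]com",
    "aparnashealthfoundation[.]aayom[.]com",
    "108[.]179[.]192[.]18",
    "24[.]229[.]150[.]54",
    "http[:]//24[.]229[.]150[.]54[:]995/t4",
    "http[:]//arancal[.]com/HgLCgCS3m/be[.]html",
    "d868b389f2f824a32367767a17b397b8",
    "41a0834524ce0df8a18cc94b6a1eba6eebf6f397",
    "4bcef200fb69f976240e7bc43ab3783dc195eac8b350e610ed2942a78c2ba568",
]

# Constructed sample log lines (DNS, proxy and EDR events); not real telemetry.
SAMPLE_LOG = [
    "2021-11-24T09:12:01Z dns client=10.0.0.21 qname=aayomsolutions.co.in type=A",
    "2021-11-24T09:12:02Z proxy client=10.0.0.21 url=http://arancal.com/HgLCgCS3m/be.html status=200",
    "2021-11-24T09:12:03Z dns client=10.0.0.22 qname=notagoryum.com type=A",
    "2021-11-24T09:12:04Z edr file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\x.dll "
    "sha256=4bcef200fb69f976240e7bc43ab3783dc195eac8b350e610ed2942a78c2ba568",
    "2021-11-24T09:12:05Z proxy client=10.0.0.23 url=http://24.229.150.54:995/t4 status=200",
    "2021-11-24T09:12:06Z dns client=10.0.0.24 qname=example.org type=A",
]


def refang(ioc: str) -> str:
    """Undo the bracket defanging used in the advisory ('[.]' and '[:]')."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """Return the indicator type: md5, sha1, sha256, url, ip or domain."""
    low = ioc.lower()
    if re.fullmatch(r"[0-9a-f]{32}", low):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", low):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", low):
        return "sha256"
    if low.startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", low):
        return "ip"
    return "domain"


def build_index(defanged):
    """Map each refanged indicator to its type, keeping the original case."""
    return {refang(raw): classify(refang(raw)) for raw in defanged}


def scan_log(lines, index):
    """Return (line_no, ioc, kind) for every indicator found in the lines.

    Domains and IPs must sit on a token boundary, so 'agoryum.com' does not
    fire on 'notagoryum.com'; URLs and hashes are matched case-insensitively
    as literal substrings.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ioc, kind in index.items():
            needle = re.escape(ioc.lower())
            if kind == "domain":
                pattern = r"(?<![a-z0-9.-])" + needle + r"(?![a-z0-9-])"
            elif kind == "ip":
                pattern = r"(?<![0-9.])" + needle + r"(?![0-9.])"
            else:
                pattern = needle
            if re.search(pattern, low):
                hits.append((n, ioc, kind))
    return hits


def main():
    for n, ioc, kind in scan_log(SAMPLE_LOG, build_index(DEFANGED_IOCS)):
        print(f"line {n}: {kind} indicator {ioc}")


if __name__ == "__main__":
    main()
```

Run it as-is to see which constructed lines match; to use it against real data, replace SAMPLE_LOG with your DNS, proxy and EDR exports and the indicator list with the full set published above. Note that a URL hit on line 5 also produces an IP hit for the same line, which is intended: the IP indicator is worth alerting on even when the path differs.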