otx.alienvault.com Open in urlscan Pro
143.204.98.16  Public Scan

URL: https://otx.alienvault.com/pulse/619bafa5be96b9097b0aa0f9?utm_userid=swimlanecyou&utm_medium=inproduct&utm_source=otx&utm_c...
Submission: On November 22 via api from US — Scanned from DE

Subscribers (165710)

SQUIRRELWAFFLE EXPLOITS PROXYSHELL AND PROXYLOGON TO HIJACK EMAIL CHAINS

   
 * Created 32 minutes ago by AlienVault
 * Public
 * TLP: White

In September 2021, Squirrelwaffle emerged as a new loader spread through spam
campaigns. It is known for sending its malicious emails as replies to
pre-existing email chains, a tactic that lowers a victim's guard, since the
message arrives inside a conversation the victim already trusts. To pull this
off, Trend Micro believes the operators chained the ProxyLogon and ProxyShell
exploits against on-premises Microsoft Exchange servers to gain access to the
mailboxes and the existing threads.

References:
https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/squirrelwaffle-exploits-proxyshell-and-proxylogon-vulnerabilities-in-microsoft-exchange-to-hijack-email-chains/IOCs-squirrelwaffle-exploits-proxyshell-and-proxylogon-microsoft-exchange-vulnerabilities-to-hijack-email-chains.txt
Tags:
squirrelwaffle, proxylogon, proxyshell, CVE-2021-26855, CVE-2021-31207,
CVE-2021-34473, CVE-2021-34523
Malware Family:
Squirrelwaffle
Att&ck IDs:
T1566 - Phishing, T1210 - Exploitation of Remote Services, T1137.001 - Office
Template Macros, T1027 - Obfuscated Files or Information

 * Indicators of Compromise (49)
 * Related Pulses (33)
 * Comments (0)
 * History (0)

TYPES OF INDICATORS

CVE (4), FileHash-SHA256 (5), URL (20), IPv4 (4), Domain (14), Hostname (2)

THREAT INFRASTRUCTURE

United States (4)


type      indicator              Added                      related Pulses
hostname  trojan.xf.dloadr.al    Nov 22, 2021, 2:56:37 PM   1
domain    taketuitions.com       Nov 22, 2021, 2:56:37 PM   6
domain    stunningmax.com        Nov 22, 2021, 2:56:37 PM   2
domain    omoaye.com.br          Nov 22, 2021, 2:56:37 PM   1
domain    mcdreamconcept.ng      Nov 22, 2021, 2:56:37 PM   1
domain    imprimija.com.br       Nov 22, 2021, 2:56:37 PM   2
domain    headlinepost.net       Nov 22, 2021, 2:56:37 PM   5
domain    dongarza.com           Nov 22, 2021, 2:56:37 PM   3
domain    decinfo.com.br         Nov 22, 2021, 2:56:37 PM   2
domain    constructorachg.cl     Nov 22, 2021, 2:56:37 PM   5

(The Role, title and Active columns are empty for all ten rows shown.)

Showing 1 to 10 of 49 entries
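The pulse is meant to be consumed by scanners, but the indicator table in this text dump is flattened (type, indicator, timestamp and related-pulse count run together). The following is an added example, not code from OTX, AlienVault or Trend Micro: it recovers the ten domain/hostname rows shown above, then runs them as a matcher over a constructed DNS query log. The log layout ("timestamp client qname qtype") is an assumption for illustration, not any real resolver's format. The matcher treats a "domain" indicator as covering its subdomains, a "hostname" indicator as an exact name, and refuses plain substring hits, which is the distinction that keeps a blocklist built from this pulse from firing on look-alike names.

```python
"""Parse flattened OTX indicator rows and match them against DNS query logs.
Added example; not OTX, AlienVault or Trend Micro code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed input: the ten indicator rows exactly as the urlscan text dump
# of this pulse flattens them (type + indicator + "Added" + related count).
RAW_ROWS = """\
hostnametrojan.xf.dloadr.alNov 22, 2021, 2:56:37 PM1
domaintaketuitions.comNov 22, 2021, 2:56:37 PM6
domainstunningmax.comNov 22, 2021, 2:56:37 PM2
domainomoaye.com.brNov 22, 2021, 2:56:37 PM1
domainmcdreamconcept.ngNov 22, 2021, 2:56:37 PM1
domainimprimija.com.brNov 22, 2021, 2:56:37 PM2
domainheadlinepost.netNov 22, 2021, 2:56:37 PM5
domaindongarza.comNov 22, 2021, 2:56:37 PM3
domaindecinfo.com.brNov 22, 2021, 2:56:37 PM2
domainconstructorachg.clNov 22, 2021, 2:56:37 PM5
"""

# Indicator types named in the pulse's "types of indicators" summary. The
# non-greedy value group stops at the first thing that looks like the
# "Added" timestamp, which is then followed only by the related-pulse count.
ROW_RE = re.compile(
    r"^(?P<kind>hostname|domain|IPv4|URL|FileHash-SHA256|CVE)"
    r"(?P<value>.+?)"
    r"(?P<added>[A-Z][a-z]{2} \d{1,2}, \d{4}, \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"(?P<related>\d+)$"
)


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    added: str
    related_pulses: int


def parse_rows(text: str) -> list[Indicator]:
    """Recover the four populated columns from flattened OTX table rows."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append(Indicator(m["kind"], m["value"].lower(),
                                 m["added"], int(m["related"])))
    return out


def _norm(name: str) -> str:
    # Case-fold and drop a trailing root dot so "CDN.dongarza.com." compares.
    return name.strip().lower().rstrip(".")


def match_qname(qname: str, indicators: Iterable[Indicator]) -> Optional[Indicator]:
    """Match one queried name against domain/hostname indicators.

    A 'domain' indicator also covers its subdomains (www.taketuitions.com
    hits taketuitions.com); a 'hostname' indicator must match exactly. A name
    that merely contains the indicator (taketuitions.com.example.org,
    notheadlinepost.net) does not match, because the suffix test requires
    the label boundary "." in front of the indicator.
    """
    q = _norm(qname)
    for ind in indicators:
        if ind.kind == "domain" and (q == ind.value or q.endswith("." + ind.value)):
            return ind
        if ind.kind == "hostname" and q == ind.value:
            return ind
    return None


# Constructed DNS query log in an assumed "timestamp client qname qtype"
# layout (not a real resolver's format). Lines 1 and 3 should hit.
SAMPLE_LOG = """\
2021-11-22T15:01:12Z 10.20.0.15 www.taketuitions.com A
2021-11-22T15:01:13Z 10.20.0.15 taketuitions.com.example.org A
2021-11-22T15:02:40Z 10.20.0.31 cdn.dongarza.com. A
2021-11-22T15:03:05Z 10.20.0.31 mail.corp.example A
2021-11-22T15:03:09Z 10.20.0.44 notheadlinepost.net A
"""


def scan_dns_log(log: str, indicators: Iterable[Indicator]) -> list[tuple[str, str, str]]:
    """Return (client, qname, matched indicator value) for every hit."""
    inds = list(indicators)
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        ind = match_qname(qname, inds)
        if ind:
            hits.append((client, qname, ind.value))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, parse_rows(RAW_ROWS)):
        print(hit)
```

Only the ten rows visible on this page are embedded; the full pulse has 49 indicators, including URLs, IPv4 addresses and SHA-256 hashes that this matcher ignores. The regex accepts those row types too, so the same parser can be pointed at a complete export before adding matchers for the other indicator kinds.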



 * © Copyright 2021 AlienVault, Inc.
   