Threat actors targeted are exploiting the ProxyLogon vulnerabilities in Microsoft Exchange servers to deploy Monero cryptocurrency miners.
Sophos researchers reported that threat actors targeted Microsoft Exchange by exploiting ProxyLogon vulnerabilities to deploy malicious Monero cryptominer in an unusual attack.
The unknown attacker is attempting to deliver a payload which is being hosted on a compromised Exchange server.
“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” reads the analysis published by Sophos. “The .zip file is not a compressed archive, but a batch script that then invokes the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip.”
The attack used a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth). Experts noticed that the .zip file was not a compressed archive, but a batch script that then invoked the built-into-Windows certutil.exe program to download the win_s.zip and win_d.zip files.
The win_s.zip is written out to the filesystem as QuickCPU.b64, the executable payload in encoded base64 and can be decoded by the certutil application. Then the batch script runs another command that outputs the decoded executable into the same directory. Upon decoding the batch script, it runs the executable that extracts the crypto miner and configuration data from the QuickCPU.dat file, then injects it into a system process and deletes any evidence of its presence.
The executable employed in the attack contains a modified version of the PEx64-Injector tool publicly available on Github.
“Among the files contained in the QuickCPU.dat archive are the configurator for the miner, which appears to be xmr-stak. By default, the payload sets up the miner so that it only can communicate if it can have a secure TLS connection back to the Monero wallet where it will store its value. If the miner detects that there’s a certificate mismatch (or some other indication of a TLS MITM), it quits and attempts to reconnect every 30 seconds.”continues the analsys.
The miner’s pools.txt file is temporarily written to disk, its analysis allowed the researchers to determine the wallet address and its password, and the name DRUGS assigned to the pool of miners.
The wallet began receiving funds on March 9, but after Microsoft addressed the ProxyLogon issues, the cryptomining activity decreased because many servers were secured.