Microsoft Exchange ProxyShell flaws exploited in new crypto-mining attack

ProxyShellMiner is being distributed to Windows endpoints by a very elusive malware operation, according to Morphisec.

ProxyshellMiner Malware

ProxyShell is the name of three Exchange vulnerabilities discovered and fixed by Microsoft in 2021. When chained together, the vulnerabilities allow unauthenticated, remote code execution, letting attackers take complete control of the Exchange server and pivot to other parts of the organization’s network.

ProxyShellMiner exploits a company’s Windows Exchange servers using the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 to get initial access and distribute crypto miners.

The malware needs a command line parameter that acts as a password for the XMRig miner component in order to activate.

“This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic”, Morphisec.

The malware then downloads a file with the name “DC DLL” and uses .NET reflection to get the task scheduler, XML, and XMRig key arguments. The decryption of additional files is done using the DLL file.

By setting up a scheduled activity to start when the user logs in, a second downloader achieves persistence on the compromised system. The report says four other files and the second loader are downloaded from a remote resource.

“The malware waits at least 30 seconds while the target machine blocks any outbound connection. It does this to tamper with the process runtime behavior analysis of common security solutions”, researchers.

Conclusion

INDICATORS OF COMPROMISE 

mail.shaferglazer[.]com 

(malicious files are available from this server) 

mail.itseasy[.]com

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!