Microsoft already released details about a serious vulnerability affecting their Exchange mail server software, a range of threat actors have been targeting exploitable servers with a variety of malware, from webshells to ransomware.
SophosLabs researchers say that “those aren’t the only payloads we’ve seen directed at Exchange servers: An unknown attacker has been attempting to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server”.
The attack used a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).
How the Attack Works?
Experts noticed that the .zip file was not a compressed archive, but a batch script that then invoked the built-into-Windows certutil.exe program to download the win_s.zip and win_d.zip files.
The win_s.zip is written out to the filesystem as QuickCPU.b64, the executable payload in encoded base64 and can be decoded by the certutil application.
Then the batch script runs another command that outputs the decoded executable into the same directory. Upon decoding the batch script, it runs the executable that extracts the crypto miner and configuration data from the QuickCPU.dat file, then injects it into a system process and deletes any evidence of its presence.
The file uses forged data in its Properties sheet that indicates the file is a Windows component, but the binary is not digitally signed and as well, no such file has ever existed as a standard component of Windows, though there is a legitimate utility with the same name, made by a third-party software developer. That utility is not connected to this malware in any way.
The executable employed in the attack contains a modified version of the PEx64-Injector tool publicly available on Github.
The analysis says “Among the files contained in the QuickCPU.dat archive are the configurator for the miner, which appears to be xmr-stak. By default, the payload sets up the miner so that it only can communicate if it can have a secure TLS connection back to the Monero wallet where it will store its value. If the miner detects that there’s a certificate mismatch (or some other indication of a TLS MITM), it quits and attempts to reconnect every 30 seconds.”
The miner’s pools.txt file is temporarily written to disk, its analysis allowed the researchers to determine the wallet address and its password, and the name DRUGS assigned to the pool of miners.
According to the Monero blockchain, the wallet began receiving funds on March 9, but after Microsoft addressed the ProxyLogon issues, the crypto mining activity decreased since many servers were secured.