The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware.
The malware operators target Exchange servers through a series of vulnerabilities that were made public on March 3, the same day Microsoft released patches for them. The bugs had been exploited before the public announcement, and activity surrounding them increased soon after.
On March 3, CISA published an advisory on the exploitation of the Exchange vulnerabilities, and this week it announced an update for that alert, to add Malware Analysis Reports (MARs) that include information on additional attacks.
The first of these provides details on China Chopper webshells that were identified on Exchange servers following initial compromise through the aforementioned vulnerabilities, and which provide adversaries with control over the infected machine.
A total of 10 webshells were identified, CISA notes, but these should not be considered an all-inclusive list of webshells that threat actors are leveraging in attacks targeting Exchange servers.
Additionally, CISA is warning of assaults on Microsoft Exchange that are attempting to drop the DearCry ransomware on vulnerable servers.
Also referred to as DoejoCrypt, DearCry is the first ransomware family known to target Exchange servers. For over two weeks, the Black Kingdom/Pydomer ransomware has been making similar attempts.
In the newly shared MARs, CISA has included tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), to help defenders identify and remediate potential compromise.
The attacks on Microsoft Exchange servers, however, are far more diverse, and in some cases also involve the use of cryptominers. In fact, Microsoft itself warned roughly two weeks ago of activity involving the Lemon Duck cryptocurrency botnet.
Now, Sophos reveals that the targeting of Exchange servers for crypto-mining purposes dates all the way back to March 9, hours after Microsoft’s Patch Tuesday updates that addressed the exploited vulnerabilities were released. Ever since, the security firm says, an unknown actor has been compromising servers to deploy a malicious Monero miner.
What makes this attack stand out, however, is that the malicious payload itself is hosted on a compromised Exchange server and is retrieved through a PowerShell command. The payload masquerades as a legitimate utility named QuickCPU.
Within days, the miner was loaded onto multiple compromised servers, and its cryptocurrency output spiked significantly. The activity continues, albeit at a much lower pace, as the miner has lost some of the infected servers.