Microsoft Exchange ProxyShell flaws exploited in new crypto-mining attack

A new malware dubbed 'ProxyShellMiner' exploits the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners throughout a Windows domain to generate profit for the attackers.

ProxyShell is the name of three Exchange vulnerabilities discovered and fixed by Microsoft in 2021. When chained together, the vulnerabilities allow unauthenticated, remote code execution, letting attackers take complete control of the Exchange server and pivot to other parts of the organization's network.

In attacks seen by Morphisec, the threat actors exploit the ProxyShell flaws tracked as CVE-2021-34473 and CVE-2021-34523 to gain initial access to the organization's network.

Next, the threat actors drop a .NET malware payload into the NETLOGON folder of the domain controller to ensure that all devices on the network run the malware.

For the malware to activate, it requires a command line parameter that also dubs as a password for the XMRig miner component.

"ProxyShellMiner uses an embedded dictionary, an XOR decryption algorithm, and an XOR key downloaded from a remote server," describes the Morphisec report.

"Then, it uses a C# compiler CSC.exe with "InMemory" compile parameters to execute the next embedded code modules."

In the next phase, the malware downloads a file named "DC_DLL" and performs .NET reflection to extract arguments for the task scheduler, XML, and the XMRig key. The DLL file is utilized for the decryption of additional files.

A second downloader establishes persistence on the infected system by creating a scheduled task that is configured to run upon the user's login. Finally, the second loader is downloaded from a remote resource, along with four other files.

That file decides which browser of those installed on the compromised system will be used for injecting the miner into its memory space, using a technique known as "process hollowing." After that, it picks a random mining pool from a hardcoded list, and the mining activity begins.

The final step in the attack chain is to create a firewall rule that blocks all outgoing traffic, which applies to all Windows Firewall profiles.

The purpose of this is to make it less likely for defenders to detect infection markers or receive any alerts about a potential compromise from the breached system.

To evade security tools that monitor process runtime behavior, the malware waits at least 30 seconds after the browser's hollowing before creating the firewall rule. Possibly, the miner continues to communicate with its mining pool via a backdoor that isn't monitored by security tools.

Morphisec warns that the impact of the malware goes beyond causing service outages, degrading server performance, and overheating computers.

Once the attackers have gained a foothold in the network, they can do anything from backdoor deployment to code execution.

To address the risk of ProxyShellMiner infections, Morphisec advises all admins to apply available security updates and use comprehensive and multi-faceted threat detection and defense strategies.