HomeWinBuzzer NewsMicrosoft Exchange Servers Targeted by New PowerShell Backdoors

Microsoft Exchange Servers Targeted by New PowerShell Backdoors

Researchers says two new PowerShell backdoors were used against a Microsoft Exchange server of a Kuwait organization.

-

Security researchers have discovered a pair of brand-new vulnerabilities following an attack on a server. While the attacks are from last year, it seems the responsible group used a new method.

According to Palo Alto's Unit 42 security team, a threat group called xHunt is responsible for the attack. This group has been known to target organizations in Kuwait, including a 2018 breach of the country's government system.

A newer attack that occurred around August 22, 2019 shows the group has a new way of breaching targets. Specifically, two new PowerShell backdoors were used. One has been dubbed “TriFive” and other is called “Snugy.”

“Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account,” say researchers from the Palo Alto team.

How it Happened

While last year's attack has been discovered, researchers are not clear how the group succeeded in accessing a Microsoft Exchange server. The attack was reported over a year after it happened when an organization found suspicious commands though the Internet Information Services (IIS) process w3w.exe.

On the server, the team says it “did discover two scheduled tasks created by the threat actor well before the dates of the collected logs, both of which would run malicious PowerShell scripts. We cannot confirm that the actors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had access to the server prior to the logs.”

Two scheduled tasks “ResolutionHosts” and “ResolutionsHosts” were used in c:\Windows\System32\Tasks\Microsoft\Windows\WDI to persistently run PowerShell scripts every 30 minutes and every five minutes.

“The scripts were stored in two separate folders on the system, which is likely an attempt to avoid both backdoors being discovered and removed,” add the researchers.

SourceUnit 42
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News