Cybercriminals are now uploading cryptomining malware onto vulnerable Microsoft Exchange Servers, according to a new report from Sophos.
In a recent blog post, the cybersecurity giant said an unknown attacker has been attempting to leverage the ProxyLogon exploit “to foist a malicious Monero cryptominer onto Exchange server with the payload being hosted on a compromised Exchange server.”
The company’s Sophos Labs team came across the attack while inspecting telemetry.
According to Sophos researchers, the attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).
Instead of being a compressed archive, that .zip file is a batch script that then invokes the certutil.exe program built into Windows to download two additional files, win_s.zip and win_d.zip, neither of which is a compressed file either.
“The first file is written out to the filesystem as QuickCPU.b64,” researchers wrote in a Sophos blog. “The certutil application is designed to be able to decode base64-encoded security certificates, so the attackers have leveraged that functionality by encoding an executable payload in base64 and wrapping it in headers that indicate it is some form of digital certificate.”
The batch script runs a certutil command that writes the decoded executable into the same directory. That executable then extracts the miner and its configuration data from the QuickCPU.dat file and injects the miner into a system process, after which the script deletes the evidence.
The file masquerades as a Windows component, but no such component has ever shipped with Windows; a legitimate third-party utility of the same name does exist, but it is unrelated to this malware.
“When it runs, it extracts the contents of the QuickCPU.dat file (an installer for the miner, and its configuration) temporarily to the filesystem, configures the miner, injects it into a running process, then quits,” Sophos says in the blog. “The batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system.”
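The certutil step above works because certutil will decode any base64 body that sits between certificate headers, so a defender can check a suspicious “certificate” file by decoding it and looking at what the bytes actually are. The following is an added example written for this article, not Sophos’s tooling or anything from the attacker; the two PEM samples are constructed inline (a fake PE header wrapped in certificate headers, and a DER-like body) and are not real malware.

```python
import base64
import re

# Constructed sample: a fake PE image (starts with "MZ") wrapped in certificate
# headers, mimicking the QuickCPU.b64 trick described in the article.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
CERT_WRAPPED_PE = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_PE)
    + b"-----END CERTIFICATE-----\n"
)

# Constructed sample of what a genuine certificate body looks like once decoded:
# DER-encoded X.509 begins with an ASN.1 SEQUENCE tag (0x30).
REAL_CERT = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82\x01\x0a" + b"\x00" * 40)
    + b"-----END CERTIFICATE-----\n"
)

# Matches one PEM block; the backreference makes BEGIN/END labels agree.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify(raw: bytes) -> str:
    """Label decoded PEM contents by their leading bytes."""
    if raw[:2] == b"MZ":
        return "pe_executable"      # a Windows executable, not a certificate
    if raw[:1] == b"\x30":
        return "der_like"           # plausible ASN.1 / X.509 structure
    return "unknown"


def inspect_pem(data: bytes) -> dict:
    """Decode every PEM block in `data` and flag any whose body is a PE file."""
    blocks = []
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError as exc:   # binascii.Error is a ValueError subclass
            blocks.append({"label": label, "error": str(exc)})
            continue
        blocks.append({"label": label, "bytes": len(raw), "kind": classify(raw)})
    suspicious = any(b.get("kind") == "pe_executable" for b in blocks)
    return {"blocks": blocks, "suspicious": suspicious}
```

Run `inspect_pem` over any .b64, .cer or .crt file dropped in an unexpected location; a “certificate” whose decoded body starts with MZ is a wrapped executable.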
The payload sets up the miner so that communication only happens with a secure TLS connection back to the Monero wallet where the cryptocurrency is stored. If a certificate mismatch is detected, the miner quits and tries to reconnect every half minute.
“The miner’s pools.txt file is also temporarily written to disk, which reveals not only the wallet address and its password, but also the name the attacker has given to this pool of miners: DRUGS,” Sophos says. “The "currency": "randomx" entry in this file appears to be a configuration specific to the xmr-stak miner.”
Sophos says the wallet began receiving the funds on March 9, when Microsoft released Exchange updates as part of its monthly Tuesday patch cycle.
The attacker has lost several of the compromised servers since then, but has gained new ones to make up for the early losses, Sophos says.