microsoft exchange server backdoor

An attack on the Microsoft Exchange server of an organization in Kuwait revealed two never-before-seen Powershell backdoors.

Two never-before-seen Powershell backdoors have been uncovered, after researchers recently discovered an attack on Microsoft Exchange servers at an organization in Kuwait .

The activity is tied back to the known xHunt threat group, which was first discovered in 2018 and has previously launched an array of attacks targeting the Kuwait government, as well as shipping and transportation organizations.

However, a more recently observed attack – on or before Aug. 22, 2019, based on the creation timestamps of the scheduled tasks associated with the breach – shows the attackers have updated their arsenal of tools.

The attack used two newly discovered backdoors: One that researchers called “TriFive,” and the other, a variant of a previously discovered PowerShell-based backdoor (dubbed CASHY200), which they called “Snugy.”

“Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account,” said researchers with Palo Alto’s Unit 42 team, Monday.

The Attack

Researchers said they do not yet have visibility into how the actors gained access to the Exchange server. They first became aware of the attack in September, when they were notified that threat actors breached an organization in Kuwait. The Exchange server in question had suspicious commands being executed via the Internet Information Services (IIS) process w3wp.exe.

After investigating the server, “we did discover two scheduled tasks created by the threat actor well before the dates of the collected logs, both of which would run malicious PowerShell scripts,” said researchers. “We cannot confirm that the actors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had access to the server prior to the logs.”

The two tasks in question were “ResolutionHosts” and “ResolutionsHosts.”  Both of these were created within the c:WindowsSystem32TasksMicrosoftWindowsWDI folder.

Researchers believe the attackers used these two scheduled tasks as a persistence method, as they ran the two PowerShell scripts repeatedly (one every 30 minutes and the other every five minutes). The commands executed by the two tasks attempt to run “splwow64.ps1” and “OfficeIntegrator.ps1” – which are the two backdoors.

“The scripts were stored in two separate folders on the system, which is likely an attempt to avoid both backdoors being discovered and removed,” said researchers.

TriFive Backdoor

The first backdoor, TriFive, provides backdoor access to the Exchange server by logging into a legitimate user’s inbox and obtaining a PowerShell script from an email draft within the deleted emails folder, according to researchers. This tactic has been previously utilized by the threat actor as a way of communicating with the malicious command-and-control (C2) server in a September 2019 campaign, they noted.

microsoft exchange server email compromise

The email based C2 communication method. Credit: Palo Alto Networks

“The TriFive sample used a legitimate account name and credentials from the targeted organization,” said researchers. “This suggests that the threat actor had stolen the account’s credentials prior to the installation of the TriFive backdoor.”

First, to issue commands to the backdoor, the actor would log into the same legitimate email account and create an email draft with a subject of “555,” including the command in an encrypted and base64 encoded format.

On the backdoor’s end, the PowerShell script then logs into a legitimate email account on the compromised Exchange server and checks the “Deleted Items” folder for emails with a subject of “555.” The script would execute the command found in the email via PowerShell. Finally, they would then send the command results back to the threat actor by setting the encoded ciphertext as the message body of an email draft, and saving the email again in the Deleted Items folder with the subject of “555s.”

Snugy

The other PowerShell-based backdoor, Snugy, uses a DNS-tunneling channel to run commands on the compromised server. DNS tunneling allows threat actors to exchange data using the DNS protocol, which can be used to extract data silently or to establish a communication channel with an external malicious server.

The threat actors used the Snugy backdoor to to obtain the system’s hostname, run commands and exfiltrate the results. Researchers were able to obtain the domains queried via ping requests sent from the compromised server.

“Based on the exfiltrated data from within the subdomains, we were able to determine the actors ran ipconfig /all and dir,” they said. “Unfortunately, we only had a subset of the requests so the data exfiltrated was truncated, which also suggests that the actors likely ran other commands that we did not observe.”

Researchers observed various code overlaps between Snugy and the previously uncovered CASHY200 backdoor – including similar functions used to convert strings to hexadecimal representation and generate a string of random upper and lowercase characters; as well as command handlers using the first octet of the IP address to determine the command to run and to get the hostname and run a command.

Researchers said, the xHunt campaign continues as the threat actors launch ongoing attacks against Kuwait organizations.

Based on these most recently discovered backdoors, moving forward “it appears that this group is beginning to use an email-based communication channel when they already have access to a compromised Exchange server at an organization,” they said.

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.