New crypto-mining attack exploits vulnerabilities in Microsoft Exchange ProxyShell

Russell Kidson
Feb 18, 2023


A recently discovered malware called 'ProxyShellMiner' takes advantage of the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners within a Windows domain, thereby generating profits for the attackers. 


The term ProxyShell refers to three Exchange vulnerabilities that Microsoft patched in 2021. Chained together, they enable unauthenticated remote code execution, giving threat actors full control of the Exchange server and a foothold from which to move laterally into other parts of the organization's network.

Morphisec reports that the attackers take advantage of the ProxyShell vulnerabilities referred to as CVE-2021-34473 and CVE-2021-34523 to gain initial entry into the organization's network.

The threat actors then drop a .NET malware payload into the NETLOGON directory of the domain controller, so that every device that connects to the domain executes the malware. The malware only activates after it receives a command line parameter that doubles as the password for its XMRig miner component.

According to the Morphisec report, the ProxyShellMiner malware employs an embedded dictionary, an XOR decryption algorithm, and an XOR key that is downloaded from a remote server. It then uses the C# compiler CSC.exe with "InMemory" compile parameters to execute the next embedded code modules.

In the subsequent phase, the malware downloads a file known as "DC_DLL" and performs .NET reflection to extract arguments for the task scheduler, XML, and the XMRig key. The DLL file is utilized for decrypting additional files.

To establish persistence on the infected system, a second downloader creates a scheduled task configured to run upon the user's login. Finally, the second loader and four other files are downloaded from a remote resource. ProxyShellMiner selects a browser from those available on the compromised system to inject the miner into its memory space, utilizing a process called "process hollowing." It then randomly selects a mining pool from a list hardcoded into the malware, and the mining process commences.

The final stage of the attack chain creates a Windows Firewall rule that blocks all outgoing traffic, applied to every firewall profile. The goal is to reduce the chance that defenders spot indicators of the infection or receive alerts about the compromised system.

To avoid detection by security tools that track process runtime behavior, the malware waits for at least 30 seconds after the browser hollowing before generating the firewall rule. It is possible that the miner continues to communicate with its mining pool through an unmonitored backdoor.
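The host-level artifacts described above (an executable written to the domain controller's NETLOGON share, a scheduled task that fires at logon, a browser process start, and a firewall rule blocking all outbound traffic on every profile roughly 30 seconds or more later) lend themselves to a simple correlation rule. The following is an added example written for this article, not code from Morphisec or from the malware: it runs over constructed, Sysmon-style event records. The field names (`kind`, `path`, `trigger`, `direction`, `action`, `profiles`, `program`), the browser image list, the 30-second to 10-minute window, and the sample file and task names are all assumptions for the example and should be mapped onto your own telemetry schema.

```python
"""Added example: correlate the ProxyShellMiner-style artifact sequence over
constructed event records. Not code from the article, Morphisec, or the malware."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: browsers an attacker might pick for process hollowing on a typical host.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # constructed kinds: file_create, task_create, process_create, fw_rule_create
    data: dict   # kind-specific fields, see build_sample() below


def is_netlogon_drop(ev):
    """Executable or DLL written into a NETLOGON share (UNC path form assumed)."""
    path = ev.data.get("path", "").lower().replace("/", "\\")
    return ev.kind == "file_create" and "\\netlogon\\" in path and path.endswith((".exe", ".dll"))


def is_logon_task(ev):
    """Scheduled task registered with a logon trigger (the persistence step in the article)."""
    return ev.kind == "task_create" and ev.data.get("trigger", "").lower() == "logon"


def is_block_all_outbound(ev):
    """Firewall rule that blocks all outbound traffic for any program on all profiles."""
    d = ev.data
    return (ev.kind == "fw_rule_create"
            and d.get("direction", "").lower() == "out"
            and d.get("action", "").lower() == "block"
            and d.get("profiles", "").lower() in {"any", "all"}
            and d.get("program", "any").lower() == "any")


def correlate(events, min_gap=timedelta(seconds=30), max_gap=timedelta(minutes=10)):
    """Return (host, severity, description) findings, one per matching event.

    A block-all-outbound rule is flagged on its own; it is escalated to "high"
    when a browser started on the same host between min_gap and max_gap earlier,
    matching the >=30 s delay the article describes."""
    findings = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        browser_starts = [e.ts for e in evs if e.kind == "process_create"
                          and e.data.get("image", "").lower() in BROWSER_IMAGES]
        for e in evs:
            if is_netlogon_drop(e):
                findings.append((host, "medium", f"executable written to NETLOGON share: {e.data['path']}"))
            elif is_logon_task(e):
                findings.append((host, "low", f"scheduled task with logon trigger: {e.data.get('name', '?')}"))
            elif is_block_all_outbound(e):
                precursor = any(min_gap <= e.ts - t <= max_gap for t in browser_starts)
                sev = "high" if precursor else "medium"
                findings.append((host, sev, "firewall rule blocking all outbound traffic on all profiles"
                                 + (" within minutes of a browser start" if precursor else "")))
    return findings


T0 = datetime(2023, 2, 1, 9, 0, 0)


def build_sample(fw_delay_seconds=40):
    """Constructed telemetry; the firewall rule lands fw_delay_seconds after the browser start.
    File and task names are made up for the example."""
    return [
        Event(T0, "DC01", "file_create", {"path": r"\\DC01\NETLOGON\svchost_update.exe"}),
        Event(T0 + timedelta(seconds=10), "WS01", "task_create", {"name": "UpdateCheck", "trigger": "logon"}),
        Event(T0 + timedelta(seconds=60), "WS01", "process_create", {"image": "chrome.exe"}),
        Event(T0 + timedelta(seconds=60 + fw_delay_seconds), "WS01", "fw_rule_create",
              {"direction": "out", "action": "block", "profiles": "any", "program": "any"}),
        # Benign-looking control: outbound block scoped to one program on one profile.
        Event(T0 + timedelta(seconds=120), "WS02", "fw_rule_create",
              {"direction": "out", "action": "block", "profiles": "domain", "program": r"C:\app\client.exe"}),
    ]


if __name__ == "__main__":
    for host, sev, desc in correlate(build_sample()):
        print(f"{host} [{sev}] {desc}")
```

The per-program rule on WS02 is deliberately not flagged: the signal in the article is a rule that blocks everything outbound on every profile, which almost no legitimate software creates, and its value as a detection comes from its proximity to a browser start rather than from the rule alone.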

Morphisec has raised the alarm that the consequences of the malware go beyond mere service disruptions, causing performance degradation and hardware overheating. As soon as the hackers have penetrated the network, they can execute any action from deploying backdoors to running code.

Morphisec recommends that administrators implement the available security patches and adopt multi-faceted threat detection and defense mechanisms to mitigate the risk of ProxyShellMiner infections.
