The initial infiltration was accomplished by leveraging the ProxyShell exploit in Microsoft Exchange servers to allow an unauthenticated attacker to execute arbitrary commands on them through an exposed HTTPS port.
As a result, the attackers were able to deploy two web shells:
C:/inetpub/wwwroot/aspnet_client/system_web/iispool.aspx
C:/inetpub/wwwroot/aspnet_client/system_web/map.aspx
These two web shells are used in conjunction with one another, and some of their functionalities overlap.
On numerous occasions, map.aspx was used to validate the results of the commands executed by iispool.aspx.
Post infection, the attackers dedicated several days to the exfiltration of PST files and other sensitive data from the compromised server.
Next, they attempted to steal credentials by creating a memory dump of lsass.exe using a LOLBin.
Finally, the attackers dropped and installed the backdoor components.
Sign Up For Threat Alerts
Aug 08, 2022
RapperBot – new evolving malware
FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...
Aug 04, 2022
Google Drive And Dropbox Used By APT29...
Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...
Aug 03, 2022
Manjusaka: A Chinese sibling of Sliver and...
Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...
Aug 03, 2022
macOS Targeted With The CloudMensis Multi-Staged Malware
ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...
Aug 01, 2022
Attackers Target Ukraine With GoMet Backdoor
Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...
Jul 31, 2022
Untangling KNOTWEED: European private-sector offensive actor using...
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...
Jul 31, 2022
Untangling KNOTWEED: European private-sector offensive actor using...
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...
Jul 26, 2022
EvilNum Targets Cryptocurrency, Forex, Commodities
Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...
Jul 25, 2022
Lightning Framework: New Undetected “Swiss Army Knife”...
Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...
Jul 24, 2022
Redeemer Ransomware
Redeemer 2.0 Being Distributed Via Affiliate Program Cyble Research Labs has constantly been tracking emerging...
Jul 21, 2022
Cobalt Strikes again: UAC-0056 continues to target...
The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that...
Jul 20, 2022
Trello From the Other Side: APT29 Phishing...
Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic...
Jul 18, 2022
New OrBit Linux Malware That Hijacks Execution...
New and entirely undetected Linux threat dubbed OrBit, signally a growing trend of malware attacks...
Jul 18, 2022
North Korean threat actor targets small and...
A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks...
Jul 13, 2022
ChromeLoader – New Stubborn Malware Campaign
A new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader and ChromeBack) was...