Morphisec identifies a highly evasive ProxyShellMiner campaign that leverages ProxyShell flaws to gain access to Windows Exchange servers and deploys a multi-stage coin-mining operation across an organization. The campaign uses domain-wide persistence, obfuscation, anti-analysis techniques, and defense evasion (including firewall rules and Defender exclusions) to remain stealthy while mining with XMRig. Hashtags: #ProxyShellMiner #ProxyShell #XMRig #mail.shaferglazer[.]com #mail.ghmproperties[.]com #mail.itseasy[.]com #mail.techniservinc[.]com
Keypoints
- ProxyShellMiner exploits ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Exchange servers to achieve initial access and deliver miners.
- Post-exploitation, attackers use the domain controller’s NETLOGON folder to propagate the miner across the domain, similar to GPO-driven software delivery.
- Attack infrastructure includes four compromised mail servers hosting the malware files as C2/VPN-like nodes.
- The malware employs obfuscation (forked Confuser) and XOR-based decryption, plus in-memory code execution via CSC.exe to run modules.
- Persistence and evasion hinge on a two-stage downloader, a scheduled task, Defender exclusions, hidden/system file attributes, and a RunPE-based hollowing stage.
- The final stage blocks outbound traffic with a firewall rule and hollows a browser process to inject XMRig, aided by the potentially vulnerable WinRing0x64.sys driver for a higher hashrate.
- Defensive guidance emphasizes patching CVE-2021-34473/34523 and applying defense-in-depth with Automated Moving Target Defense (AMTD) to disrupt runtime memory access.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The campaign “exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers for initial access and compromise of an organization to deliver crypto miners.”
- [T1053] Scheduled Task – “To gain persistence, the miner creates a scheduled task configured to run when any user logs on.”
- [T1027] Obfuscated Files and Information – “The malware author applied a forked version of ‘Confuser’ which obfuscates the code.”
- [T1140] Deobfuscate/Decode Files or Information – “ProxyShellMiner uses an embedded dictionary, an XOR decryption algorithm, and an XOR key downloaded from a remote server.”
- [T1059] Command and Scripting Interpreter – “The miner uses a C# compiler CSC.exe with ‘InMemory’ compile parameters to execute the next embedded code modules.”
- [T1055.012] Process Hollowing – “Final Stage … hollows the selected browser to inject the XMRig payload via the well-known RunPE technique.”
- [T1562.001] Disable or Modify Tools – “By using PowerShell runspace, the miner adds the process path and name of the second stage downloader … to the Defender exclusion.”
- [T1562.004] Disable/Modify System Firewall – “The final stage creates a firewall rule that applies to all Windows Firewall profiles—domain, private, and public—and blocks all outgoing traffic.”
- [T1497] Virtualization/Sandbox Evasion – the miner's dependence on a command-line parameter is described as an “anti-runtime analysis tactic”, since automated analysis that runs the sample without it does not reach the payload.
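The persistence and evasion artifacts listed in the keypoints and mapped above (Defender exclusions, an any-user logon task, a block-all-outbound firewall rule on every profile, and the WinRing0 driver) are all host state that can be enumerated directly. The hunt below is an added example written for this digest, not code from the Morphisec post; the function name, the finding object shape and the choice of checks are ours, and it only flags conditions described above rather than known-good baselines, so expect to reconcile hits against change records. Run it from an elevated PowerShell on the suspect Exchange server, domain controller or workstation.

```powershell
# Added host hunt for the ProxyShellMiner behaviours described above.
# Not code from the Morphisec write-up; function and field names are ours.
function Invoke-ProxyShellMinerHostHunt {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Technique, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Technique = $Technique; Detail = $Detail })
    }

    # T1562.001 - Defender exclusions. The miner excludes its own downloader by
    # path and process name, so list every exclusion for reconciliation.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        foreach ($x in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
            if ($x) { Add-Finding 'T1562.001' "Defender exclusion: $x" }
        }
    }

    # T1053 - scheduled tasks with a logon trigger and no UserId; such a
    # trigger fires for any user who logs on, matching the described persistence.
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($trig in @($task.Triggers)) {
            if ($trig -and $trig.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' -and -not $trig.UserId) {
                $cmd = (@($task.Actions) | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
                Add-Finding 'T1053' "Any-user logon task $($task.TaskPath)$($task.TaskName) -> $cmd"
            }
        }
    }

    # T1562.004 - an enabled outbound Block rule that applies to Domain, Private
    # and Public (or Any) and is not scoped to a program, protocol or remote
    # address blocks all egress.
    foreach ($rule in @(Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue)) {
        $prof = "$($rule.Profile)"
        $allProfiles = ($prof -eq 'Any') -or
            ($prof -match 'Domain' -and $prof -match 'Private' -and $prof -match 'Public')
        if (-not $allProfiles) { continue }
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ("$($app.Program)" -eq 'Any' -and "$($port.Protocol)" -eq 'Any' -and "$($addr.RemoteAddress)" -eq 'Any') {
            Add-Finding 'T1562.004' "Block-all-outbound rule '$($rule.DisplayName)' (profiles: $prof)"
        }
    }

    # WinRing0 - the MSR driver XMRig loads for a higher hashrate. Check both
    # registered kernel drivers and the drivers directory on disk.
    foreach ($drv in @(Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'WinRing0*' -or $_.PathName -like '*WinRing0*' })) {
        Add-Finding 'Driver' "WinRing0 service $($drv.Name) state=$($drv.State) path=$($drv.PathName)"
    }
    foreach ($f in @(Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter 'WinRing0*.sys' -ErrorAction SilentlyContinue)) {
        Add-Finding 'Driver' "WinRing0 file on disk: $($f.FullName)"
    }

    return $findings
}

# Usage: print the findings as a table; pipe to Export-Csv to keep a record.
Invoke-ProxyShellMinerHostHunt | Format-Table -AutoSize
```

The firewall check deliberately requires all three scoping filters to be "Any": legitimate outbound block rules are almost always scoped to a program or port, so a rule that is unscoped on every profile is the specific condition the post describes. Defender exclusions on a domain controller or Exchange server are rare enough that every one returned is worth an explanation.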
Indicators of Compromise
- [Domain] mail.shaferglazer[.]com – malicious files available from this server (Sept–Dec 2022). Example payloads (regex-style names; \d* denotes a run of digits): CertificatesUpdate\d*Agent.exe, CertificatesUpdateTESTAgent.exe, MailAgentMS.exe, Windows\d*MailAgent.exe, and 2 more.
- [Domain] mail.ghmproperties[.]com – malicious files no longer available from this server (May–Dec 2022). Example payloads: WinUpService.exe, Windows\d*_10Upgrade.exe, CertificateServices\d*Client.exe, and 2 more.
- [Domain] mail.itseasy[.]com – February–December 2022. Example payloads: AppUpdate_\d*.\d*.\d*.exe, AppUpdateLive_\d*.\d*.\d*.exe, and 2 more.
- [Domain] mail.techniservinc[.]com – December 2021–November 2022. Example payloads: FirefoxInstaller.exe, FireFox.exe, and 2 more.
- [URL] https://mail.shaferglazer[.]com/resources/files – remote resource hosting for downloader/files.
- [Hash] 936d851d95e621dfb220bed06011e6fac0019dba7f2e601f47764301f5ce60e9, 93430f789cc8397d6476597c54665caf3e2eaedbf90b3faa96bda207bfef0d80, and 18+ more hashes.
- [Filename] CertificatesUpdate\d*Agent.exe, Microsoft\d*MailAgent.exe, MailAgentMS.exe, Windows\d*MailAgent.exe, and 2 more file variants (regex-style names; \d* denotes a run of digits).
Read more: https://blog.morphisec.com/proxyshellminer-campaign