PHOSPHORUS Automates Initial Access Using ProxyShell

APT35 (PHOSPHORUS/UNC2448) leveraged Microsoft Exchange ProxyShell vulnerabilities to gain initial access, deploy web shells, and perform post-exploitation tasks, including credential dumping and payload deployment. The activity appears scripted and automated, with two bursts over about three days, involving a Go-based proxy tool and multiple persistence, discovery, and exfiltration steps. Hashtags: #PHOSPHORUS #UNC2448 #NemesisKitten #DEV-0270 #APT35 #ProxyShell #FRP #FastReverseProxy #LSASSDump #dllhost

Keypoints

  • Initial access exploited via Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to place web shells.
  • Attack activity occurred in two bursts over ~3 days, with evidence of automated scripting (python-requests/2.26.0 and python-urllib3/1.26.7 user agents).
  • Persistence established through scheduled tasks and a newly created account added to Remote Desktop Users and Local Administrators groups.
  • Web shell activity included a DLL shell (dllhost.exe) that referenced Fast Reverse Proxy (FRP) and connected to suspect domains.
  • Credential access and defense evasion included disabling LSA protection, enabling WDigest, and dumping LSASS memory, with results exfiltrated via the web shell.
  • Discovery and collection used Windows native tools (net, ipconfig, Get-WMIObject) and targeted data such as domain controller information and email addresses.
  • Exfiltration focused on an LSASS dump archive; overall impact was limited because the actor was evicted, and the report's earlier case involving this actor suggests ransomware would likely have followed.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “As similarly seen in our previous report Exchange Exploit Leads to Domain Wide Ransomware, this threat actor utilized the Microsoft Exchange ProxyShell vulnerabilities; an exploit chain of 3 different CVEs” (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
  • [T1003] OS Credential Dumping – “disabled LSA protection, enabled WDigest for access to plain text credentials later, dumped the LSASS process memory, and downloaded the results via the web shell.”
  • [T1098] Account Manipulation – “The account was then added to the ‘remote desktop users’ and ‘local administrators users’ groups.”
  • [T1078] Valid Accounts – “they gained a valid privileged session using CVE-2021-34473 and CVE-2021-34523.”
  • [T1105] Ingress Tool Transfer – “a file masquerading as dllhost.exe … downloaded from the same IP as observed in the prior case and connecting to suspect domains.”
  • [T1036.005] Match Legitimate Name or Location – “a file masquerading as dllhost.exe that exhibited similarities to a proxy tool called Fast Reverse Proxy (with modifications)…”
  • [T1543.003] Windows Service – “Remote Desktop Services was started.” (and related service start actions in defense evasion)
  • [T1505.003] Web Shell – “The web shell had predefined functions for special actions” and “execution of commands via the web shell.”
  • [T1082] System Information Discovery – “enumerated the environment using Windows native programs such as net and ipconfig.”
  • [T1016] System Network Configuration Discovery – same discovery activity via ipconfig and related commands.
  • [T1033] System Owner/User Discovery – “Get-Recipient … | Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress” used to enumerate user email addresses.
  • [T1059.003] Windows Command Shell – “PowerShell commands … and specific PowerShell-based actions” used during execution and discovery.

Indicators of Compromise

  • [Network] context – 148.251.71[.]182, 107.173.231[.]114, tcp443.msupdate[.]us, kcp53.msupdate[.]us, and related C2 domains
  • [Network] user agents – python-urllib3/1.26.7, python-requests/2.26.0
  • [File] notable filenames – aspx_dyukbdcxjfi.aspx, dllhost.exe, wininet.xml, wininet.bat, user.exe, task_update.exe
  • [Hash] file hashes – 1a5ad24a6880eea807078375d6461f58, da2470c3990ea0862a79149c6036388498da83cd, 84f77fc4281ebf94ab4897a48aa5dd7092cc0b7c78235965637eeef0908fb6c7
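As an added example (not code from the report or its authors), the following script applies the network and file indicators above to IIS W3C request logs from an Exchange front end: it flags requests carrying the scripted user agents, requests from the listed IPs, and requests to `.aspx` resources matching the `aspx_<random letters>` naming of the observed web shell, grouped by client IP so the bursts described in the keypoints become visible. The W3C field order, the log lines and the web shell path are constructed for the example; only the user agents, IPs and web shell filename come from the report.

```python
import re
from collections import defaultdict

# Indicators taken from the report above; everything else in this block is constructed.
SUSPECT_UAS = {"python-requests/2.26.0", "python-urllib3/1.26.7"}
SUSPECT_IPS = {"148.251.71.182", "107.173.231.114"}
WEBSHELL_NAME = re.compile(r"/aspx_[a-z]{6,}\.aspx$", re.I)  # e.g. aspx_dyukbdcxjfi.aspx

# Assumed W3C field order; match it to the #Fields directive in your own IIS logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log (documentation-range client IPs, invented web shell path).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-01-10 09:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2022-01-10 09:16:40 10.0.0.5 POST /aspx_dyukbdcxjfi.aspx - 443 - 203.0.113.9 python-requests/2.26.0 200
2022-01-10 09:16:41 10.0.0.5 POST /aspx_dyukbdcxjfi.aspx - 443 - 203.0.113.9 python-urllib3/1.26.7 200
2022-01-12 14:02:11 10.0.0.5 GET /owa/ - 443 - 148.251.71.182 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts; #directives, blank and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not line.startswith("#") and len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def match_reasons(row):
    """Return the list of indicator matches for one request (empty list if none)."""
    reasons = []
    if row["cs(User-Agent)"] in SUSPECT_UAS:
        reasons.append("scripted user agent")
    if row["c-ip"] in SUSPECT_IPS:
        reasons.append("known actor IP")
    if WEBSHELL_NAME.search(row["cs-uri-stem"]):
        reasons.append("web shell naming pattern")
    return reasons


def find_suspicious(text):
    """Group flagged requests by client IP: {c-ip: [(timestamp, uri, reasons), ...]}."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        reasons = match_reasons(row)
        if reasons:
            hits[row["c-ip"]].append((f"{row['date']} {row['time']}", row["cs-uri-stem"], reasons))
    return dict(hits)
```

Run `find_suspicious` over a real log export to get the same per-IP grouping; sorting each IP's timestamps then shows whether the activity clusters into short bursts like the two described above.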

Read more: https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/