A new malware dubbed ‘ProxyShellMiner’ exploits the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners throughout a Windows domain to generate profit for the attackers.
ProxyShell is the name of three Exchange vulnerabilities discovered and fixed by Microsoft in 2021. When chained together, the vulnerabilities allow unauthenticated, remote code execution, letting attackers take complete control of the Exchange server and pivot to other parts of the organization’s network.
In attacks seen by Morphisec, the threat actors exploit the ProxyShell flaws tracked as CVE-2021-34473 and CVE-2021-34523 to gain initial access to the organization’s network.
Next, the threat actors drop a .NET malware payload into the NETLOGON folder of the domain controller to ensure that all devices on the network run the malware.
For the malware to activate, it requires a command-line parameter that also doubles as a password for the XMRig miner component.
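Because the loader is staged in the domain controller's NETLOGON share so that every domain member picks it up, a practical defensive check is to inventory recently changed executable content in that share. The PowerShell below is an added example, not code from the article or from Morphisec's analysis; the share path derived from `$env:USERDNSDOMAIN`, the extension list and the seven-day window are assumptions to tune for your environment.

```powershell
# Added example (not from the article): audit the domain NETLOGON share for
# recently modified executable content. Assumes a domain-joined Windows host
# with read access to \\<domain>\NETLOGON.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: take the domain from the logged-on session
    [int]$Days = 7                          # assumption: look-back window
)

$share  = "\\$Domain\NETLOGON"
$cutoff = (Get-Date).AddDays(-$Days)

# Extensions a dropped .NET loader or helper script would plausibly use (assumed list)
$suspectExt = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js')

$findings = Get-ChildItem -Path $share -Recurse -File -ErrorAction Stop |
    Where-Object { $suspectExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        # Unsigned or tampered binaries in NETLOGON deserve a closer look
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature     = $sig.Status        # NotSigned / Valid / HashMismatch ...
            Signer        = $sig.SignerCertificate.Subject
        }
    }

if ($findings) {
    $findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
} else {
    Write-Host "No executable content modified in the last $Days days under $share"
}
```

Run it from a domain-joined workstation or the DC itself; anything listed that is unsigned, recently written and not part of a known logon-script change should be hashed, quarantined and correlated with process-creation telemetry (the miner's required command-line parameter shows up in command-line logging such as Windows event 4688 or Sysmon event 1).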