New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government

May 25, 2023 | Ravi Lakshmanan | Email Security / Exploits


An unnamed government entity associated with the United Arab Emirates (UAE) was targeted, most likely by Iranian threat actors, with a “simple and effective” backdoor dubbed PowerExchange that was used to compromise the victim’s Microsoft Exchange Server.

According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as the initial access vector, leading to the execution of a .NET executable contained in a ZIP file attachment.

The binary, which masquerades as a PDF document, acts as a dropper: it writes the final payload to disk, executes it, and thereby launches the backdoor.

PowerExchange is written in PowerShell and uses text files attached to emails for command-and-control (C2) communication. Through this channel the attacker can execute arbitrary payloads on the host and upload files to and download files from the compromised system.

The custom implant achieves this by using the Exchange Web Services (EWS) API to connect to the victim’s own Exchange server, then using mailboxes on that server to send encoded commands from the operator to the implant and results back to the operator.

“Because Exchange Server is accessible from the Internet, it saves C2 communication from devices inside the organization to external servers,” said the Fortinet researchers. “It also acts as a proxy for attackers to hide themselves.”


It is currently not known how the threat actor obtained the domain credentials used to authenticate to the target Exchange Server.

Fortinet’s investigation also found that the Exchange Server itself had been backdoored with several web shells, tracked as ExchangeLeech (aka System.Web.ServiceAuthentication.dll), which provided persistent remote access and harvested user credentials.
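The article gives one concrete host-based indicator for ExchangeLeech: a file named System.Web.ServiceAuthentication.dll. The following PowerShell, an added example written for this page and not code from Fortinet’s report, sweeps the directories where an IIS module or web shell on an Exchange server would plausibly live for that file name, records hash and Authenticode status for each hit, and then checks IIS configuration files for a module registration carrying the same name. The search roots, the use of the ExchangeInstallPath environment variable, and the applicationHost.config path are assumptions about a typical Exchange deployment; a hit is a lead to triage, not proof of compromise on its own.

```powershell
# Added example: hunt an Exchange server for the ExchangeLeech file name named in the
# article. Directory roots and env-var use are assumptions; adjust for your deployment.
$Name = 'System.Web.ServiceAuthentication.dll'

# Assumed locations: IIS content, the Exchange install tree (ExchangeInstallPath is set
# on Exchange servers and empty elsewhere), and the .NET framework directories.
$Roots = @(
    "$env:SystemDrive\inetpub",
    $env:ExchangeInstallPath,
    "$env:SystemRoot\Microsoft.NET"
) | Where-Object { $_ -and (Test-Path -Path $_) }

# 1. File-name sweep. Unsigned or untrusted DLLs under these roots deserve a closer look.
$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Filter $Name -ErrorAction SilentlyContinue
}

$report = foreach ($f in $hits) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path       = $f.FullName
        SizeBytes  = $f.Length
        CreatedUtc = $f.CreationTimeUtc
        Signature  = $sig.Status          # 'Valid' for Microsoft-signed binaries
        Signer     = $sig.SignerCertificate.Subject
        SHA256     = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
    }
}

if ($report) {
    $report | Format-List
} else {
    "No file named $Name found under: $($Roots -join ', ')"
}

# 2. Configuration sweep. A module only runs inside IIS if something registers it, so
#    look for the name in applicationHost.config and in every web.config under the roots.
$configs = @("$env:SystemRoot\System32\inetsrv\config\applicationHost.config")
$configs += foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Filter 'web.config' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

$configs |
    Where-Object { Test-Path -Path $_ } |
    Select-String -Pattern 'ServiceAuthentication' -SimpleMatch |
    ForEach-Object { "{0}:{1}: {2}" -f $_.Path, $_.LineNumber, $_.Line.Trim() }
```

Run this from an elevated prompt on each Exchange server; review any configuration hit manually, since the string match is deliberately loose. Pair the file sweep with a comparison of the reported SHA256 values against a known-good Exchange build, because a legitimate Microsoft DLL will carry a valid Microsoft signature while a dropped web shell typically will not.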


PowerExchange is suspected to be an upgraded version of TriFive, a backdoor previously used by the Iranian state-sponsored actor APT34 (aka OilRig) in intrusions targeting Kuwaiti government agencies.

Routing C2 communication through Internet-facing Exchange servers is also a tried-and-tested OilRig tactic, as previously observed with the Karkoff and MrPerfectionManager implants.

“Using the victim’s Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily evade nearly all network-based detections and remediations inside and outside the target organization’s infrastructure,” the researchers wrote.
