New PowerExchange malware backdoors Microsoft Exchange servers

Bleeping computer reports* that A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers.

After infiltrating the mail server via a phishing email containing an archived malicious executable, the threat actors deployed a web shell named ExchangeLeech (first observed by the Digital14 Incident Response team in 2020) that can steal user credentials.

The FortiGuard Labs Threat Research team found the PowerExchange backdoor on the compromised systems of a United Arab Emirates government organization. Notably, the malware communicates with its command-and-control (C2) server via emails sent using the Exchange Web Services (EWS) API, sending stolen info and receiving base64-encoded commands through text attachments to emails with the “Update Microsoft Edge” subject.

Commentary by Thomas Uhlemann, Security Specialist at ESET:

While some might have thought that attacks via fake invoices or job applications delivering malware are a thing of the past, this example proves otherwise. In fact, many APT groups, such as Lazarus, utilize such attacks preferably in spear-phishing attacks on high level targets. According to our telemetry E-Mail threats increased by 30% in 2022. For on-premises installations of mail servers and gateways it is vital to employ proper anti-phishing but also antimalware solutions, capable of scanning all mail attachments.To avoid credential stealing attacks success, it remains vital that companies adopt better password security features in their daily routines such as password managers and to enforce multi factor authentication on all important systems.”

*ESET does not bear any responsibility for the accuracy of this information.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s