Morphisec has recently identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints.
As the name suggests, ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers to gain initial access to an organization and deliver crypto miners. After breaching an Exchange server and obtaining control, the attackers place the miner in the domain controller’s NETLOGON folder so that it executes throughout the domain, much as software is delivered through GPO. Morphisec detected four C2 servers in use by the attackers. All are legitimate, compromised mail servers that host the files the malware depends on.
Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and service outages. Unfortunately, mining threats are often disregarded or deprioritized until the same backdoor is used to deliver ransomware.