Well, the Proxy Logon Microsoft Exchange vulnerability is in the news again. Attackers never stop looking for new ways to exploit known vulnerabilities. This time, attackers have been found using the Prometei botnet to exploit the Proxy Logon Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install Monero crypto-mining malware on the targets. Let’s see how the Proxy Logon Microsoft Exchange vulnerability is being exploited by the Prometei botnet.
What Do We Know About the Prometei Botnet?
Prometei is a cryptocurrency-mining botnet believed to have been created by a group of Russian speakers (not backed by the Russian government) and used for malicious activity. It is a modular, multistage cryptocurrency botnet built for both Windows and Linux platforms. The main goal of the Prometei botnet is to mine the Monero cryptocurrency, and researchers found that it spreads across networks by illegal means in order to do so.
Although Prometei was officially discovered in June 2020, researchers have recently traced the malware’s existence back to 2016. Researchers also found that over these years Prometei has seen several advancements: the malware is now loaded with sophisticated features such as a stealthy backdoor, Monero mining, and APT-like capabilities.
Researchers also discovered four different command and control (C2) servers, which strengthen the botnet’s infrastructure and make the malware more resilient against takedown attempts.
What Is Proxy Logon Microsoft Exchange Vulnerability?
In short: recently, a cyberespionage group, HAFNIUM, compromised several Microsoft Exchange servers by exploiting four vulnerabilities found in Exchange. These four vulnerabilities are collectively called the Proxy Logon Microsoft Exchange vulnerability.
CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange, which allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that allows an attacker to run code on the Exchange server. Exploiting it requires administrator privileges or another vulnerability, CVE-2021-26858.
CVE-2021-26858 & CVE-2021-27065: Post-authentication arbitrary file write vulnerabilities that allow an attacker to write a script to any location on the Exchange server. Exploiting them requires either the CVE-2021-26855 SSRF vulnerability or compromised credentials of a legitimate admin.
Who Are the Victims of Prometei Botnet Malware?
No specific targets have been observed at this point in time. A wide range of industry sectors has reported infections, including Finance, Insurance, Retail, Manufacturing, Utilities, Travel, and Construction, globally. Prometei has been observed to be active across the US, the UK, and many other European countries, as well as countries in South America and East Asia. It was also observed that the threat actors appear to avoid infecting former Soviet bloc countries. The most concerning aspect is that the targets are random, so we warn every industry across the globe.
Threat Actors Behind the Prometei Botnet:
At the time of this report, there is not much information about the threat actors. The authors of the Prometei botnet are believed to be financially motivated Russian-speaking individuals. Researchers are still collecting evidence to learn more about the threat actors behind the Prometei botnet.
Prometei Botnet IoCs:
Prometei has four C2 servers. Here is one among them.
Files of Prometei Botnet:
- C:\Windows\zsvc.exe: The initial payload downloaded from the C2 servers.
- C:\Windows\sqhost.exe: The main bot module.
- RdpClip.exe: A key component of the malware that is used to interact with the other components and make them work together.
- Miwalk.exe: A customized version of Mimikatz used for credential harvesting.
- ExchDefender.exe: Creates a service named “Microsoft Exchange Defender” [MSExchangeDefenderPL] that is set to execute the binary (from C:\Windows).
- SearchIndexer.exe: Open-source Monero mining software. Check whether it has been installed illegally (note that a legitimate Windows Search binary of the same name also exists).
- Netwalker.7z: An archive containing an application, downloaded from the C2.
- Nethelper2.exe and Nethelper4.exe: Create connections to SQL servers in the network and try to infect them with the main module.
- Windrlver.exe: OpenSSH- and SSLib-based software that the attackers created so they can spread across the network using SSH.
Prometei Botnet Toolset:
Since 2019, the malware has kept evolving, adding more and more functionality. It may have used plenty of tools and may add even more. Researchers have found only the few tools below in their research, since attackers do not use the complete toolset in a single attack. Researchers are trying to discover more tools as they investigate more attacks.
- C:\Work\Tools_2019\prometei\rdpexec\shift – bot\Release\shift.pdb
- C:\Work\Tools_2019\prometei\scan_rdp\rdp_checker\RDPDetect (rdp_checker)\RDPDetect\bin\Release\CryptoObfuscator_Output\nethost.pdb
What Is the Real Motive Behind This Attack?
Not all attackers, cybercriminals, and threat actors conduct attacks for the same reason. Some attacks are carried out to steal sensitive information, some to cause damage, some for political intent, but one thing is common to all of them: profit. Every attack is carried out to reap some benefit in one form or another.
The main reason behind this attack is to install Monero crypto-mining malware on the targets. Monero is one of the world’s most popular cryptocurrencies. The threat actors want to join more servers to the blockchain network and harness their computing resources to mine cryptocurrency. Mining cryptocurrency has become a kind of race, since a reward is paid to whoever first verifies a block of transactions.
Cryptocurrency mining is legal. But in this attack, the threat actors compromise other people’s servers to fulfill the high computational requirement needed to verify blocks of transactions.
Watch this video to learn how cryptocurrency mining works.
How Is Microsoft Exchange Vulnerability Being Exploited by Prometei Botnet?
The Proxy Logon vulnerability is made up of four vulnerabilities. When all four are chained together, they form a pre-authentication remote code execution (RCE) exploit. This allows attackers to take over a Microsoft Exchange server without credentials, giving them access to email communications and the ability to install web shells for further exploitation, such as hosting ransomware and crypto miners.
In this attack, the attackers try to exploit North American companies using two of the Proxy Logon vulnerabilities on Exchange servers: CVE-2021-27065 and CVE-2021-26858. These are post-authentication arbitrary file write vulnerabilities that allow an attacker to write a script to any location on the Exchange server.
The attacker uses these Microsoft Exchange vulnerabilities to install and execute the China Chopper web shell. The attackers then use this web shell to launch PowerShell, which downloads the malware payload from a web URL the attackers control. The payload then executes and starts the Prometei botnet.
Technical Details About Prometei Botnet:
- The Prometei botnet first starts its execution from the ‘zsvc.exe’ file, which then prepares the environment for the other modules.
- The Prometei botnet copies the ‘zsvc.exe’ file into C:\Windows and renames it to ‘sqhost.exe’.
- The malware looks for a registry key named ‘UPlugPlay’ and deletes it if found.
- The bot then sets the registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay’ with the image path and command line c:\windows\sqhost.exe Dcomsvc.
- It then creates multiple registry values underneath SOFTWARE\Microsoft\Fax and SOFTWARE\Intel\support with the names MachineKeyId, EncryptedMachineKeyId, and commit, for later use by the different components for C2 communication.
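The indicators above (the dropped file names, the IIS worker spawning PowerShell for the China Chopper web shell, the UPlugPlay service key with the sqhost.exe Dcomsvc command line, the fake “Microsoft Exchange Defender” service, and the staging values under Fax and Intel\support) can be turned into a simple hunt over endpoint telemetry. The script below is an added example written for this post, not code from Cybereason or from the Prometei analysis; the Sysmon-style event dictionaries, rule names and sample events are constructed for illustration, and the attacker URL is a placeholder.

```python
"""
Added example: hunt constructed Sysmon-style events for the Prometei /
Proxy Logon behaviours described in the post.  Event shapes, rule names
and sample events are constructed for this example; nothing here is
taken from a real telemetry pipeline.
"""
import re
from dataclasses import dataclass

# File names the post attributes to Prometei (constructed from its IoC list).
PROMETEI_BINARIES = {
    "zsvc.exe", "sqhost.exe", "rdpclip.exe", "miwalk.exe", "exchdefender.exe",
    "searchindexer.exe", "nethelper2.exe", "nethelper4.exe", "windrlver.exe",
}
# rdpclip.exe and searchindexer.exe are also legitimate Windows binaries.  The
# genuine copies live under System32/SysWOW64; Prometei drops its files
# elsewhere (the post names C:\Windows), so the path decides whether we fire.
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Values written under SOFTWARE\Microsoft\Fax and SOFTWARE\Intel\support.
STAGING_VALUE_RE = re.compile(
    r"\\software\\(microsoft\\fax|intel\\support)\\"
    r"(machinekeyid|encryptedmachinekeyid|commit)$"
)


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Process-creation event: web shell child, dropped binaries, main module."""
    findings = []
    image = ev.get("image", "")
    name = _basename(image)
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    # China Chopper runs inside the IIS worker; a shell as its child is the tell.
    if parent == "w3wp.exe" and name in {"powershell.exe", "cmd.exe"}:
        findings.append(Finding("webshell-child", f"w3wp.exe spawned {name}: {cmd}"))
    if name in PROMETEI_BINARIES and not image.lower().startswith(LEGIT_DIRS):
        findings.append(Finding("prometei-binary", image))
    # The persisted main module is launched as "sqhost.exe Dcomsvc".
    if name == "sqhost.exe" and "dcomsvc" in cmd.lower():
        findings.append(Finding("prometei-main-module", cmd))
    return findings


def check_registry(ev: dict) -> list:
    """Registry event: UPlugPlay service key and the C2 staging values."""
    findings = []
    key = ev.get("target_object", "").lower()
    if "\\services\\uplugplay" in key:
        findings.append(Finding("uplugplay-service-key", ev.get("target_object", "")))
    if STAGING_VALUE_RE.search(key):
        findings.append(Finding("prometei-staging-value", ev.get("target_object", "")))
    return findings


def check_service(ev: dict) -> list:
    """Service-install event: the fake 'Microsoft Exchange Defender' service."""
    if (ev.get("service_name") == "MSExchangeDefenderPL"
            or ev.get("display_name") == "Microsoft Exchange Defender"):
        return [Finding("fake-exchange-defender-service", ev.get("image_path", ""))]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "service": check_service}


def hunt(events: list) -> list:
    """Run every event through the check for its type; return all findings."""
    findings = []
    for ev in events:
        findings.extend(CHECKS.get(ev.get("type"), lambda _e: [])(ev))
    return findings


# Constructed sample telemetry following the chain described in the post.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "command_line": "powershell.exe -WindowStyle Hidden <download of C:\\Windows\\zsvc.exe "
                     "from http://ATTACKER_URL_PLACEHOLDER/, elided>"},
    {"type": "process", "image": "C:\\Windows\\sqhost.exe", "parent_image": "C:\\Windows\\zsvc.exe",
     "command_line": "c:\\windows\\sqhost.exe Dcomsvc"},
    {"type": "registry", "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\UPlugPlay\\ImagePath",
     "details": "c:\\windows\\sqhost.exe Dcomsvc"},
    {"type": "registry", "target_object": "HKLM\\SOFTWARE\\Microsoft\\Fax\\MachineKeyId",
     "details": "<constructed value>"},
    {"type": "service", "service_name": "MSExchangeDefenderPL",
     "display_name": "Microsoft Exchange Defender", "image_path": "C:\\Windows\\ExchDefender.exe"},
    # Benign: the genuine Windows Search indexer must not fire despite its name.
    {"type": "process", "image": "C:\\Windows\\System32\\SearchIndexer.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Feeding the constructed events through `hunt()` yields six findings, one for each stage of the chain plus the separate name match on the dropped sqhost.exe, while the genuine SearchIndexer.exe under System32 is ignored. In a real deployment, the path-based exception for rdpclip.exe and searchindexer.exe is what keeps the file-name rule from paging on every workstation.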
Please visit the Cybereason post for comprehensive technical details.