A newly identified malware named PowerExchange has emerged in attack operations. This novel backdoor uses PowerShell as its primary scripting language and was used to establish backdoors on on-premises Microsoft Exchange servers. The attack incidents involving the threat could be linked to the Iranian state hackers tracked as APT34 (Advanced Persistent Threat 34).
The attack vector employed by the threat actors involved infiltrating the targeted mail server through a phishing email. The email contained a compressed archive housing a malicious executable. Once executed, it deployed PowerExchange, enabling the hackers to gain unauthorized access to and control over the compromised Microsoft Exchange servers. The threat actors also used a Web shell tracked as ExchangeLeech, first uncovered in 2020, to exfiltrate sensitive data, primarily the user credentials stored within the compromised Microsoft Exchange servers.
The usage of PowerExchange malware, in conjunction with the ExchangeLeech Web shell, demonstrates the sophisticated tactics employed by APT34 in their threatening activities. The PowerExchange backdoor was discovered by a research team on the compromised systems of a government organization based in the United Arab Emirates.
The PowerExchange Malware Exploits the Victim’s Exchange Server
The PowerExchange malware establishes communication with the Command-and-Control (C2) server of the attack operation. It leverages emails sent through the Exchange Web Services (EWS) API, using text attachments within these emails to send collected information and to receive base64-encoded commands. To avoid attracting additional scrutiny from the victim, these emails carry the subject line 'Update Microsoft Edge.'
The utilization of the victim's Exchange server as the C2 channel is a deliberate strategy employed by the threat actors. This approach allows the backdoor to blend in with legitimate traffic, making it exceedingly difficult for network-based detection and remediation mechanisms to identify and mitigate the threat. By camouflaging its activities within the organization's infrastructure, the threat actors can effectively avoid detection and maintain a covert presence.
The PowerExchange backdoor provides the operators with extensive control over the compromised servers. It enables them to execute various commands, including the delivery of additional threatening payloads onto the compromised servers and the exfiltration of harvested files. This versatility empowers the threat actors to extend their reach and carry out further harmful activities within the compromised environment.
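The C2 pattern described above (a fixed lure subject plus text attachments whose whole body is a base64 string) is something a defender can hunt for in mailbox content. The following is an added Python example written for this page; it is not code from the original report or from the researchers' tooling. It models mailbox items with hypothetical field names rather than the real EWS schema, and the encoded "command" in the constructed sample is a harmless placeholder string.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Minimal model of mailbox items as a hunting script might receive them from
# an EWS query. The field names are hypothetical, not the EWS schema.
@dataclass
class Attachment:
    name: str
    content_type: str
    body: bytes

@dataclass
class MailItem:
    item_id: str
    subject: str
    sender: str
    attachments: List[Attachment] = field(default_factory=list)

# Subject line reported for the C2 traffic, matched case-insensitively.
SUSPECT_SUBJECT = re.compile(r"^\s*update microsoft edge\s*\.?$", re.IGNORECASE)
# An attachment body made entirely of base64 alphabet characters (line breaks allowed).
B64_BLOB = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")


def decode_if_base64(data: bytes) -> Optional[str]:
    """Return the decoded text when `data` is a base64 blob that decodes to
    readable text; return None for ordinary prose or binary content."""
    stripped = data.strip()
    if len(stripped) < 8 or not B64_BLOB.match(stripped):
        return None
    try:
        text = base64.b64decode(stripped).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad padding or non-UTF-8 bytes
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def triage_c2_candidates(items: List[MailItem]) -> List[dict]:
    """Flag mail items that match the reported pattern: the lure subject
    plus a text attachment whose whole body is a base64-encoded string."""
    findings = []
    for item in items:
        if not SUSPECT_SUBJECT.match(item.subject):
            continue
        for att in item.attachments:
            if not att.content_type.lower().startswith("text/"):
                continue
            decoded = decode_if_base64(att.body)
            if decoded is None:
                continue
            findings.append({
                "item_id": item.item_id,
                "sender": item.sender,
                "attachment": att.name,
                "decoded_preview": decoded[:80],
            })
    return findings


def sample_items() -> List[MailItem]:
    """Constructed sample mailbox content. The encoded text is a harmless
    placeholder, not a real PowerExchange command."""
    encoded = base64.b64encode(b"Get-Date").decode()
    return [
        # Matches both conditions: lure subject and a base64-only text attachment.
        MailItem("A1", "Update Microsoft Edge", "ops@example.test",
                 [Attachment("update.txt", "text/plain", encoded.encode())]),
        # Same subject, but the attachment is plain prose: not flagged.
        MailItem("A2", "Update Microsoft Edge", "it-news@example.test",
                 [Attachment("notice.txt", "text/plain",
                             b"Please update your browser before Friday.")]),
        # Base64 attachment under an unrelated subject: not flagged.
        MailItem("A3", "Quarterly report", "finance@example.test",
                 [Attachment("report.txt", "text/plain", encoded.encode())]),
    ]


if __name__ == "__main__":
    for finding in triage_c2_candidates(sample_items()):
        print(finding)
```

The subject match is only a first filter; the base64 check on the attachment body is what separates the C2 traffic from a legitimate IT notice that happens to use the same subject, so keep both conditions when adapting the logic to a real mailbox search.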
Additional Threatening Implants are Deployed as Part of the PowerExchange Backdoor Attacks
Additional compromised endpoints containing various other malicious implants have also been identified. Notably, one of the discovered implants was the ExchangeLeech Web shell, which had been disguised as a file named System.Web.ServiceAuthentication.dll, adopting the naming conventions typically associated with legitimate IIS files.
ExchangeLeech operates by actively gathering sensitive information, specifically targeting the usernames and passwords of individuals who log into the compromised Exchange servers using basic authentication. This is achieved through the Web shell's ability to monitor clear text HTTP traffic and capture credentials from Web form data or HTTP headers.
To further exploit the compromised servers, the attackers can instruct the Web shell to transmit the collected credential logs via cookie parameters. This allows them to covertly exfiltrate the captured credentials without arousing suspicion.
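Because the exfiltration path described above rides on cookie parameters, the IIS request logs of the Exchange server are one place a defender can look for it. The following is an added Python example written for this page, not code from the original report or the researchers. It assumes the IIS site logs in W3C format with the optional cs(Cookie) field enabled, uses an assumed baseline of normal Exchange cookie names, and its sample log lines (including the request path to the disguised .dll) are constructed; the flagged cookie value is base64 of a placeholder string.

```python
import base64
import re
from collections import Counter
from typing import Dict, Iterable, List

# Cookie names the Exchange front end normally sets. This is an assumed
# baseline for the example; build the real one from your own logs.
KNOWN_COOKIE_NAMES = {"ASP.NET_SessionId", "X-OWA-CANARY", "cadata", "OutlookSession"}
# Minimum length of a cookie value before it is treated as a possible data blob (assumed threshold).
MIN_BLOB_LEN = 64
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per request from IIS W3C-format lines, using the
    '#Fields:' header to name the columns; other '#' lines are skipped."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def blob_cookies(record: Dict[str, str]) -> List[tuple]:
    """Return (name, value) pairs from cs(Cookie) whose name is outside the
    baseline and whose value is a long base64-looking string."""
    raw = record.get("cs(Cookie)", "-")
    if raw == "-":
        return []
    hits = []
    for pair in raw.split(";"):
        # IIS writes spaces as '+', so pairs after the first start with '+'.
        name, sep, value = pair.lstrip("+").partition("=")
        if (sep and name not in KNOWN_COOKIE_NAMES
                and len(value) >= MIN_BLOB_LEN and B64_VALUE.match(value)):
            hits.append((name, value))
    return hits


def hunt_cookie_exfil(lines: Iterable[str]) -> List[dict]:
    """Scan log lines and report each request carrying a suspicious cookie blob."""
    findings = []
    for rec in parse_w3c(lines):
        for name, value in blob_cookies(rec):
            findings.append({
                "c-ip": rec.get("c-ip", "-"),
                "uri": rec.get("cs-uri-stem", "-"),
                "cookie": name,
                "value_len": len(value),
            })
    return findings


def requests_per_source(findings: List[dict]) -> Counter:
    """Count flagged requests per (client IP, URI) to surface repeated use of one endpoint."""
    return Counter((f["c-ip"], f["uri"]) for f in findings)


def sample_log() -> List[str]:
    """Constructed IIS log lines. The blob is base64 of a placeholder string
    and the .dll request path is made up for the sample."""
    blob = base64.b64encode(b"constructed placeholder, not a real credential log " * 2).decode()
    return [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status",
        "2023-05-01 10:00:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 ASP.NET_SessionId=abc123 - 200",
        "2023-05-01 10:00:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 ASP.NET_SessionId=abc123;+X-OWA-CANARY=dGhpcy1pcy1hLWxlZ2l0aW1hdGUtY2FuYXJ5LXZhbHVlLTEyMw== - 302",
        f"2023-05-01 10:01:15 10.0.0.5 GET /ecp/System.Web.ServiceAuthentication.dll - 443 - 203.0.113.9 Mozilla/5.0 z=abc;+data={blob} - 200",
        f"2023-05-01 10:06:15 10.0.0.5 GET /ecp/System.Web.ServiceAuthentication.dll - 443 - 203.0.113.9 Mozilla/5.0 data={blob} - 200",
        "2023-05-01 10:07:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 - - 200",
    ]


if __name__ == "__main__":
    hits = hunt_cookie_exfil(sample_log())
    for hit in hits:
        print(hit)
    print(requests_per_source(hits))
```

The per-source count matters as much as the individual hits: a single long cookie can be a legitimate token, but the same unknown cookie name repeatedly sent to one .dll path from one client is the shape of the exfiltration the article describes. Since the Web shell only harvests credentials presented with basic authentication, disabling basic authentication on the Exchange endpoints removes the data it is built to collect.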
The PowerExchange Attacks are Attributed to the APT34 Hacker Group
The PowerExchange attacks have been attributed to the Iranian state-sponsored hacking group known as APT34 or Oilrig. The researchers made this connection by identifying striking similarities between the PowerExchange malware and the TriFive malware previously utilized by APT34 to establish backdoors within Kuwaiti government organizations' servers.
Both PowerExchange and TriFive exhibit notable resemblances. They are both based on PowerShell, activated through scheduled tasks, and exploit the organization's Exchange server using the EWS API as the C2 channel. Although the code of these backdoors is clearly different, the researchers speculate that PowerExchange represents an evolved and improved iteration of the TriFive malware.
Furthermore, it is worth mentioning that APT34 consistently employs phishing emails as the initial infection vector in their attack operations. By enticing victims to interact with unsafe content or click on corrupted links within these emails, APT34 gains a foothold in the targeted environment, enabling them to proceed with their threatening activities. The fact that APT34 has previously breached other entities in the United Arab Emirates adds to the evidence linking them to these attacks.