Security News > 2020 > November > Microsoft Exchange Attack Exposes New xHunt Backdoors

Two never-before-seen Powershell backdoors have been uncovered, after researchers recently discovered an attack on Microsoft Exchange servers at an organization in Kuwait.
The attack used two newly discovered backdoors: One that researchers called "TriFive," and the other, a variant of a previously discovered PowerShell-based backdoor, which they called "Snugy."
"Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account," said researchers with Palo Alto's Unit 42 team, Monday.
The first backdoor, TriFive, provides backdoor access to the Exchange server by logging into a legitimate user's inbox and obtaining a PowerShell script from an email draft within the deleted emails folder, according to researchers.
On the backdoor's end, the PowerShell script then logs into a legitimate email account on the compromised Exchange server and checks the "Deleted Items" folder for emails with a subject of "555." The script would execute the command found in the email via PowerShell.
News URL
https://threatpost.com/microsoft-exchange-attack-xhunt-backdoors/161041/
Related news
- CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
- Botnet targets Basic Auth in Microsoft 365 password spray attacks (source)
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint (source)
- New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors (source)