
Two never-before-seen PowerShell backdoors have been uncovered after researchers discovered an attack on Microsoft Exchange servers at an organization in Kuwait.
The attack used two newly discovered backdoors: one that researchers call "TriFive," and another that is a variant of a previously discovered PowerShell-based backdoor, which they call "Snugy."
"Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account," said researchers with Palo Alto's Unit 42 team, Monday.
The first backdoor, TriFive, provides backdoor access to the Exchange server by logging into a legitimate user's mailbox and retrieving a PowerShell script from an email draft stored in the Deleted Items folder, according to researchers.
Once running, the PowerShell script logs into a legitimate email account on the compromised Exchange server and checks the "Deleted Items" folder for emails with a subject of "555." The script then executes the command found in that email via PowerShell.
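The mailbox-based channel described above leaves artifacts a defender can hunt for: draft items sitting in a Deleted Items folder, the fixed subject marker "555," and message bodies that look like PowerShell rather than mail. The following is an added example of such a hunt; it is not code from the Threatpost article or from Unit 42's report. It assumes mailbox items have already been exported (for instance from an EWS or Graph query) into simple dict records with `folder`, `is_draft`, `subject` and `body` fields, which is a constructed schema, and the PowerShell-detection regex is a heuristic of my own, not an indicator from the report.

```python
"""Hunt a mailbox export for TriFive-style draft-based C2 artifacts.

Added example (not from the article or Unit 42). Record schema and sample
records below are constructed; the cmdlet regex is a simple heuristic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Subject marker the article attributes to the TriFive channel.
SUSPICIOUS_SUBJECT = "555"

# Heuristic (assumption): Verb-Noun cmdlet names or the common 'iex' alias
# appearing in a mail body are a strong hint that the body is a script.
PS_PATTERN = re.compile(
    r"\b(Get|Set|Invoke|Start|New|Out|Add|Remove)-[A-Za-z]+\b|\biex\b",
    re.IGNORECASE,
)

# Constructed sample records standing in for a mailbox export.
SAMPLE_ITEMS: List[Dict] = [
    {"folder": "Inbox", "is_draft": False,
     "subject": "Quarterly report", "body": "Please see attached."},
    {"folder": "Deleted Items", "is_draft": True,
     "subject": "555", "body": "Get-Process | Out-File C:\\Users\\Public\\p.txt"},
    {"folder": "Deleted Items", "is_draft": False,
     "subject": "555", "body": "Re: invoice 555 follow-up"},
    {"folder": "Deleted Items", "is_draft": True,
     "subject": "Draft notes", "body": "ideas for the meeting"},
    {"folder": "Drafts", "is_draft": True,
     "subject": "555", "body": "Invoke-WebRequest http://example.invalid/x"},
]


@dataclass
class Finding:
    index: int                      # position of the item in the export
    reasons: List[str] = field(default_factory=list)


def score_item(item: Dict) -> List[str]:
    """Return the list of reasons an item resembles the described channel."""
    reasons = []
    # A draft that lives in Deleted Items is unusual for a human user;
    # a draft is never "sent", so it leaves no transport log entry.
    if item["folder"].strip().lower() == "deleted items" and item["is_draft"]:
        reasons.append("draft item in Deleted Items")
    if item["subject"].strip() == SUSPICIOUS_SUBJECT:
        reasons.append("subject matches C2 marker '555'")
    if PS_PATTERN.search(item["body"]):
        reasons.append("body contains PowerShell-like content")
    return reasons


def hunt(items: List[Dict], min_reasons: int = 2) -> List[Finding]:
    """Flag items that accumulate at least `min_reasons` indicators.

    Requiring two independent signals keeps a legitimate mail that merely
    mentions '555' from being reported on its own.
    """
    findings = []
    for i, item in enumerate(items):
        reasons = score_item(item)
        if len(reasons) >= min_reasons:
            findings.append(Finding(i, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_ITEMS):
        print(f"item {f.index}: " + "; ".join(f.reasons))
```

With the default threshold the constructed data yields two findings: the draft in Deleted Items that carries both the marker subject and a cmdlet pipeline, and the item in Drafts whose subject and body match even though it sits in the wrong folder. Raising `min_reasons` to 3 narrows the result to the single item that matches every trait the article describes, which is the trade-off between coverage and noise a hunter tunes against their own mailbox population.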
News URL
https://threatpost.com/microsoft-exchange-attack-xhunt-backdoors/161041/