
Microsoft Exchange Attack Exposes New xHunt Backdoors
2020-11-09 15:53

Two never-before-seen PowerShell backdoors have been uncovered after researchers discovered an attack on Microsoft Exchange servers at an organization in Kuwait.

The attack used two newly discovered backdoors: one that researchers called "TriFive," and the other a variant of a previously discovered PowerShell-based backdoor, which they called "Snugy."

"Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account," said researchers with Palo Alto's Unit 42 team, Monday.

The first backdoor, TriFive, provides backdoor access to the Exchange server by logging into a legitimate user's inbox and obtaining a PowerShell script from an email draft within the deleted emails folder, according to researchers.

On the backdoor's end, the PowerShell script logs into a legitimate email account on the compromised Exchange server and checks the "Deleted Items" folder for emails with the subject "555." Any command found in such an email is then executed via PowerShell.
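The mailbox-as-C2 channel described above leaves a concrete artifact a defender can hunt for: draft messages sitting in the Deleted Items folder with the subject "555" and a body that looks like PowerShell. The script below is an added example written for this page, not code from Unit 42 or Threatpost. It models the mailbox as a list of constructed items (folder, draft flag, raw RFC 822 text) so that it runs offline with only the standard library; in a real hunt the items would come from a mailbox export or an EWS/Graph query, and the draft flag from the item state in the store. The PowerShell marker list and the severity scheme are the author's own assumptions, and nothing here executes message contents.

```python
"""Hunt for TriFive-style mailbox C2 artifacts (added example, not from the article)."""
import email
from email.policy import default

# Indicators taken from the article: drafts in Deleted Items with subject "555".
SUSPECT_SUBJECT = "555"
SUSPECT_FOLDER = "Deleted Items"

# Assumed PowerShell-flavoured tokens; any hit in the body raises the severity.
PS_MARKERS = (
    "powershell", "invoke-expression", "iex ", "iex(",
    "-encodedcommand", "frombase64string", "$env:",
)

# Constructed sample mailbox. Bodies are harmless placeholders.
CONSTRUCTED_MAILBOX = [
    {"id": 1, "folder": "Inbox", "is_draft": False,
     "raw": "From: alice@example.test\nSubject: Quarterly report\n\nSee attached.\n"},
    {"id": 2, "folder": "Deleted Items", "is_draft": True,
     "raw": "Subject: 555\n\niex 'Get-Date'\n"},           # draft + PowerShell-looking body
    {"id": 3, "folder": "Deleted Items", "is_draft": True,
     "raw": "Subject: 555\n\nlunch tomorrow?\n"},           # draft, plain text body
    {"id": 4, "folder": "Drafts", "is_draft": True,
     "raw": "Subject: 555\n\niex 'Get-Date'\n"},           # wrong folder for this channel
    {"id": 5, "folder": "Deleted Items", "is_draft": False,
     "raw": "Subject: 555\n\nre: ticket 555\n"},           # delivered mail, not a draft
]


def classify_item(folder, is_draft, raw_message):
    """Return (severity, reason) for one mailbox item, or None if it does not match."""
    msg = email.message_from_string(raw_message, policy=default)
    subject = (msg["Subject"] or "").strip()
    if folder != SUSPECT_FOLDER or subject != SUSPECT_SUBJECT:
        return None
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [m for m in PS_MARKERS if m in text]
    if is_draft and hits:
        return ("high", f"draft in {folder!r} with subject {subject!r}; markers: {hits}")
    if is_draft:
        return ("medium", f"draft in {folder!r} with subject {subject!r}; no PowerShell markers")
    return ("low", f"non-draft item in {folder!r} with subject {subject!r}")


def hunt(mailbox):
    """Run classify_item over every item and return the findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for item in mailbox:
        result = classify_item(item["folder"], item["is_draft"], item["raw"])
        if result is not None:
            findings.append({"id": item["id"], "severity": result[0], "reason": result[1]})
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in hunt(CONSTRUCTED_MAILBOX):
        print(f"[{finding['severity'].upper()}] item {finding['id']}: {finding['reason']}")
```

The folder check matters: a "555" draft in the ordinary Drafts folder is not the channel the article describes, so it is not reported. A delivered message with that subject in Deleted Items is kept at low severity because the article ties the channel specifically to drafts, and a real hunt would want to see it without treating it as a hit.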


News URL

https://threatpost.com/microsoft-exchange-attack-xhunt-backdoors/161041/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5128 264 7775