
Exchange Servers Targeted by ‘Epsilon Red’ Malware
2021-06-03 12:47

Threat actors have deployed a new ransomware strain delivered by a set of PowerShell scripts built to prepare machines for encryption, after exploiting flaws in unpatched Exchange servers to gain entry to the corporate network, according to recent research.

Researchers from security firm Sophos detected the new ransomware, called Epsilon Red, in an investigation of an attack on a U.S.-based company in the hospitality sector, Sophos Principal Researcher Andrew Brandt wrote in a report published online.

While the malware itself is a "bare-bones" 64-bit Windows executable written in the Go programming language, its delivery system is a bit more sophisticated, relying on a series of PowerShell scripts that "prepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it," he wrote.

The initial point of entry for the attack was an unpatched enterprise Microsoft Exchange server, from which the attackers used Windows Management Instrumentation (WMI), a scripting tool for automating actions in the Windows ecosystem that is primarily used on servers, to install other software onto machines inside the network that they could reach from the Exchange server.

During the attack, threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1, as well as some that were named with a single letter from the alphabet, to prepare the attacked machines for the final ransomware payload. The scripts also delivered and initiated the Epsilon Red payload, he wrote.
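A defender-side check for the chain described above (WMI launching PowerShell with numbered or single-letter .ps1 scripts), added here as an illustration and not taken from the Sophos report; the log format, host names and paths are constructed.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1), pipe-delimited
# key=value fields. These are illustrative, not log lines from the Sophos report.
SAMPLE_LOGS = [
    r"host=EXCH01|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\1.ps1",
    r"host=FS02|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Users\Public\c.ps1",
    r"host=WS17|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\Backup-Logs.ps1",
    r"host=FS02|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c ipconfig",
]

# Script names matching the naming pattern from the report: 1.ps1 .. 12.ps1 or a
# single letter such as a.ps1. Anchored on a path separator (or line start) so
# that 11.ps1 is caught but Backup-Logs.ps1 is not.
SCRIPT_RE = re.compile(r"(?:^|[\\/])(\d{1,2}|[a-z])\.ps1\b", re.IGNORECASE)

def parse_event(line):
    """Split one pipe-delimited record into a dict; values may contain spaces."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def suspicious_script(cmdline):
    """Return the matched script file name (e.g. '1.ps1'), or None."""
    m = SCRIPT_RE.search(cmdline)
    return m.group(0).lstrip("\\/") if m else None

def is_wmi_spawned_powershell(ev):
    """True when PowerShell was started by the WMI provider host (WmiPrvSE.exe)."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    return parent.endswith("\\wmiprvse.exe") and image.endswith("\\powershell.exe")

def detect(lines):
    """Return (host, script) for each launch that shows both signals together."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_wmi_spawned_powershell(ev):
            continue
        script = suspicious_script(ev.get("CommandLine", ""))
        if script:
            hits.append((ev["host"], script))
    return hits

if __name__ == "__main__":
    for host, script in detect(SAMPLE_LOGS):
        print(f"{host}: WMI-spawned PowerShell running {script}")
```

Either signal alone is noisy (WMI-launched PowerShell is common in managed fleets); requiring both, and baselining against known administration scripts, keeps the alert actionable.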

Because the point of entry was an unpatched Microsoft Exchange Server vulnerable to ProxyLogon, Sophos recommends that administrators update all servers to the patched version as soon as possible to reduce the risk of such an attack.

News URL

https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/