Security News > 2023 > May > New PowerExchange malware backdoors Microsoft Exchange servers
A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers.
Notably, the malware communicates with its command-and-control server via emails sent using the Exchange Web Services API, sending stolen info and receiving base64-encoded commands through text attachments to emails with the "Update Microsoft Edge" subject.
"Using the victim's Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization's infrastructure," the FortiGuard Labs Threat Research team said.
The backdoor enables its operators to execute commands to deliver additional malicious payloads on the hacked servers and to exfiltrate harvested files.
FortiGuard Labs linked these attacks to the Iranian state-backed hacking group APT34 based on similarities between PowerExchange and the TriFive malware they used to backdoor the servers of Kuweiti government organizations.
"Both backdoors share striking commonalities: they are written in PowerShell, activated by a periodic scheduled task, and the C2 channel leverages the organization's Exchange server with EWS API. And while their code is much different, we speculate that PowerExchange is a new and improved form of TriFive," the researchers said.
News URL
Related news
- Microsoft confirms Windows Server 2025 blue screen, install issues (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools (source)
- Microsoft Exchange adds warning to emails abusing spoofing flaw (source)
- Microsoft fixes bugs causing Windows Server 2025 blue screens, install issues (source)
- Microsoft pulls Exchange security updates over mail delivery issues (source)
- Microsoft 365 outage impacts Exchange Online, Teams, Sharepoint (source)
- Salt Typhoon hackers backdoor telcos with new GhostSpider malware (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Microsoft re-releases Exchange updates after fixing mail delivery (source)