
New Crypto-Mining Attack Exploits Microsoft Exchange ProxyShell Vulnerabilities

A new strain of malware, dubbed ‘ProxyShellMiner’, exploits the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners across a Windows domain for the attackers’ financial gain.

The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), disclosed and patched by Microsoft in 2021, are three distinct flaws that can be chained for unauthenticated remote code execution, giving attackers full control of the Exchange server and a base from which to pivot to the rest of the network.

Morphisec has observed attacks that exploit the CVE-2021-34473 and CVE-2021-34523 ProxyShell flaws to gain an initial foothold in the targeted organization’s network. Once inside, the attackers drop a .NET malware payload into the NETLOGON share on the domain controller; because that share is reachable from every domain-joined machine, the payload can be run on every device in the domain.

A command-line parameter is required to activate the malware; the same value doubles as the password for the XMRig miner component, so the payload does nothing if launched without it. Both the initial access and the mining activity pose a significant threat to affected organizations.

ProxyShellMiner uses several techniques to obfuscate its activity: an embedded dictionary, an XOR decryption routine, and an XOR key downloaded from a remote server.

It also invokes the C# compiler, csc.exe, with the “InMemory” compile parameter, so that its embedded code modules are compiled and executed in memory rather than being written to disk as assemblies.

In the next stage the malware retrieves a file named “DC_DLL” and uses .NET reflection to extract the arguments for the task scheduler XML and the XMRig key; this DLL is also needed to decrypt further files. A second downloader then establishes persistence on the compromised system by creating a scheduled task that runs at user logon. Finally, the second loader is fetched from a remote server together with four other files.

These files decide which browser installed on the compromised host will be used, then inject the miner into that browser’s memory space using process hollowing. The miner picks a mining pool at random from a hardcoded list and begins mining.

The final step in the attack chain is to create a Windows Firewall rule that blocks all outbound traffic, applied to every Windows Firewall profile. The aim is to reduce the chance of detection and of alerts reaching security staff about the compromise of the breached system.

To evade security tools that monitor process runtime behavior, the malware waits at least 30 seconds after hollowing the browser before creating the firewall rule. The miner can continue to communicate with its mining pool through an unmonitored backdoor.
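The three post-exploitation artefacts described above (a payload dropped in NETLOGON, a logon-triggered scheduled task, and an outbound block-all firewall rule on every profile) are all visible from the host with built-in PowerShell cmdlets. The following hunting script is an added example written for this page; it is not Morphisec’s code and not the malware’s. It assumes it is run elevated on a domain-joined Windows host where $env:USERDNSDOMAIN resolves the NETLOGON share, and that the NetSecurity and ScheduledTasks modules are present (Windows 8 / Server 2012 and later). The 30-day window, the list of “trusted” binary roots and the browser CPU threshold are arbitrary tuning values, not indicators from the report.

```powershell
# Added hunting script (not Morphisec's or the malware's code). Checks a Windows host for
# the post-exploitation artefacts described above:
#   1. unexpected executables recently dropped in the domain's NETLOGON share
#   2. scheduled tasks that fire at logon and run a binary from an unusual location
#   3. Windows Firewall rules (or profile defaults) that block ALL outbound traffic
#   4. (heuristic) windowless browser processes burning CPU, a possible hollowed host
# Assumptions: run elevated on a domain-joined host; NetSecurity + ScheduledTasks modules present.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# --- 1. NETLOGON drop --------------------------------------------------------------
$netlogon   = "\\$env:USERDNSDOMAIN\NETLOGON"
$suspectExt = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js'
if (Test-Path $netlogon) {
    Get-ChildItem -Path $netlogon -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension.ToLower() -in $suspectExt -and
                       $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |   # tuning value
        ForEach-Object { Add-Finding 'NETLOGON' ("{0} (modified {1})" -f $_.FullName, $_.LastWriteTime) }
}

# --- 2. Logon-triggered scheduled tasks --------------------------------------------
$trustedRoots = "$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\"   # assumption
$userPaths    = 'NETLOGON', 'SYSVOL', 'ProgramData', 'AppData', 'Temp', 'Public'
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $logonTrig = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logonTrig) { return }
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; expand %windir% style variables first.
        $exe  = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        $args = "$($action.Arguments)"
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        # Flag an untrusted binary, or a trusted one (cmd/powershell/csc) pointed at user-writable paths.
        $argsSuspicious = ($userPaths | Where-Object { $args -match $_ }).Count -gt 0
        if (-not $trusted -or $argsSuspicious) {
            Add-Finding 'LogonTask' ("{0}{1} -> {2} {3}" -f $task.TaskPath, $task.TaskName, $exe, $args)
        }
    }
}

# --- 3. Block-all-outbound firewall rules ------------------------------------------
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        # 'Any' on every filter means the rule is unscoped; Profile 'Any' means all three profiles.
        if ($rule.Profile -eq 'Any' -and $app.Program -eq 'Any' -and
            $port.RemotePort -eq 'Any' -and $addr.RemoteAddress -eq 'Any') {
            Add-Finding 'Firewall' ("rule '{0}' [{1}] blocks all outbound traffic on all profiles" -f $rule.DisplayName, $rule.Name)
        }
    }
# The same effect can be reached by flipping a profile's default action instead of adding a rule.
Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -eq 'Block' } |
    ForEach-Object { Add-Finding 'Firewall' ("profile '{0}' default outbound action is Block" -f $_.Name) }

# --- 4. Hollowed browser heuristic (noisy: browsers spawn windowless helpers) -------
Get-Process chrome, msedge, firefox, iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 -and $_.CPU -gt 60 } |            # tuning value
    ForEach-Object { Add-Finding 'Browser' ("{0} (PID {1}) windowless with {2:N0}s CPU" -f $_.ProcessName, $_.Id, $_.CPU) }

# --- Report ------------------------------------------------------------------------
if ($findings.Count -eq 0) { Write-Host 'No ProxyShellMiner-style artefacts found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Each line the script prints is a lead, not a verdict: a block-all outbound rule or a logon task that launches csc.exe against a NETLOGON path is unusual enough to investigate immediately, while the windowless-browser check will regularly flag legitimate renderer processes and is only useful in combination with the other three. Run it on the domain controller first, since that is where the NETLOGON drop lives, then on the Exchange server and on a sample of workstations.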

Morphisec cautions that the impact extends beyond service disruption, degraded performance and overheating hardware: once attackers have a foothold in the network they can carry out many other malicious actions, from installing backdoors to executing arbitrary code. To counter ProxyShellMiner infections, Morphisec strongly recommends that all administrators apply the available security updates and deploy multi-layered threat detection and defense.


