ProxyShellMiner Exploits Microsoft Exchange Vulnerabilities
February 16, 2023
A new malware strain dubbed 'ProxyShellMiner' is exploiting the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners across a Windows domain. The vulnerabilities, tracked as CVE-2021-34473 and CVE-2021-34523, can be chained for unauthenticated remote code execution, giving attackers complete control of the Exchange server and a foothold from which to reach the rest of the organization's network.
The malware drops a .NET payload into the NETLOGON share of the domain controller; because that share holds logon scripts and is readable by every domain-joined machine, this lets the malware spread to devices across the network. According to Morphisec, "ProxyShellMiner uses an embedded dictionary, an XOR decryption algorithm, and an XOR key downloaded from a remote server, then it uses a C# compiler CSC.exe with 'InMemory' compile parameters to execute the next embedded code modules." The malware then downloads a file named "DC_DLL" and uses .NET reflection to extract from it the scheduled-task arguments, the task XML, and the XMRig key.
Morphisec warns that the impact of the malware goes beyond service outages, degraded server performance, and overheating hardware. "Once the attackers have gained a foothold in the network, they can do anything from backdoor deployment to code execution," said Morphisec. To reduce the risk of ProxyShellMiner infections, Morphisec advises administrators to apply the available Exchange security updates and to use comprehensive, multi-layered threat detection and defense strategies.
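The behaviours described above (a compiler launched from a staged payload, binaries served from the domain controller's NETLOGON share, a miner running with XMRig-style arguments, and shells spawned by the Exchange IIS worker after ProxyShell exploitation) each leave a trace in process-creation telemetry. The following detection heuristics are an added example written for this page, not code from Morphisec or from the article; the allowlists, thresholds, hostnames, paths and wallet string are assumptions and constructed sample data, and the record layout only loosely mirrors a Sysmon process-creation event.

```python
"""Process-creation heuristics for ProxyShellMiner-style activity (added example, not from the Morphisec report)."""
import re
from dataclasses import dataclass

# Parents that legitimately launch the C# compiler. Assumption: tune this for your estate.
CSC_BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# Exchange serves its web endpoints inside the IIS worker process; it should never spawn a shell or compiler.
WEBSHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "csc.exe"}

# Command-line switches XMRig accepts. Two or more on one line is a strong miner signal; one alone is too generic.
XMRIG_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass", "-k", "--keepalive",
               "--donate-level", "--coin", "-a", "--algo"}

# UNC path to the NETLOGON or SYSVOL share of any host.
DC_SHARE_RE = re.compile(r"\\\\[^\\]+\\(netlogon|sysvol)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal Sysmon-Event-ID-1-like record (constructed field set, not a real log schema)."""
    image: str
    command_line: str
    parent_image: str
    user: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcessEvent) -> list[str]:
    """Return the heuristics the event trips (empty list means nothing suspicious)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)

    # 1. Exchange IIS worker spawning a shell/compiler: webshell behaviour after ProxyShell exploitation.
    if parent == "w3wp.exe" and img in WEBSHELL_CHILDREN:
        hits.append(f"w3wp.exe spawned {img}")

    # 2. csc.exe launched by something other than a build tool: in-memory compilation of a staged payload.
    if img == "csc.exe" and parent not in CSC_BENIGN_PARENTS:
        hits.append(f"csc.exe spawned by {parent}")

    # 3. Anything executed from, or referencing, the domain controller's NETLOGON/SYSVOL share.
    if DC_SHARE_RE.search(ev.image) or DC_SHARE_RE.search(ev.command_line):
        hits.append("executable or argument on NETLOGON/SYSVOL share")

    # 4. Miner-style command line: count distinct XMRig switches (strip "=value" forms first).
    switches = {tok.split("=", 1)[0].lower() for tok in ev.command_line.split() if tok.startswith("-")}
    if len(switches & XMRIG_FLAGS) >= 2:
        hits.append("XMRig-style mining arguments")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Run check_event over a batch; return (index, hits) for every event that trips at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]


# Constructed sample events: hostnames, paths and the wallet string are invented for the demo.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\dotnet\sdk\7.0\Roslyn\csc.exe", "csc.exe @build.rsp",
                 r"C:\Program Files\dotnet\dotnet.exe", "CORP\\dev01"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"C:\Windows\System32\inetsrv\w3wp.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "csc.exe /noconfig /nologo /optimize+ stage.cs",
                 r"C:\Users\Public\stage.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(r"\\dc01\NETLOGON\svc.exe",
                 r"\\dc01\NETLOGON\svc.exe -o pool.invalid:3333 -u 4ABCDEFWALLET --donate-level=0 -k",
                 r"C:\Windows\System32\svchost.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx].image), "->", "; ".join(hits))
```

Run stand-alone it reports events 1, 2 and 3 and stays silent on the legitimate dotnet build in event 0. In a real deployment the rules would be fed from Sysmon or EDR process-creation events rather than the constructed list, and rule 1 in particular belongs on every Exchange server: a shell or compiler with w3wp.exe as its parent is the earliest observable sign that ProxyShell has been used, well before any miner starts.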