ProxyShellMiner Exploits Microsoft Exchange Vulnerabilities

February 16, 2023

A new malware dubbed 'ProxyShellMiner' is exploiting the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners throughout a Windows domain. The vulnerabilities, tracked as CVE-2021-34473 and CVE-2021-34523, allow unauthenticated, remote code execution, giving attackers complete control of the Exchange server and access to other parts of the organization's network.

The malware drops a .NET payload into the NETLOGON folder of the domain controller to ensure that all devices on the network run the malware. According to Morphisec, "ProxyShellMiner uses an embedded dictionary, an XOR decryption algorithm, and an XOR key downloaded from a remote server, then it uses a C# compiler CSC.exe with 'InMemory' compile parameters to execute the next embedded code modules." The malware then downloads a file named "DC_DLL" and performs .NET reflection to extract arguments for the task scheduler, XML, and the XMRig key.

Morphisec warns that the impact of the malware goes beyond causing service outages, degrading server performance, and overheating computers. "Once the attackers have gained a foothold in the network, they can do anything from backdoor deployment to code execution," said Morphisec. To address the risk of ProxyShellMiner infections, Morphisec advises admins to apply available security updates and use comprehensive and multi-faceted threat detection and defense strategies.
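Defender-side triage for the execution chain described above, written as an added example rather than code from Morphisec or the article: it scores constructed Sysmon-style process-creation events against three behaviours the article names (an executable launched from the domain's NETLOGON/SYSVOL scripts share, csc.exe started by a parent that is not a normal build tool, and a process that references XMRig). The share-path pattern, the csc.exe parent allow-list and the sample events are assumptions, not indicators from the report.

```python
"""Triage heuristics for the ProxyShellMiner execution chain.

Each event is a reduced Sysmon Event ID 1 record (Image, ParentImage,
CommandLine). Sample events below are constructed, not real telemetry.
"""
import re

# UNC path to NETLOGON / SYSVOL\<domain>\scripts, or the DC-local SYSVOL copy (assumed pattern)
NETLOGON_RE = re.compile(
    r"(?:\\\\[^\\]+|[a-z]:\\windows\\sysvol)\\(?:netlogon|sysvol\\[^\\]+\\scripts)\\", re.I)
# Parents that legitimately spawn the C# compiler (assumed allow-list; tune per environment)
CSC_PARENT_ALLOW = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
XMRIG_RE = re.compile(r"xmrig", re.I)


def basename(path):
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the list of rules this event matched (empty list means benign)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    reasons = []
    if NETLOGON_RE.search(image):
        reasons.append("executable launched from NETLOGON/SYSVOL share")
    if basename(image) == "csc.exe" and basename(parent) not in CSC_PARENT_ALLOW:
        reasons.append(f"csc.exe spawned by unexpected parent {basename(parent)}")
    if XMRIG_RE.search(image) or XMRIG_RE.search(cmd):
        reasons.append("xmrig referenced in image or command line")
    return reasons


# Constructed sample events covering a hit for each rule plus one benign compile
SAMPLE_EVENTS = [
    {"Image": r"\\dc01.corp.example\NETLOGON\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "update.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "CommandLine": "csc.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe", "CommandLine": "csc.exe"},
    {"Image": r"C:\ProgramData\svc\xmrig.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "xmrig.exe"},
]


def run_triage(events):
    """Map event index -> matched rules, for events that triggered at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}
```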
