The attackers are looking to take advantage of the ProxyLogon Exchange vulnerabilities: Sophos

Following the disclosure of the recent Microsoft Exchange vulnerabilities and the release of security patches on March 2 and March 9, a growing number of adversaries are exploiting these bugs to launch attacks. Sophos has previously reported on attacks by DearCry and Black Kingdom ransomware, and has now analyzed a crypto-mining campaign that began hitting vulnerable servers within hours of the disclosure.
The operators behind the attack named the new variant “QuickCPU,” possibly to confuse targets into thinking it is the (completely unrelated) legitimate, open-source CPU optimization tool Quick CPU.
The key findings are summarized in the following commentary from Andrew Brandt, principal threat researcher at Sophos. If you are writing a story about crypto-miners or other attacks related to ProxyLogon, please feel free to use Andrew’s comments. We can also arrange an interview with Andrew and other threat experts, as needed.
“While some of the attacks looking to take advantage of the ProxyLogon Exchange vulnerabilities took a week or so to emerge, the same cannot be said for crypto-miners. They were hitting vulnerable servers with their payloads within hours of the bugs being reported and security updates released. ‘QuickCPU,’ a variant of the xmr-stak Monero crypto-miner is no exception – our analysis of this campaign shows mining value flowing to the attackers’ Monero wallet on March 9, with the attack diminishing rapidly in scale thereafter. This suggests we are looking at yet another rapidly compiled, opportunistic and possibly experimental attack attempting to make some easy money before widespread patching takes place.
“What makes this attack unusual is the fact that the operators installed their crypto-mining payload on an infected Exchange server and then used that as a platform to spread the malicious miners to other infected servers. The attackers implemented a range of standard anti-detection techniques, installing the malicious miner in memory to keep it hidden from security scans, deleting the installation and configuration files after use, and using the traffic encryption of Transport Layer Security to communicate with their Monero wallet. As a result, for most victims the first sign of compromise is likely to be a significant drop in processing power. Servers that remain unpatched could be compromised for quite some time before this becomes clear.
“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. However, patching is not enough on its own – organizations need to determine and address their wider exposure so they don’t remain vulnerable to later attacks. For instance, admins should scan the Exchange server for web shells and monitor servers for any unusual processes that appear seemingly out of nowhere. High processor usage by an unfamiliar program could be a sign of crypto-mining activity or ransomware. If this isn’t possible, closely monitor the server until you migrate the Exchange data to an updated server, then disconnect the unpatched server from the internet.” – Andrew Brandt, principal threat researcher, Sophos
How the attack works
Despite its extension, the .zip file is not a compressed archive but a batch script. The script invokes the built-in Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip. Neither of these is a compressed archive either.
The first file is written to the filesystem as QuickCPU.b64. Because certutil is designed to decode base64-encoded security certificates, the attackers abuse that functionality: they base64-encode an executable payload and wrap it in BEGIN/END headers that make it look like a digital certificate. certutil does not check that the decoded bytes are actually a certificate.
The batch script then runs the following command, which writes the decoded executable into the same directory:
certutil.exe -decode QuickCPU.b64 QuickCPU.exe
Once decoded, the executable is launched by the batch script. It extracts the miner and its configuration data from the QuickCPU.dat file, injects the miner into a system process, and then deletes the evidence. The executable’s Properties sheet carries forged version information claiming the file is a Windows component, but the binary is not digitally signed, and no file of that name has ever been a standard component of Windows. A legitimate third-party utility with the same name does exist, but it is not connected to this malware in any way.
The executable appears to contain a modified version of PEx64-Injector, a tool publicly available on GitHub whose project page describes it as able to “migrate any x64 exe to any x64 process…no administrator privileges required.” When run, it temporarily extracts the contents of QuickCPU.dat (an installer for the miner and its configuration) to the filesystem, configures the miner, injects it into a running process, and then quits. The batch file deletes the evidence, and the miner keeps running in memory inside a process that was already running on the system, so nothing of it remains on disk.
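The certificate-wrapping trick described above is easy to check for on disk or in a file share, because the decoded body is either a DER certificate or it is not. The following is an added example, not Sophos’ tooling or anything from the QuickCPU sample: it decodes each PEM-style block the way certutil -decode would (strip the BEGIN/END lines, base64-decode the body) and then tests whether the result is a PE image (MZ stub plus a “PE\0\0” signature at e_lfanew) or a DER SEQUENCE, which is what a genuine X.509 certificate is. The fake PE and the tiny DER body used as inputs are constructed here and are not real malware.

```python
"""Spot an executable smuggled inside a PEM-style "certificate" (QuickCPU.b64-style).

certutil -decode strips the BEGIN/END lines and base64-decodes whatever lies
between them, without caring whether the result is a certificate. This does
the same decode and then checks what actually came out.
"""
import base64
import re
import struct

# One PEM block: label, base64 body, matching END line.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_bodies(data: bytes):
    """Yield (label, decoded bytes) per PEM block, skipping bodies that are not valid base64."""
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        try:
            yield label, base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def is_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_der_sequence(blob: bytes) -> bool:
    """True if blob is a single DER SEQUENCE (tag 0x30) whose length covers the whole blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if not 1 <= n <= 4 or len(blob) < 2 + n:
            return False
        length, header = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return header + length == len(blob)


def classify(data: bytes) -> list:
    """One verdict per PEM block in data: a PE hiding under a label, a DER body, or unknown."""
    verdicts = []
    for label, blob in pem_bodies(data):
        if is_pe(blob):
            verdicts.append("pe-disguised-as-" + label.lower().replace(" ", "-"))
        elif looks_like_der_sequence(blob):
            verdicts.append("der-sequence")
        else:
            verdicts.append("unknown")
    return verdicts


# --- constructed samples (not real malware) -------------------------------------

def build_fake_pe() -> bytes:
    """Stand-in for QuickCPU.exe: a 64-byte DOS header with e_lfanew = 0x40, then 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def wrap_as_certificate(blob: bytes) -> bytes:
    """Reproduce the attackers' wrapping: base64 body between CERTIFICATE headers (certutil -encode layout)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(blob) + b"-----END CERTIFICATE-----\n"


# A minimal DER SEQUENCE { INTEGER 5 }: not a real certificate, just a benign DER body for contrast.
BENIGN_DER_PEM = wrap_as_certificate(b"\x30\x03\x02\x01\x05")


if __name__ == "__main__":
    print(classify(wrap_as_certificate(build_fake_pe())))  # ['pe-disguised-as-certificate']
    print(classify(BENIGN_DER_PEM))                         # ['der-sequence']
```

Run it over any .b64, .cer or .crt files certutil was seen touching; a “pe-disguised-as-certificate” verdict is exactly the QuickCPU.b64 pattern. The DER check is deliberately structural only (tag and length), so a full X.509 parse is still needed before trusting a “der-sequence” result.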
(Figure: a segment of a root-cause analysis flowchart showing the QuickCPU installer running from the system folder on a compromised Exchange server after certutil.exe decoded it.)
Among the files contained in the QuickCPU.dat archive is the configurator for the miner, which appears to be xmr-stak. By default, the payload configures the miner to communicate only over a TLS connection back to the mining pool that credits the attackers’ Monero wallet. If the miner detects a certificate mismatch (or some other indication of a TLS man-in-the-middle), it quits and attempts to reconnect every 30 seconds.
The miner’s pools.txt file is also temporarily written to disk. It reveals not only the wallet address and its password but also the name the attacker has given this pool of miners: DRUGS. The “currency”: “randomx” entry in this file appears to be a configuration value specific to the xmr-stak miner.
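When a pools.txt like the one described above is recovered from disk or from process memory, the wallet address, pool endpoint, rig name and TLS settings are the indicators worth pulling out, and the TLS fingerprint field is what turns “certificate mismatch, quit and retry” behaviour on. The following is an added example, not Sophos’ code or anything taken from the QuickCPU sample. It assumes the documented xmr-stak pools.txt layout (a brace-less run of “key” : value pairs with C-style block comments and trailing commas, a pool_list array with pool_address, wallet_address, rig_id, pool_password, use_tls and tls_fingerprint fields, and a top-level currency key); the pool host, wallet, password and fingerprint in the sample are constructed placeholders.

```python
"""Extract indicators from a recovered xmr-stak pools.txt.

xmr-stak's pools.txt is not strict JSON: top-level "key" : value pairs,
C-style block comments and trailing commas. Normalise that into JSON, then
flatten each pool entry into the fields an incident responder needs.
"""
import json
import re

# Monero addresses use the Bitcoin base58 alphabet (no 0, O, I, l).
MONERO_B58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

# Constructed sample in xmr-stak's pools.txt layout. Host, wallet, password and
# fingerprint are placeholders; only the field names follow xmr-stak's format.
SAMPLE_POOLS_TXT = r"""
/*
 * pool_address    - Pool address in the form "host:port".
 * tls_fingerprint - Server's SHA256 fingerprint. If non-empty, the cert is checked against it.
 */

"pool_list" :
[
	{"pool_address" : "pool.example.invalid:443", "wallet_address" : "WALLET_PLACEHOLDER", "rig_id" : "DRUGS", "pool_password" : "x", "use_nicehash" : false, "use_tls" : true, "tls_fingerprint" : "FINGERPRINT_PLACEHOLDER", "pool_weight" : 1 },
],

"currency" : "randomx",
""".replace("WALLET_PLACEHOLDER", "4" + "A" * 94).replace("FINGERPRINT_PLACEHOLDER", "0" * 64)


def parse_pools_txt(text: str) -> dict:
    """Strip /* */ comments and trailing commas, wrap in braces, then parse as JSON."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r",(\s*[\]}])", r"\1", text)  # "...}, ]" -> "...} ]"
    return json.loads("{" + text.strip().rstrip(",") + "}")


def looks_like_monero_address(addr: str) -> bool:
    """Standard (95 chars, leading 4), subaddress (95, leading 8) or integrated (106, leading 4)."""
    if not addr or any(c not in MONERO_B58 for c in addr):
        return False
    return (len(addr) == 95 and addr[0] in "48") or (len(addr) == 106 and addr[0] == "4")


def extract_indicators(cfg: dict) -> list:
    """One flat record per pool entry, ready for a ticket, blocklist or blockchain lookup."""
    records = []
    for pool in cfg.get("pool_list", []):
        host, _, port = pool["pool_address"].rpartition(":")
        tls = bool(pool.get("use_tls", False))
        wallet = pool.get("wallet_address", "")
        records.append({
            "pool_host": host,
            "pool_port": int(port) if port.isdigit() else None,
            "wallet": wallet,
            "wallet_is_monero_format": looks_like_monero_address(wallet),
            "rig_id": pool.get("rig_id", ""),
            "password": pool.get("pool_password", ""),
            "tls": tls,
            # A non-empty fingerprint with TLS on means the miner pins the pool's cert
            # and will bail out on a mismatch rather than accept an intercepting proxy.
            "cert_pinned": tls and bool(pool.get("tls_fingerprint")),
            "currency": cfg.get("currency"),
        })
    return records


if __name__ == "__main__":
    for rec in extract_indicators(parse_pools_txt(SAMPLE_POOLS_TXT)):
        print(rec)
```

The wallet address is the durable indicator: pool hosts and passwords change cheaply, but the wallet is what ties a campaign to the payments visible on the Monero blockchain, so it belongs in the case notes even when everything else in the file looks disposable.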
According to the Monero blockchain, the wallet began receiving funds on March 9 (the Patch Tuesday on which the Exchange updates shipped as part of the regular update cycle), which corresponds with when we saw the attack begin. Over time the attacker lost several servers and mining output decreased, but then gained a few new ones that more than made up for the early losses.
Sophos Intercept X and Sophos Intercept X with EDR protect against threats attempting to exploit the ProxyLogon Exchange vulnerabilities.