ProxyLogon Exploit: Attackers Install Cryptojacker


The threat actors have targeted the ProxyLogon exploit, the compromised exchange servers for hosting the malicious Monero (XMR) crypto miner in a very unusual attack. The Sophos researchers have discovered the incident.

Cryptojacking is one of the many threats utilizing the unpatched exchange servers and remains vulnerable to the currently infamous ProxyLogon exploit, mentions the new researchers. 

The researchers have unveiled that the threat actors are using the Exchange servers that are compromised with the help of a highly publicized exploit chain. The exchange servers have suffered a bunch of cyber attacks starting off the advanced persistent threat (APT) groups. The APT groups infected the system with ransomware to the web shells and finally to hosting the cryptomining malware, states the SophosLabs report posted last week.

“An unknown attacker has been attempting to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero crypto miner onto Exchange servers, with the payload being hosted on a compromised Exchange server,” Sophos principal researcher Andrew Brandt wrote in the report.

The researchers had been inspecting the telemetry when they had found out what seemed to be an unusual attack targeting the Exchange server of their customers. As Brandt acknowledged, Fraser Howard and Simon Porter, the Sophos researchers, had been instrumental in discovering and analyzing the novel threat.

The researchers mentioned that they had detected the executables in association with this attack as Mal/Inject-GV and the XMR-Stak Miner (PUA), cites the report. Furthermore, the researchers have published a list of compromised indicators on the SophosLabs GitHub page for helping the organizations recognize whether they have been hacked in the same way.

As the researchers have observed, it started with the PowerShell command for retrieving a file called “” from the Outlook Web Access logon path (/owa/auth) of another compromised server. With close inspection, the .zip file had not been a compressed archive at all. It was just a batch script that then enforced the built-into-Windows certutil.exe program. This program then downloads two additional files, such as and, that were also not compressed.

The latter file is written out to the file system as the QuickCPU.b64. It is an executable payload in base64, and a certutil application can decode it. The researchers have observed that the certutil application can decode base64 by design.

Next, the batch script runs another command that places the decoded executable into the same directory. Once it is cracked, the batch script runs the executable that attracts the configuration data and miner from the QuickCPU.dat file. Then it injects the file into a system process and deletes any evidence present there, mentions the report.

It appears that the executable in the attack contains a modified version of a tool and is publicly available on GitHub named PEx64-Injector. It is described on the GitHub page as possessing the capability to “migrate any x64.exe to any z64 process”, having “no administrator privilege requirement”, the report states.

As soon as the file runs on an infected system, it churns out the contents of the QuickCPU.dat file. The file includes an installer for the cryptominer and its configuration to the file system temporarily. Then, it configures the miner and injects it into a running process and finally quits.

“The batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,” Brandt wrote.

Researchers have observed that the Monero cryptominer received funds back on the 9th of March. It is at the same time when Microsoft released updates to Exchange for patching the flaws. Although the attacker had lost multiple servers following this date and the output from the miner had decreased. The other servers gained after this had made up more from the early losses, the report mentioned.

The problem of ProxyLogon had started for Microsoft in the initial days of March when the company had stated that it could spot multiple Zero-day exploits in the wild. They were being used to attack the Microsoft Exchange server’s on-premises versions.

Four flaws together formed the exploit chain – 

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

The flaws together created a pre-authentication remote code execution exploit or RCE. This means that the attackers are able to take over the servers without the knowledge of any valid account credentials. This offered them access to email communications and an opportunity for installing a web shell for further exploitation within the environment. 

As mentioned earlier, Microsoft had released an out-of-band update after its scramble for patching the flaws in the ProxyLogon chain. However, the company had boasted later that month of 92% of affected machines being patched. Much of the damage had already been created, and that the unpatched systems likely exist remaining vulnerable. 

Source: Threatpost

Disclaimer: Read the complete disclaimer here.


Please enter your comment!
Please enter your name here