ProxyShell mining campaign.

Morphisec is tracking a stealthy malware campaign that’s distributing the new ProxyShellMiner cryptominer.

ProxyShell vulnerabilities used to install cryptominer.

ProxyShellMiner exploits the ProxyShell vulnerabilities in Microsoft Exchange Server (which Microsoft issued patches for in 2021). The malware uses the vulnerabilities to gain initial access, then installs the cryptominer. Morphisec states, “After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO. We detected four C2 servers in use by the attackers. All are legitimate, compromised mail servers which host the malware-dependent files.”

Cryptominers shouldn’t be ignored.

The researchers note that while cryptominers are often viewed as a somewhat benign form of malware, the access gained by attackers can be used to launch more damaging attacks: “ProxyShellMiner doesn’t just slow down organization networks, inflate power bills, overheat equipment, and prevent services from running. It allows threat actors access for even more nefarious ends. Once attackers have a foothold in a network, they have deployed web shells, backdoors, and used tunneling utilities to further compromise victim organizations.”