Recently, malware campaigns targeting the defense industry and Microsoft Exchange servers have been observed. The campaigns seek to install the “DeliveryCheck” backdoor on compromised computers and have been attributed to the Russian threat actor group “Turla”.
According to observations by Microsoft and CERT-UA, those responsible for the campaign are the malicious group Turla, also known as Secret Blizzard and UAC-0003, which has been linked to the Russian government and is categorized as an APT group. The actors in question have previously been linked to other attacks against Western countries over the years. One example is “Snake”, a cyber espionage campaign using malware distributed through a botnet; that operation was disrupted by joint actions in the operation called “MEDUSA”.
The most recent UAC-0003 campaign targets defense forces for espionage purposes using malware called “CAPIBAR”, also known as “DeliveryCheck” by Microsoft and “GAMEDAY” by Mandiant. According to Microsoft, DeliveryCheck is distributed via email as documents with malicious macros. Its persistence relies on a scheduled task, which downloads the backdoor and launches it in memory.
Microsoft Exchange
The attack starts with phishing emails carrying XLSM attachments with malicious macros. Once the macros are enabled, they execute a PowerShell command that creates a scheduled task posing as a Firefox browser updater.
The scheduled task downloads the “DeliveryCheck” backdoor and starts it in memory, from where it connects to the attackers’ command and control (C2) server. From there, the backdoor receives instructions to execute or later deploy malware payloads, which are embedded in and launched from an XSLT stylesheet.
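A defender-side check for the persistence step described above, added here as an example and not taken from the original report: it inspects Windows Security event 4698 (scheduled task created) records and flags browser-themed task names whose action runs a script host, uses hidden or encoded PowerShell arguments, or points outside Program Files. The event records, the task XML and the Firefox agent task name and path are constructed and simplified; the field names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed 4698 records (scheduled task created). The task XML is simplified and
# the task names, paths and encoded argument are invented for illustration.
SAMPLE_EVENTS = [
    {"TaskName": r"\Firefox Default Browser Agent",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                    "<Arguments>-w hidden -nop -enc SQBFAFgAIAAoAE4A</Arguments>"
                    "</Exec></Actions></Task>"},
    {"TaskName": r"\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Mozilla Firefox\\"
                    "default-browser-agent.exe</Command><Arguments>do-task</Arguments>"
                    "</Exec></Actions></Task>"},
    {"TaskName": r"\Backup\NightlyCopy",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Tools\\robocopy.cmd</Command>"
                    "</Exec></Actions></Task>"},
]

BROWSER_WORDS = re.compile(r"firefox|mozilla|chrome|edge|updat", re.I)
SCRIPT_HOSTS = re.compile(r"(^|\\)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?$", re.I)
SUSPICIOUS_ARGS = re.compile(r"-e(nc|ncodedcommand)?\b|iex\b|downloadstring|frombase64string|-w(indowstyle)? hidden", re.I)
VENDOR_DIRS = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)


def analyze_task(event):
    """Return the reasons a 4698 event looks like a masquerading persistence task (empty if clean)."""
    reasons = []
    root = ET.fromstring(event["TaskContent"])
    looks_like_browser = bool(BROWSER_WORDS.search(event["TaskName"]))
    for exec_node in root.iter("Exec"):
        command = (exec_node.findtext("Command") or "").strip()
        args = (exec_node.findtext("Arguments") or "").strip()
        if SCRIPT_HOSTS.search(command):
            reasons.append(f"action runs script host {command!r}")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("arguments use hidden/encoded PowerShell patterns")
        if looks_like_browser and not VENDOR_DIRS.match(command):
            reasons.append("browser-themed task name but binary outside Program Files")
    return reasons


def scan(events):
    """Map each flagged task name to its reasons; tasks with no findings are omitted."""
    return {e["TaskName"]: r for e in events if (r := analyze_task(e))}
```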

At the same time and under specific circumstances, the backdoor called “KAZUAR” is also loaded, which implements more than 40 functions on the compromised systems. Among them:
- “chakra”, which executes JavaScript via ChakraCore,
- “eventlog”, which retrieves information from operating system logs,
- “forensic”, which collects various artifacts,
- “steal”, which steals data such as: passwords, bookmarks, autofill, history, proxies, cookies, FileZilla, Chromium, Mozilla, Outlook, OpenVPN, system, WinSCP, Signal, Git, and
- “unattend”, which steals database/application configuration files: KeePass, Azure, Gcloud, AWS, Bluemix, among others.
After infecting the devices, the malicious actors exfiltrate sensitive information through the backdoor using the Rclone tool.
The highlight of DeliveryCheck’s capabilities is a component that turns a Microsoft Exchange server into a command-and-control server that the malicious actors can use at their convenience. According to Microsoft, the component is installed via Desired State Configuration (DSC), a PowerShell module that allows administrators to create standardized server configurations and apply them to devices.
This capability is normally used to create a default configuration template so that multiple devices can be configured with the same settings automatically.
As stated by Microsoft, the malicious actors use DSC to automatically load a Base64-encoded Windows executable, which turns legitimate Microsoft Exchange servers into a malware distribution server.
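A hunting check for the DSC abuse described above, added as an example and not code from the report or from Microsoft: it scans DSC configuration text for long Base64 runs and reports those that decode to a PE image (an “MZ” header), which a legitimate baseline configuration should never carry. The DSC scripts and the embedded PE header are constructed for the example; the resource and file names are assumptions.

```python
import base64
import binascii
import re

# Fabricated PE header (MZ signature plus DOS stub text), not real malware.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode." + b"\x00" * 20

# Constructed DSC script of the kind described: a Script resource whose SetScript
# decodes a Base64 blob and writes it to disk. Names and paths are invented.
SAMPLE_DSC = (
    "Configuration ExchangeBaseline {\n"
    "  Script Loader {\n"
    "    GetScript = { @{} }\n"
    "    TestScript = { $false }\n"
    "    SetScript = { [IO.File]::WriteAllBytes('C:\\Windows\\Temp\\svc.exe', "
    "[Convert]::FromBase64String('" + base64.b64encode(FAKE_PE).decode() + "')) }\n"
    "  }\n"
    "}\n"
)

# Constructed benign configuration with no embedded payload.
BENIGN_DSC = (
    "Configuration Benign {\n"
    "  Registry Tls { Key = 'HKLM:\\SOFTWARE\\X'; ValueName = 'Enabled'; ValueData = '1' }\n"
    "}\n"
)

# Base64 alphabet runs of 40+ characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_embedded_executables(text):
    """Return (offset, decoded_size) for every Base64 run that decodes to a PE (MZ) image."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid Base64 (e.g. an identifier or a truncated run)
        if blob[:2] == b"MZ":
            hits.append((m.start(), len(blob)))
    return hits
```

Run it over `.ps1`/`.mof` files in the DSC configuration store and treat any hit as a server that needs incident-response attention.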
IOCs