Morphisec has recently identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints.
As the name suggests, ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers for initial access and compromise of an organization to deliver crypto miners. After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO. We detected four C2 servers in use by the attackers. All are legitimate, compromised mail servers which host the malware-dependent files.
Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services. Unfortunately, mining threats are often disregarded or deprioritized until the same backdoor delivers ransomware.
The samples Morphisec analyzed require a command line parameter to be supplied upon execution, for example “000.” This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic.
The parameter serves as an anti-analysis technique and as a password for the XMRig miner
Execution and Code Decryption Behavior
ProxyShellMiner uses an embedded dictionary, an XOR decryption algorithm, and an XOR key downloaded from a remote server. It then invokes the C# compiler CSC.exe with “InMemory” compile parameters to compile and execute the next embedded code modules.
The miner downloads a KEY from a remote server which is used for XOR decryption
Remote server https://mail.shaferglazer[.]com/resources/files
For the next stage, ProxyShellMiner downloads a file named “DC_DLL” from a remote server (see IOCs; the analyzed sample downloads from hxxps://mail.shaferglazer[.]com/resources/files/). ProxyShellMiner loads DC_DLL through .NET reflection and passes it arguments such as the task scheduler, the XML, and the XMRig key.
Reflective loading of the DC_DLL
The malware author applied a forked version of “Confuser” which obfuscates the code.
Second Downloader: Persistence and Evasion
To gain persistence, the miner creates a scheduled task configured to run when any user logs on. To name the scheduled task and build the path of the next-stage downloader, the miner hashes the target machine name (yielding a file name such as 7826F246.exe) and reads the CommonProgramFiles environment variable; concatenating the two produces the next-stage downloader path.
Creating a path C:\Program Files\Common Files\microsoft shared\ for the next stage downloader: 7826F246.exe
It then uses Deflate decompression to unpack the embedded scheduled-task XML.
The deobfuscated scheduled task
Using a PowerShell runspace, the miner adds the path and process name of the second-stage downloader (7826F246.exe) to the Microsoft Defender exclusion list.
It sets the file's attributes to hidden, system, and NotContentIndexed so that the file is not indexed by the operating system's content indexing service.
It eventually writes and executes the file. Immediately upon launch, the file checks whether the programdata\softwaredistribution path exists; if it does not, it creates the directory.
Validating the existence of programdata\softwaredistribution path
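A defender-side hunt for the persistence and evasion artifacts just described, added here as an example and not part of Morphisec's write-up. It assumes the ScheduledTasks and Defender cmdlets are available, and the 8-hex-digit file-name pattern is generalized from the single sample name (7826F246.exe) in the post, so treat that match as a lead rather than proof.

```powershell
# Added hunting example, not Morphisec's code. Checks a host for the persistence
# artifacts described above: a logon-triggered scheduled task that runs a binary
# from "%CommonProgramFiles%\microsoft shared", a Defender exclusion for that
# binary, and Hidden+System+NotContentIndexed attributes on it. The 8-hex-digit
# file-name pattern (e.g. 7826F246.exe) is generalized from the one sample (assumption).
$commonShared = Join-Path $env:CommonProgramFiles 'microsoft shared'
$hashedName   = '(^|\\)[0-9A-Fa-f]{8}\.exe$'
$findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks fired on logon whose action runs from the shared folder
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $onLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $onLogon) { continue }
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if ($exe -like "$commonShared\*" -or $exe -match $hashedName) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $exe
        }
    }
}

# 2. Defender path/process exclusions covering the same folder or file-name pattern
$pref = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($ex -and ($ex -like "$commonShared*" -or $ex -match $hashedName)) {
        Add-Finding 'DefenderExclusion' $ex ''
    }
}

# 3. Executables in the shared folder carrying all three attributes the malware sets
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::NotContentIndexed
Get-ChildItem -Path $commonShared -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $mask) -eq $mask } |
    ForEach-Object { Add-Finding 'HiddenSystemExe' $_.Name $_.FullName }

# 4. Contents of the staging directory the second stage writes into (for review, not proof)
$staging = Join-Path $env:ProgramData 'SoftwareDistribution'
if (Test-Path $staging) {
    Get-ChildItem -Path $staging -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StagingFile' $_.Name $_.FullName }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No ProxyShellMiner persistence artifacts found.' }
```

Run it in an elevated session on the Exchange server and any domain-joined host that received the NETLOGON-distributed payload; a hit in more than one category on the same file name is the strongest signal.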
The second-stage downloader holds a key for decrypting the additional files: the second loader named LC_DLL, the XMRig payload named DATA1, and two additional configuration files. It writes the files into the generated directory as “%ProgramData%\SoftwareDistribution\<file>”.
It downloads five additional files, among them the payload (DATA1) and second loader (LC_DLL)
The Second Loader
At this point the second loader decides which of the installed browsers will be hollowed to host XMRig, then randomly chooses a pool from a list of XMRig pools.
List of XMRig pools
The XMRig config file is then created with parameters such as the server IP used by XMRig, the user identifier, and the password passed on the command line. In addition, the second loader checks whether WinRing0x64.sys already exists in the browser path. WinRing0x64.sys is a known, signed, vulnerable driver that XMRig's RandomX algorithm uses to achieve a higher hash rate by accessing MSR registers. If the driver is not found, the loader writes it out from the sys variable embedded in the loader. Lastly, it sets the driver file's attributes to hidden, system, and NotContentIndexed so the file is not indexed by the operating system's content indexing service.
Creating the XMRig config file
Final Stage and Security Evasion
ProxyShellMiner creates a firewall rule that applies to all Windows Firewall profiles (domain, private, and public) and blocks all outgoing traffic. In the final stage, it hollows the selected browser and injects the XMRig payload via the well-known RunPE technique. It then waits at least 30 seconds while the target machine blocks all outbound connections, in order to interfere with the runtime behavior analysis performed by common security solutions.
Creation of the firewall rule and hollowing of the selected browser
‘LockOutboundConnection’ firewall rule
We came across a thread of several Windows Exchange server owners complaining about a new “LockOutboundConnections” firewall rule added to their servers that blocks all outbound traffic. The cause is the scheduled task triggered by the logon event: every logon to an infected machine blocks outbound traffic for at least 30 seconds.
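A check for the firewall artifact described in the two paragraphs above, added here as an example and not part of Morphisec's post. It uses only the built-in NetSecurity cmdlets and matches either the rule name the post reports or any enabled outbound rule that blocks everything on every profile, so a renamed rule is still caught.

```powershell
# Added example, not Morphisec's code. Lists enabled outbound rules that block all
# traffic on every profile (how the 'LockOutboundConnections' rule described above
# presents) or that carry that name, then shows how to disable them safely.
$blockAll = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        # Profile is 'Any' (0) or has Domain|Private|Public (1|2|4) all set
        $p = [int]$_.Profile
        $allProfiles = ($p -eq 0) -or (($p -band 7) -eq 7)
        # No port, address or program scoping: the rule blocks everything
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $unscoped = ($port.Protocol -eq 'Any') -and ($port.RemotePort -eq 'Any') -and
                    ($addr.RemoteAddress -eq 'Any') -and ($app.Program -eq 'Any')
        ($allProfiles -and $unscoped) -or ($_.DisplayName -like 'LockOutboundConnection*')
    }

if ($blockAll) {
    $blockAll | Select-Object DisplayName, Profile, Enabled, Owner, PolicyStoreSource | Format-Table -AutoSize
    # Disable rather than delete so the rule survives as evidence; drop -WhatIf once
    # reviewed. The logon-triggered task described above recreates the rule, so it
    # must be removed too or the block returns at the next logon.
    $blockAll | Disable-NetFirewallRule -WhatIf
} else {
    'No outbound block-all rules found.'
}
```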
ProxyShellMiner doesn’t just slow down organization networks, inflate power bills, overheat equipment, and prevent services from running. It gives threat actors access for even more nefarious ends. Once attackers have a foothold in a network, they have been observed deploying web shells and backdoors and using tunneling utilities to further compromise victim organizations.
Security teams should apply patches KB5003435 (CVE-2021-31207) and KB5001779 (CVE-2021-34473 and CVE-2021-34523) as a first step in preventing these vulnerabilities from being exploited. But some may not be able to do so, and what if an attacker has already established persistence in a network?
An effective defense-in-depth strategy can stop ProxyShellMiner, even if the relevant patches aren’t applied. But what does this entail? Use technology like Automated Moving Target Defense (AMTD) to augment detection-based tools like NGAV, EPP, and EDR/XDR, which don’t reliably stop ProxyShellMiner. MTD can function like a virtual patch by preventing ProxyShellMiner access to runtime memory. It does this by regularly morphing (randomizing) the runtime memory environment and leaving decoy traps where legitimate targets used to be. Any code that tries to engage with the decoys is instantly shut down and trapped for forensic analysis. To learn more about Moving Target Defense, read the white paper: The Ultimate Ransomware Strategy: Zero Trust + Moving Target Defense.
Indicators Of Compromise