As cybersecurity experts at Fortinet FortiGuard Labs have detected, an organization with ties to the United Arab Emirates (UAE) has become the target of a novel PowerShell-based backdoor, PowerExchange, allegedly the handiwork of an APT group with Iranian roots. The PowerExchange backdoor cleverly utilizes emails for C2 communication with the unsuspecting victim’s Microsoft Exchange server.
The method and the madness
The attack initially sprung from spear phishing emails that came with a deceptive zip file named Brochure.zip. The zip file contained a .NET executable file (Brochure.exe) disguised with an Adobe PDF icon, which upon running, gives off an error message while discreetly downloading and executing the final payload.
Subsequent investigation on Fortinet’s part has turned up more malware hidden on various servers, one of which, a new web shell called ExchangeLeech, was found to be on Microsoft Exchange servers.
PowerExchange: The inside story
The PowerExchange backdoor employs the Exchange Web Services (EWS) API to connect to the targeted Exchange Server and uses a server mailbox to send and receive encoded commands. Thus, the server conveniently accessible over the internet doubles as a proxy for the attacker to conceal his identity.
The backdoor sends the computer name (base64-encoded) to a mailbox as a sign of being operational. The mailbox and connection credentials are hardcoded in the implant’s code. The operator can further command the backdoor to beacon additional mailboxes or the ID of a mail containing further commands.
Why the Iranian APT?
The attribution to APT34, the Iranian APT group, is drawn from parallels between PowerExchange and TriFive, a backdoor used against Kuwaiti government organizations by the said group. Additionally, APT34 is known to have tested communication via internet-facing Exchange servers in its campaigns, as seen in the Karkoff exploit.
The PowerExchange backdoor uses the victim’s Exchange server for C2 communication. This method allows it to blend in with normal traffic. As a result, it can bypass many network-based detections and defensive actions inside and outside the target’s infrastructure.
In light of this development, organizations need to prioritize their cybersecurity measures. Threat actors are constantly evolving and innovating in their cyber warfare strategies. This ongoing change should act as a wake-up call, signaling the importance of strong and updated cybersecurity tactics.
What are your thoughts on this emerging cybersecurity issue? Please share your views in the comment section below!
{{user}} {{datetime}}
{{text}}