It's not yet over for Proxylogon

Proxylogon update

The entire month of March has been saturated with news regarding a group of vulnerabilities for Microsoft Exchange. Commonly referred to as Proxylogon (CVE-2021-26855), the vulnerability allows unauthenticated remote code execution (RCE) on on-premises Exchange servers. This is a 0-day vulnerability was observed in use in the wild by multiple groups earlier this year. We’ve already reported on this multiple times (see herehere, and here). The main point security practitioners across the world have been hitting hard is that you need to patch your servers and then you need to look for web shells or other malicious files that bad actors may have dropped on your servers.

Microsoft reported this week that patching efforts are going well, and as of March 23, 92% of all impacted Exchange servers have been patched. Microsoft has also released a one-click mitigation tool. We also recommend downloading and running Microsoft’s Safety Scanner to scan for and remove any existing web shells.

The urgency to patch and scan your Exchange servers grows as we are seeing ransomware operators targeting these servers.

We discussed DearCry on a live stream a couple of weeks ago as the first ransomware targeting Exchange servers vulnerable to Proxylogon. The DearCry operators were re-using statically named web shells dropped by other APTs to run their malware, so only a handful of organizations were targeted, but this week a new variant of BlackKingdom, known as Black KingDom, has begun using publicly available proof-of-concept (PoC) code available that exploits Proxylogon.

Black KingDom is written in Python and compiled using pyinstaller. With a little work, it can be de-compiled to the original Python. The Black KingDom operators use Proxylogon to drop a web shell, and then use PowerShell to download and execute the ransomware. It generates a unique key and gen_id for each machine it infects and then uploads this information to a mega[.]io account. It then encrypts files not in one of its defined excluded directories and adds a randomly generated extension to the end of each encrypted file.

Most ransomware appends a specific extension to the end of files. For example, earlier versions of Black Kingdom appended .DEMON, so it can track files that have already been encrypted. Since Black KingDom is appending random extensions, it is possible for files to be doubly encrypted which will make decrypting a challenge.

We’ve managed to collect a few samples for analysis and are keeping an eye out for any new infections based on the intel we’ve gathered.

New variant of Purple Fox

We previously reported on a fileless malware known as Purple Fox that was primarily spreading through exploit kits and email phishing. It has now added worm propagation to its arsenal. The new worm module allows Purple Fox to scan for vulnerable servers over the internet and exploit them in order to install the malware. It can then spread across a LAN over SMB. So far, Purple Fox has a botnet of over 2,000 compromised servers hosting the malware dropper and its various modules. Based on telemetry from Guardicore Labs, the number of Purple Fox infections has risen by roughly 600 percent, and amounted to a total of 90,000 attacks since May 2020.

Once installed, Purple Fox installs a rootkit that allows it to hide its activity and establish persistence. It then blocks TCP and UDP port 445, 139, and 135; likely an effort to prevent re-infection by other malware, and then adds an IPv6 interface so it can scan the IPv6 address space, which is often unmonitored. It will then begin scanning for open SMB ports (TCP port 445) across the internet and attempt brute-force authentication in order to spread further. Once authenticated, it’ll download an MSI from one of the infected servers that pretends to be a Windows update.

A list of IOCs used for detection can be located here, and have already been added to our threat hunting platform.

That’s all for this week.

  • Bryson Medlock, The Dungeon Master