Restore everything if you have these two Microsoft Exchange backdoor processes on your network devices

Cybersecurity specialists report finding two PowerShell backdoors never detected and apparently used in attacking a Kuwait-based organization’s Microsoft Exchange servers.

These attacks are related to a hacker group known as xHunt, first detected in 2018 and which in the past launched a series of attacks targeting the Kuwaiti government as well as shipping and transport organizations. In addition, the latest reports indicate that this hacking group has updated its malicious arsenal.

Threat actors used the two discovered backdoors, known as TriFive and Snugy. Both attacks were carried out against a compromised Exchange server of a Kuwaiti government organization using undercover channels for C&C server communications.

TriFive

This backdoor provides access to the Exchange server by logging in to a legitimate user’s inbox and obtaining a PowerShell script from a draft email within the Deleted Emails folder. This attack has been used by other hacking groups as a method of communication between hackers and compromised system.

“TriFive’s sample used a legitimate account name and credentials of the attacked organization,” the report of the specialists mentions. To issue commands to the backdoor, threat actors must log in to the same legitimate email account and create a draft with a subject line “555”, in addition to including the command in an encrypted and base64-encoded format.

Snugy

On the other hand, the Snugy backdoor uses the DNS tunnel channel to execute commands on the compromised server, allowing actors in amenzas to exchange data using the DNS protocol and extract information inadvertently. Malicious hackers use Snugy to obtain system hostnames, execute malicious commands, and extract the results of these searches.

Researchers observed several code overlays between Snugy and the previously discovered CASHY200 backdoor, including similar functions that are used to convert strings to hexadecimal representation and generate a string of random characters in uppercase and lowercase as well as command handlers that use the first octet of the IP address to determine the command to execute and get the host name and execute a command.

Finally, experts mentioned that xHunt’s malicious campaign remains active as threat actors launch ongoing attacks on multiple Kuwaiti organizations.