PowerExchange Malware Targets UAE Government Bodies
A new form of malicious software, dubbed PowerExchange, has been identified and is believed to have been used by the Iranian state-backed hacking group APT34, also known as OilRig.
This PowerShell-based malware was used in an attack on a United Arab Emirates government organization and allows attackers to backdoor Microsoft Exchange servers. Its command-and-control channel is email sent through the Exchange Web Services (EWS) API: base64-encoded commands arrive as attachments on messages carrying the subject line "Update Microsoft Edge". It is also capable of delivering additional malicious payloads to the server and exfiltrating harvested files. The malware has been linked to other APT34 attacks, which used similar phishing tactics, such as sending malicious executables in archived email attachments.
Additionally, the malware was found to share similarities with TriFive, which was used in an attack on Kuwaiti government organizations. PowerExchange is thought to be a new and improved version of TriFive.
The malicious software is also able to collect usernames and passwords from those logging into the compromised Exchange servers through basic authentication. This is done by monitoring clear text HTTP traffic and capturing credentials from webform data or HTTP headers. It can then be instructed to send the logged credential information as cookie parameters.
Alongside other malicious implants, the researchers also discovered a web shell dubbed ExchangeLeech, which was installed as a file named System.Web.ServiceAuthentication.dll, mimicking the legitimate IIS file naming convention.
During their investigation, the researchers also identified a number of backdoors, including ExchangeLeech, which was disguised as a legitimate IIS file. It collects the usernames and passwords of users logging in via basic authentication by monitoring cleartext HTTP traffic. These credentials are then sent out to the attacker via cookie parameters.
The attack is linked to APT34 because of the similarities between PowerExchange and the group's previously used TriFive malware, which was deployed against Kuwaiti government organizations. PowerExchange is thought to be a more sophisticated version of TriFive: the code is written in PowerShell, and it uses scheduled tasks for persistence and the EWS API as its command-and-control (C2) channel. Phishing emails have also been identified as an initial infection vector, and the group has previously been linked to other attacks against UAE targets.
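As an added defender-side example (not code from the article or from the researchers who analysed the malware), the following Python triage routine applies the EWS C2 indicators described above to exported mailbox items: it flags messages whose subject is "Update Microsoft Edge" and whose attachment body is strict base64 that decodes to readable command text. The message records, attachment names and the decoded command are constructed samples.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicator taken from the PowerExchange description: C2 e-mails carry
# base64-encoded commands as attachments under this subject line.
C2_SUBJECT = "Update Microsoft Edge"
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Message:
    """Minimal view of an exported mailbox item (constructed for this example)."""
    subject: str
    sender: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # name -> raw bytes


def decode_if_base64(blob: bytes) -> Optional[str]:
    """Return decoded text if `blob` is strict base64 that decodes to readable text, else None."""
    data = blob.strip()
    if len(data) < 8 or len(data) % 4 or not _B64_RE.match(data):
        return None
    try:
        text = base64.b64decode(data, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # A command blob should be printable text (tabs/newlines allowed); binary data is not.
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def triage(messages: List[Message]) -> List[dict]:
    """Return one finding per attachment that matches the PowerExchange C2 pattern."""
    findings = []
    for msg in messages:
        if msg.subject.strip().lower() != C2_SUBJECT.lower():
            continue  # subject alone is the first filter; benign mail with other subjects is skipped
        for name, blob in msg.attachments.items():
            command = decode_if_base64(blob)
            if command is not None:
                findings.append({"sender": msg.sender, "attachment": name, "decoded": command})
    return findings


# Constructed sample items: an IT notice with a PDF, a C2-style message, and unrelated base64 mail.
SAMPLE_MESSAGES = [
    Message("Update Microsoft Edge", "it-notices@example.test", {"notes.pdf": b"%PDF-1.7 constructed"}),
    Message("Update Microsoft Edge", "operator@example.test", {"edge.txt": b"aG9zdG5hbWU="}),
    Message("Invoice", "billing@example.test", {"inv.txt": b"aG9zdG5hbWU="}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
```

The subject match is deliberately the first gate, so the base64 heuristic only runs on messages that already fit the reported C2 pattern; both indicators should be treated as tunable per environment.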