Exposed: The PowerExchange Backdoor Vulnerability in Microsoft Exchange Servers

We have discovered that the PowerExchange Backdoor is targeting Microsoft Exchange Servers and a Custom-made Powershell backdoor deployed on an unidentified UAE government entity.
Updated on
May 30, 2023
Published on
May 30, 2023
Subscribe to the latest industry news, threats and resources.

Category: Adversary Intelligence

Industry: Government


Region: Middle East

Source: Underground

Executive Summary


  • Custom-made Powershell backdoor deployed on unidentified UAE government entity.
  •  Post this, multiple other implants and payloads were deployed, one such implant having credential-harvesting capabilities.


  • Access to government assets and related entities.
  • Access to government accounts.

Analysis and Attribution

Technical Summary - Attack Overview


  • A campaign involving a custom-made Powershell backdoor has been rediscovered. This campaign targeted Microsoft Exchange servers belonging to an unidentified UAE government entity.
  • The PowerExchange backdoor was delivered by the means of a phishing email, which contained an executable that served as a loader for the Powershell backdoor.
  • The backdoor achieved persistence by using the MicrosoftEdgeUpdateService scheduled task, making it so that the payload runs every five minutes under a new process.

  • The access provided by the backdoor was used to deploy more payloads, which included modules from the open-source project Invoke The-Hash in order to laterally move across the target domain.
  • Two C# webshells were also deployed in the form of .dlls. One of them was named ExchangeLeech, which had credential harvesting capabilities along with providing the ability to execute commands. Refer to Yara Rules for threat hunting.

Technical Summary - PowerExchange Backdoor

  • The backdoor comes in the form of a custom-made Powershell script. 
  • What makes it crafty in nature is that it uses the Microsoft Exchange Web Services API to connect to the target’s Exchange servers, and receives commands from the threat actor using mailboxes on the server.
  • In order to indicate that it is running, the backdoor connects to the target Exchange server, and sends the computer name encoded in base64 to a mailbox. The credentials used for the connection are hardcoded in the script.
  • In order to send data, the backdoor creates an email with the subject “Update Microsoft Edge” and the body “Microsoft Edge Update”, with the data being sent in a .txt attachment.
  • Commands are sent to the backdoor in the form of attachments containing base64 content, and the commands allow the threat actor to execute commands, download files or upload files.


Based on research published by multiple sources on the xHunt campaign from July 2018 targeting Kuwaiti government entities and shipping companies, we can attribute this campaign, the PowerExchange backdoor, and related tools to APT34, which is an Iranian threat.

The tools used in the xHunt campaign, notably the TriFive backdoor, share many similarities with the PowerExchange backdoor. Both backdoors are Powershell scripts, and use scheduled tasks in order to achieve persistence, and use the same method for C2 communication: the Exchange servers using the EWS API. APT34 is known to use phishing in order to gain initial access, and has targeted entities from the UAE before.


The MITRE TTPs associated with this campaign are as follows:



Initial Access (TA0001)

Phishing: Spearphising Attachment (T1566.001)

Execution (TA0002)

User Execution: Malicious File (T1204.002)

Scheduled Task/Job: Scheduled Task (T1053.005)

Command and Scripting Interpreter: PowerShell (T1059.001)

Defense Evasion (TA0005)

Masquerading: Masquerade Task or Service (T1036.004)
Masquerading: Match Legitimate Name or Location (T1036.005)

Discovery (TA0007)

Network Share Discovery (T1135)

Lateral Movement (TA0008)

Lateral Tool Transfer (T1570)

Exfiltration (TA0010)

Exfiltration Over C2 Channel (T1041)

Command and Control (TA0011)

Application Layer Protocol: Web Protocols (T1071.001)

Data Encoding: Standard Encoding (T1132.001)

YARA Rules 

The C# Webshells (.dll) are associated with the ExchangeLeech backdoor mentioned in the report.

import "pe"
rule System_Web_Transport_d11
description = "Webshell DLL installed as IIS module with named pipe tunneling"
author = "Digital14 Incident Response Team"
$opcode1 = {0C 72 [4] 0D 07 6F [4] 09 (1?| 1? ??) (1?| 1? ??) 6F [4] 6F [4] 1? ?? 07 6F [4] 09 (1?| 1? ??) (1?| 1? ??) 6F [4] 6F [4] 1? ??} //opcode for EndRequest
$opcode2 = {72 [4] 0A 72 [4] 0B 72 [4] 07 72 [4] 03 28 [4] 28 [4] 07 06 73 [4] 0C 08 20 [4] 6F [4].08} //opcode for Client
$PATH= "C:\\Users\\sheep\\" //DLL compilation folder
$splsvc= "splsvc" fullword wide //Named pipe defined name
pe.DLL and (($PATH and $splsvc) or any of ($opcode1, $opcode2)) and filesize < 12KB

rule System_Web_ServiceAuthentication_d11
description = "DLL installed as IIS module acting as credential harvester for users logging to OWA"
author = "Digital4 Incident Response Team"
$opcode1 {07 6F [4] 72 [4] 6F [4] 39 [4] 07 6F [4] 72 [4] 6F [4] 39 [4] 07 6F [4] 72 [4] 6F [4] 6F [4] ??} //opcode for begingHandler
$opcode2= {72 [4] 6F [4] 39 [4] 08 6F [4] 72 [4] 6F [4] 72 [4] 6F [4] 3A [4] 07 6F [4] 72 [4] 6F [4] ??} //opcode for Endrequest handler
$PATH1 = "c$\\windows\\temp\\D226B187 44C3 454B AD66" fullword wide //Users credentials output file save location
$PATH2 = "C:\\Users\\sheep\\" //DLL compilation folder
pe.DLL and (($PATH1 and $PATH2) or any of ($opcode1, $opcode2)) and filesize < 15KB


Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations