Category: Adversary Intelligence
Region: Middle East
- Custom-made Powershell backdoor deployed on unidentified UAE government entity.
- Post this, multiple other implants and payloads were deployed, one such implant having credential-harvesting capabilities.
- Access to government assets and related entities.
- Access to government accounts.
Analysis and Attribution
Technical Summary - Attack Overview
- A campaign involving a custom-made Powershell backdoor has been rediscovered. This campaign targeted Microsoft Exchange servers belonging to an unidentified UAE government entity.
- The PowerExchange backdoor was delivered by the means of a phishing email, which contained an executable that served as a loader for the Powershell backdoor.
- The backdoor achieved persistence by using the MicrosoftEdgeUpdateService scheduled task, making it so that the payload runs every five minutes under a new process.
- The access provided by the backdoor was used to deploy more payloads, which included modules from the open-source project Invoke The-Hash in order to laterally move across the target domain.
- Two C# webshells were also deployed in the form of .dlls. One of them was named ExchangeLeech, which had credential harvesting capabilities along with providing the ability to execute commands. Refer to Yara Rules for threat hunting.
Technical Summary - PowerExchange Backdoor
- The backdoor comes in the form of a custom-made Powershell script.
- What makes it crafty in nature is that it uses the Microsoft Exchange Web Services API to connect to the target’s Exchange servers, and receives commands from the threat actor using mailboxes on the server.
- In order to indicate that it is running, the backdoor connects to the target Exchange server, and sends the computer name encoded in base64 to a mailbox. The credentials used for the connection are hardcoded in the script.
- In order to send data, the backdoor creates an email with the subject “Update Microsoft Edge” and the body “Microsoft Edge Update”, with the data being sent in a .txt attachment.
- Commands are sent to the backdoor in the form of attachments containing base64 content, and the commands allow the threat actor to execute commands, download files or upload files.
Based on research published by multiple sources on the xHunt campaign from July 2018 targeting Kuwaiti government entities and shipping companies, we can attribute this campaign, the PowerExchange backdoor, and related tools to APT34, which is an Iranian threat.
The tools used in the xHunt campaign, notably the TriFive backdoor, share many similarities with the PowerExchange backdoor. Both backdoors are Powershell scripts, and use scheduled tasks in order to achieve persistence, and use the same method for C2 communication: the Exchange servers using the EWS API. APT34 is known to use phishing in order to gain initial access, and has targeted entities from the UAE before.
The MITRE TTPs associated with this campaign are as follows:
The C# Webshells (.dll) are associated with the ExchangeLeech backdoor mentioned in the report.