A Babuk ransomware campaign has been observed exploiting ProxyShell vulnerabilities in Exchange Servers. Experts noted that the vulnerabilities are being exploited by threat actors identified as Tortilla.

What's happening?

  • Since October, the Tortilla group has been exploiting the Exchange server Proxyshell vulnerabilities using the China Chopper web shell.
  • While most of the targets are from the U.S., the attack has also been launched against organizations based in Germany, Brazil, Thailand, and the U.K.
  • The gang asks for around $10,000 ransom in Monero to decrypt the encrypted documents.

A brief about Proxyshell

ProxyShell refers to a set of three vulnerabilities that were identified in Microsoft Exchange Servers in August.

A complex attack chain

The attack begins with the use of a downloader module on a server of victims as a standalone executable format and a DLL. The DLL downloader is executed by the Exchange IIS worker process.
  • The attackers have used a modified EfsPotato exploit to target flaws in both Proxyshell and PetitPotam. It runs a PowerShell command that downloads a packed downloader module.
  • Additionally, the PowerShell command runs an AMSI bypass to dodge endpoint protection. The loader then connects to ‘pastebin[.]pl’ to download an unpacker module.
  • Finally, the unpacker module deploys the Babuk ransomware payload inside the memory and injects it into a newly created NET Framework process (AddInProcess32).

Ending notes

Babuk ransomware is actively expanding to new geographical areas and is in use in malicious campaigns by new threat groups such as Tortilla. This indicates the increasing popularity and adoption of this malware. Moreover, there could be more attacks expected in the future involving Babuk. Therefore, organizations should always be ready for ransomware attacks with adequate security measures.

Cyware Publisher

Publisher

Cyware