xHunt Campaign Distributing Two New PowerShell Backdoors

Recently, a threat actor has been observed updating its toolset with incremental new features and new communication channels to avoid detection. Known as xHunt, the group has continued to attack Kuwaiti organizations by targeting Microsoft Exchange servers.

The recent discovery

In the recent xHunt campaign, Palo Alto's Unit 42 research team uncovered two never-before-seen PowerShell backdoors on the Microsoft Exchange server of a government organization in Kuwait.
  • For C2 communications, the threat actors used an email-based channel, relying on draft messages in the Deleted Items folder of a compromised email account, as well as a covert channel in the form of DNS tunneling.
  • The xHunt actors used two scheduled tasks, named ResolutionHosts and ResolutionsHosts, to persistently run the malicious PowerShell-based backdoors, named TriFive and Snugy (a variant of CASHY200).
  • The creation of these scheduled tasks dates back to August 2019, indicating that the hackers already had access to the compromised Exchange server at the targeted organization by then.
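A defender hunting for the persistence mechanism described above would start with the scheduled-task inventory of the Exchange server. The following triage script is an added example, not code from the article or from Unit 42; it assumes input in the shape of `schtasks /query /v /fo CSV` output (only the `TaskName` and `Task To Run` columns are used), and the sample rows are constructed for illustration.

```python
import csv
import io
import re

# Scheduled-task names reported in the xHunt campaign (taken from the article).
XHUNT_TASK_NAMES = {"ResolutionHosts", "ResolutionsHosts"}
# A task action that launches PowerShell is worth a look on an Exchange server.
POWERSHELL_RE = re.compile(r"\b(powershell(\.exe)?|pwsh(\.exe)?)\b", re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed sample in the shape of `schtasks /query /v /fo CSV` output
# (assumption: only a subset of the real columns is shown here).
SAMPLE_CSV = """\
"HostName","TaskName","Status","Author","Task To Run"
"EXCH01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -k -g"
"EXCH01","\\ResolutionHosts","Ready","EXCH01\\admin","powershell.exe -ep bypass -w hidden -f C:\\Windows\\Temp\\rh.ps1"
"EXCH01","\\ResolutionsHosts","Running","EXCH01\\admin","powershell -nop -w hidden -c IEX ..."
"EXCH01","\\Backup\\NightlyCopy","Ready","EXCH01\\backup","robocopy.exe D:\\data E:\\bk /MIR"
"""


def find_suspicious_tasks(csv_text):
    """Return a list of (task_leaf_name, reasons) for tasks worth investigating.

    A task is flagged when its leaf name matches one of the xHunt task names,
    or when its action launches PowerShell; a hidden window adds a second reason.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # TaskName is a path such as \Microsoft\Windows\...\Name; keep the leaf.
        leaf = row.get("TaskName", "").rsplit("\\", 1)[-1]
        action = row.get("Task To Run", "")
        reasons = []
        if leaf in XHUNT_TASK_NAMES:
            reasons.append("task name matches xHunt indicator")
        if POWERSHELL_RE.search(action):
            reasons.append("action launches PowerShell")
            if HIDDEN_WINDOW_RE.search(action):
                reasons.append("hidden window requested")
        if reasons:
            findings.append((leaf, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_tasks(SAMPLE_CSV):
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, feed the script the actual `schtasks /query /v /fo CSV` output and treat any hit as a lead to review the task's author, creation time and script path, not as a verdict by itself.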

Recent attacks on Microsoft Exchange

Recently, a vulnerability (CVE-2020-0688) in the control panel of Microsoft Exchange mail and calendaring servers has attracted several attacks against unpatched servers.
  • In the last month, the Iranian APT group MuddyWater was seen exploiting the vulnerability on unpatched Microsoft Exchange email servers to deploy PowGoop malware.
  • In September, hackers affiliated with the Chinese Ministry of State Security (MSS) were seen attacking U.S. organizations by exploiting vulnerabilities in publicly exposed edge systems.

Conclusion

The evolution of the xHunt campaign against Microsoft Exchange servers demonstrates the group's strategic approach. To protect against such unexpected threats, organizations and users should take proactive measures such as closing existing security gaps, including unpatched servers.