The emergence of several zero-day exploits relating to ProxyLogon, a Microsoft Exchange Server vulnerability that was discovered in late 2020, has allowed several threat actors to carry out attacks against unpatched systems. Three malware families taking advantage of the ProxyLogon vulnerability beginning in March: the coinminer LemonDuck was sighted first, quickly followed by the ransomware BlackKingdom, then the Prometei botnet.
Leveraging the ProxyLogon vulnerability allowed the threat actors behind BlackKingdom, Prometei, and LemonDuck to execute Chopper web shells (detected as Backdoor.JS.CHOPPER.SMYCBCD and Trojan.ASP.CVE202126855.SM), which then led to the deployment of the final payload in their respective infections. The China Chopper web shell, which was first discovered in 2012, continues to be widely used by threat actors in their campaigns to gain remote access to a targeted system.
It’s recently been found in many ransomware families, such as Hello ransomware.
Once they have compromised a system, these can start deploying malicious activities, such as dropping ExchDefender.exe, a binary file seen in BlackKingdom and Prometei cases, or using a WMI modifier that leads to a LemonDuck infection.
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.