Pierluigi Paganini
May 22, 2024
Positive Technologies researchers observed while responding to a customer’s incident spotted an unknown keylogger embedded in the main Microsoft Exchange Server page. The keylogger was used to collect account credentials. Further investigation allowed to identify over 30 victims in multiple countries, most of whom were linked to government agencies. According to the researchers, the malware campaign targeting MS Exchange Server has been active since at least 2021. The researchers can’t attribute this campaign to a specific group, however, they observed that most victims are in Africa and the Middle East.
Some of the countries targeted by this campaign are Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
The threat actors exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) in Microsoft Exchange Server to inject an info stealer. They added keylogger code to the server’s main page by embedding it into the clkLgn() function.
The attackers also added a code that processes the results of the stealer in the logon.aspx file, then the code redirects account credentials in a file accessible from the internet.
“You can check for potential compromise by searching for the stealer code on the main page of your Microsoft Exchange server.” concludes the report from Positive Technologies. “If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers. You can find the path to this file in the logon.aspx file. Make sure you are using the latest version of Microsoft Exchange Server, or install pending updates.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, MS Exchange Server)
