An unnamed government entity linked to the United Arab Emirates (UAE) was targeted by a possible Iranian threat actor who penetrated the victim’s Microsoft Exchange Server with a “simple but effective” backdoor dubbed PowerExchange.
According to a new report from Fortinet FortiGuard Labs, the compromise relied on a phishing email as the initial access point, leading to the execution of a .NET executable delivered inside a ZIP file attachment.
The binary, masquerading as a PDF document, serves as a dropper to execute the final payload, which then launches a backdoor.
PowerExchange, written in PowerShell, uses text files attached to emails for command-and-control (C2) communication. This allows threat actors to execute arbitrary payloads and upload and download files to and from the system.
The custom implant achieves this by leveraging the Exchange Web Services (EWS) API to connect to the victim’s Exchange Server and using a mailbox on that server to send and receive encoded commands from the operator.
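One defensive check this suggests is hunting for EWS endpoint access from scripting clients rather than mail clients. The script below is an added example and not part of the Fortinet report: it assumes Exchange’s IIS front end writes W3C logs with the field order shown, uses constructed sample lines, and treats a User-Agent containing a scripting-tool marker (e.g. WindowsPowerShell) as a heuristic worth reviewing, not as proof of compromise.

```python
from collections import Counter

# Constructed sample W3C IIS lines (not from the incident). Field order assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2023-05-30 09:01:12 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\alice 10.0.1.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0) 200
2023-05-30 09:01:45 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\svc-backup 10.0.3.77 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.19041.2673 200
2023-05-30 09:02:03 10.0.0.5 GET /owa/ - 443 CORP\\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0)+Chrome/113 200
2023-05-30 09:02:30 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\svc-backup 10.0.3.77 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.19041.2673 200
2023-05-30 09:03:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\carol 10.0.1.22 ExchangeServicesClient/15.00.0913.015 200
"""

EWS_PATH = "/ews/exchange.asmx"
# Heuristic markers for script-driven HTTP clients (an assumption, not an exhaustive list).
SCRIPT_UA_MARKERS = ("powershell", "python-requests", "curl/", "go-http-client")


def parse_line(line):
    """Split one W3C log line into the fields we need; return None on a malformed line."""
    parts = line.split()
    if len(parts) != 11:
        return None
    return {
        "method": parts[3],
        "path": parts[4],
        "user": parts[7],
        "client": parts[8],
        "ua": parts[9].replace("+", " "),  # IIS encodes spaces in the UA as '+'
        "status": parts[10],
    }


def find_scripted_ews_access(log_text):
    """Return {(username, client_ip): request_count} for EWS requests with a script-like User-Agent."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != EWS_PATH:
            continue  # skip malformed lines and non-EWS traffic such as /owa/
        if any(marker in rec["ua"].lower() for marker in SCRIPT_UA_MARKERS):
            hits[(rec["user"], rec["client"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (user, ip), count in find_scripted_ews_access(SAMPLE_LOG).items():
        print(f"review: {user} from {ip} hit EWS {count}x with a scripting User-Agent")
```

Legitimate automation also talks to EWS from scripts, so each hit should be compared against the account’s expected role before any response action.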
“Exchange servers can be accessed from the internet, saving C2 communications to external servers from devices in the organization,” Fortinet researchers said. “It also acts as a proxy for the attacker to cover himself.”
However, it is currently unknown how the threat actor managed to obtain domain credentials to connect to the target Exchange Server.
Fortinet’s investigation also uncovered backdoored Exchange servers with multiple web shells, one of which was named ExchangeLeech (aka System.Web.ServiceAuthentication.dll), to achieve persistent remote access and steal user credentials.
PowerExchange is allegedly an upgraded version of TriFive, previously used by the Iranian state-sponsored actor APT34 (aka OilRig) in an intrusion targeting government organizations in Kuwait.
Additionally, communication via an internet-facing Exchange server is a tried and tested tactic adopted by the OilRig actor, as observed in the cases of Karkoff and MrPerfectionManager.
“Using the victim’s Exchange server for the C2 channel allows backdoors to blend in with non-malicious traffic, thereby ensuring that threat actors can easily circumvent virtually any network-based detection and remediation within and outside of the target organization’s infrastructure,” the researchers said.