xHunt hackers use a new backdoor to attack Exchange servers, and the xHunt campaign has also targeted organisations in Kuwait to compromise their systems. One of the tools used is CASHY200, a PowerShell-based backdoor that communicates with a C2 server over DNS tunnelling.
What is CASHY200?
CASHY200 is delivered through malicious Microsoft Office attachments distributed in e-mail phishing campaigns. It then uses Exchange Web Services (EWS) to create drafts within the Deleted Items folder of a compromised e-mail account.
CASHY200 is built on PowerShell scripts associated with the larger xHunt malware campaign.
When the e-mail is opened, an initial script in the attachment executes CASHY200 directly in memory.
If execution succeeds, CASHY200 connects to a command-and-control server and uses a DNS tunnelling channel to evade basic network monitoring and run commands on the compromised server.
CASHY200 variants also have the ability to exfiltrate files as well as install secondary payloads.
All versions of Microsoft Windows are known to be affected.
CASHY200 C2 domains
windows64x[.]com
winx64-microsoft[.]com
firewallsupports[.]com
windows-updates[.]com
Samples discovered
It was identified that Word documents were used to deliver PowerShell payloads using firewallsupports[.]com as a C2 to target government organisations in Kuwait. It was also observed that the threat actors compromised a Microsoft Exchange Server at an organisation in Kuwait, which, based on timestamps, is estimated to have happened on or before August 22, 2019.
Despite initially being heavily targeted at shipping, transportation and government organisations in the Middle East, the campaign now appears to be impacting organisations throughout Europe.
Safety measures that can be taken
C2 domains such as windows64x[.]com, firewallsupports[.]com, windows-updates[.]com, and winx64-microsoft[.]com can be blocked. All CASHY200 tunnelling traffic can be blocked by DNS Security.
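As an added example (not code from the article or from any vendor product), the following Python script shows one way a defender could hunt for the behaviour described above in resolver logs: it flags queries to the four C2 domains named in the article and, as a broader heuristic, queries whose leading label is unusually long or high-entropy, as DNS-tunnelling traffic tends to be. The log format, the thresholds and the sample log lines are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# C2 domains named in the article, with the defanged dots restored for matching.
CASHY200_C2_DOMAINS = {"windows64x.com", "winx64-microsoft.com",
                       "firewallsupports.com", "windows-updates.com"}
# Tunnelling heuristics: long or high-entropy leading labels (assumed thresholds, tune per network).
MAX_LABEL_LEN = 40
MIN_LABEL_ENTROPY = 3.5
# Simplified resolver-log format assumed for this example: "<ts> <src_ip> query: <qname> <qtype>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$")

def shannon_entropy(s):
    # Bits of entropy per character; 0.0 for an empty or single-symbol string.
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_domain(qname):
    # Last two labels of the query name, e.g. "x.y.windows64x.com" -> "windows64x.com".
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def classify_query(qname):
    # 'c2' for a known CASHY200 domain, 'suspicious-tunnel' for tunnelling-like labels, else 'benign'.
    if parent_domain(qname) in CASHY200_C2_DOMAINS:
        return "c2"
    leading = qname.rstrip(".").split(".")[0]
    if len(leading) > MAX_LABEL_LEN or shannon_entropy(leading) > MIN_LABEL_ENTROPY:
        return "suspicious-tunnel"
    return "benign"

def scan_dns_log(lines):
    # Return (timestamp, source_ip, qname, verdict) for every non-benign query.
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and (verdict := classify_query(m["qname"])) != "benign":
            findings.append((m["ts"], m["src"], m["qname"], verdict))
    return findings

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2019-08-22T10:15:03Z 10.0.0.5 query: www.microsoft.com A",
    "2019-08-22T10:15:09Z 10.0.0.5 query: 4f9a2b7c1e8d3f6a0b5c9d2e7f1a4b8c.firewallsupports.com TXT",
    "2019-08-22T10:15:12Z 10.0.0.7 query: 4f9a2b7c1e8d3f6a0b5c9d2e7f1a4b8c.example.net TXT",
    "2019-08-22T10:15:20Z 10.0.0.9 query: mail.example.org MX",
]
```

Running `scan_dns_log(SAMPLE_LOG)` returns the second line as `c2` and the third as `suspicious-tunnel`; the entropy heuristic will also fire on legitimate CDN and anti-spam lookups, so treat it as a hunting lead rather than a blocking rule.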