xHunt Hackers Use New Backdoor to Attack Exchange Servers


xHunt hackers are using a new backdoor to attack Exchange Servers, and the xHunt campaign has also targeted Kuwaiti organizations to compromise their systems. One of the tools used is CASHY200, a PowerShell-based backdoor that communicates with its C2 server over DNS tunneling.

What is CASHY200?

CASHY200 is delivered through malicious Microsoft Office attachments distributed in email phishing campaigns. It then uses Exchange Web Services (EWS) to create drafts in the Deleted Items folder of a compromised email account.

CASHY200 is built on PowerShell scripts associated with the broader xHunt malware campaign.

When the email is opened, an initial script in the attachment executes CASHY200 directly in memory.

If execution succeeds, CASHY200 connects to a command and control server, using a DNS tunnelling channel to bypass basic network monitoring and run commands on the compromised server.

CASHY200 variants are also able to exfiltrate files and install secondary payloads.

Affected platforms

All versions of Microsoft Windows are known to be affected.

CASHY200 C2 domains

windows64x[.]com
winx64-microsoft[.]com
firewallsupports[.]com
windows-updates[.]com

Samples discovered

Word documents were identified delivering PowerShell payloads that used firewallsupports[.]com as a C2 to target government organizations in Kuwait. The threat actors were also observed to have compromised a Microsoft Exchange Server at an organization in Kuwait, which, based on timestamps, is estimated to have happened on or before August 22, 2019.

Despite initially being heavily targeted at shipping, transportation and government organisations in the Middle East, the campaign now appears to be affecting organisations across Europe.

Safety Measures That Can Be Taken


C2 domains such as windows64x[.]com, firewallsupports[.]com, windows-updates[.]com, and winx64-microsoft[.]com can be blocked. All CASHY200 DNS tunnelling channels can be blocked by DNS Security.
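As an added defensive example (not code from the article or from the xHunt research), the script below runs over a constructed resolver log and flags queries that hit the listed C2 domains or carry long, high-entropy subdomain labels of the kind DNS tunnelling produces. The log format and the hex-looking labels are assumptions made for illustration, not captured CASHY200 traffic.

```python
import math
from collections import Counter

# C2 domains listed in the article (defanged there as e.g. windows64x[.]com).
CASHY200_C2_DOMAINS = {"windows64x.com", "winx64-microsoft.com",
                       "firewallsupports.com", "windows-updates.com"}

# Constructed sample resolver log, hypothetical format "<ts> <client> <qtype> <qname>".
# The hex-looking labels are invented to look tunnel-like; they are not real CASHY200 data.
SAMPLE_DNS_LOG = """\
2019-08-22T10:01:02Z 10.0.0.15 A www.microsoft.com
2019-08-22T10:01:05Z 10.0.0.15 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.firewallsupports.com
2019-08-22T10:01:09Z 10.0.0.15 A 3a4b5c6d7e8f9a0b1c2d3e4f50617283.firewallsupports.com
2019-08-22T10:02:00Z 10.0.0.22 A mail.example.com
2019-08-22T10:02:30Z 10.0.0.31 A windows64x.com
"""


def shannon_entropy(text):
    """Bits per character; encoded data packed into a label scores near the maximum."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_known_c2(qname):
    """True if qname is one of the listed C2 domains or a subdomain of one."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in CASHY200_C2_DOMAINS)


def looks_like_tunnel(qname, min_label_len=24, min_entropy=3.0):
    """Flag long, high-entropy subdomain labels, the hallmark of data carried in DNS names."""
    labels = qname.lower().rstrip(".").split(".")
    return any(len(lbl) >= min_label_len and shannon_entropy(lbl) >= min_entropy
               for lbl in labels[:-2])  # skip the registrable domain itself


def analyze_dns_log(log_text):
    """Return (client, qname, reasons) for every query worth an alert."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, _qtype, qname = fields
        reasons = []
        if is_known_c2(qname):
            reasons.append("known CASHY200 C2 domain")
        if looks_like_tunnel(qname):
            reasons.append("tunnel-like subdomain label")
        if reasons:
            alerts.append((client, qname, reasons))
    return alerts
```

Running `analyze_dns_log(SAMPLE_DNS_LOG)` on the constructed log returns three alerts: the two tunnel-like queries to firewallsupports.com and the bare lookup of windows64x.com. Tune the label length and entropy thresholds against your own resolver's baseline before alerting on the second rule alone.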
