ProxyShellMiner Campaign Creating Dangerous Backdoors

Security firm Morphisec has identified a highly evasive malware campaign, tracked as ProxyShellMiner, that exploits the ProxyShell vulnerabilities in Microsoft Exchange Server (CVE-2021-34473 and CVE-2021-34523) to deploy cryptocurrency miners inside organizations while leaving behind backdoors that can be used for follow-on attacks such as ransomware.

Morphisec's threat researchers published their analysis of ProxyShellMiner in February 2023. What looked at first glance like a simple mining operation turned out to be abusing legitimate components, including PowerShell and the Exchange backend, to gain and keep a foothold.

To deliver its payloads, the malware relies on the ProxyShell chain: a path-confusion flaw in the Exchange Client Access front end allows an unauthenticated request to be proxied to internal backend endpoints such as the PowerShell remoting service, which the attackers then use to run commands and stage their tooling on the server.

The degree to which ProxyShellMiner evaded endpoint defenses surprised the Morphisec researchers, and the list of its capabilities kept growing as the investigation into its behavior continued. ProxyShellMiner has been found in numerous organizations, including multinational firms.

Beyond the initial Exchange exploit, the campaign carries defense-evasion and privilege-escalation tooling used to keep the miner running and the backdoor alive on the compromised server. The practical lesson is that a cryptocurrency miner found on an Exchange host should be treated as evidence of a broader compromise, with the server's exposure to ProxyShell checked and the backdoor hunted for, rather than as a nuisance to be cleaned up and forgotten.

Source: ProxyShellMiner Campaign Creating Dangerous Backdoors - AlienVault - Open Threat Exchange