Malware, Vulnerability Management

New cryptomining campaign leveraging ProxyShell bugs

BleepingComputer reports that the Microsoft Exchange ProxyShell flaws are being exploited by a new malware strain, ProxyShellMiner, to deploy cryptominers. According to a Morphisec report, the attacks exploit the ProxyShell vulnerabilities CVE-2021-34523 and CVE-2021-34473 to gain initial network access, then drop a .NET malware payload into the domain controller's NETLOGON folder to ensure the malware executes on every device within the same network. Once activated, ProxyShellMiner runs a chain of embedded code modules and downloads the "DC_DLL" file, from which it uses .NET reflection to extract several arguments and decrypt further files. The report also shows that ProxyShellMiner establishes persistence through a second downloader that creates a scheduled task. A firewall rule then blocks all outgoing traffic, an attempt to evade detection by network defenders and security tools. Immediate patching of the ProxyShell vulnerabilities is urged to prevent infection by the new malware.
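The three behaviours described above (a .NET payload in the NETLOGON share, persistence through a scheduled task, and a firewall rule that blocks all outbound traffic) are each visible from an ordinary domain-joined host. The hunting script below is an added example, not code from SC Media, BleepingComputer or Morphisec. It assumes it is run with domain-admin rights on a Windows host that has the built-in NetSecurity and ScheduledTasks modules; the function names are my own, the path patterns in the scheduled-task check are generic heuristics, and "DC_DLL" is the only campaign-specific name, taken from the report as quoted above.

```powershell
#Requires -Modules NetSecurity, ScheduledTasks
# Added hunting script for the ProxyShellMiner behaviours described in the article.
# Assumption: run as a domain admin on a domain-joined Windows host. Nothing here
# is remediation; each function only reports what it finds for an analyst to triage.

function Find-NetlogonManagedBinaries {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # NETLOGON is replicated to every DC and readable by every domain member, which is
    # why a payload dropped there reaches the whole network. Any managed (.NET) PE file
    # in that share, or anything named like the reported "DC_DLL", deserves a look.
    $share = "\\$Domain\NETLOGON"
    Get-ChildItem -Path $share -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $managed = $false
            try {
                # GetAssemblyName succeeds only for managed assemblies and throws
                # BadImageFormatException for native PE files.
                [void][System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
                $managed = $true
            } catch { }
            [pscustomobject]@{
                Path      = $_.FullName
                Managed   = $managed
                WrittenUtc = $_.LastWriteTimeUtc
                NameMatch = ($_.Name -like 'DC_DLL*')
            }
        } | Where-Object { $_.Managed -or $_.NameMatch }
}

function Find-OutboundBlockRules {
    # The malware adds a firewall rule that blocks all outgoing traffic so that
    # security tooling cannot report home. A blanket outbound block (any remote
    # address, any program) is rare on a production server, so surface those.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name       = $_.DisplayName
                Profile    = $_.Profile
                RemoteAddr = $addr.RemoteAddress
                Program    = $app.Program
                BlocksAll  = ($addr.RemoteAddress -eq 'Any' -and $app.Program -eq 'Any')
            }
        } | Where-Object { $_.BlocksAll }
}

function Find-SuspiciousScheduledTasks {
    # Persistence via a scheduled task created by the second-stage downloader.
    # Heuristic: tasks outside the \Microsoft\ tree whose action launches from a
    # UNC path, a user-writable directory, or the NETLOGON/SYSVOL shares.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                $cmd = "$($action.Execute) $($action.Arguments)".Trim()
                if ($cmd -match '(?i)(^\\\\|\\Users\\|\\ProgramData\\|\\Temp\\|NETLOGON|SYSVOL)') {
                    [pscustomobject]@{
                        Task    = $task.TaskPath + $task.TaskName
                        Author  = $task.Author
                        Command = $cmd
                    }
                }
            }
        }
}

'== Managed binaries or DC_DLL-like names in NETLOGON =='
Find-NetlogonManagedBinaries | Format-Table -AutoSize
'== Enabled rules that block all outbound traffic =='
Find-OutboundBlockRules | Format-Table -AutoSize
'== Non-Microsoft scheduled tasks launching from unusual paths =='
Find-SuspiciousScheduledTasks | Format-Table -AutoSize
```

Run the script on a domain controller first, since that is where the article places the payload, and then on the Exchange server that took the ProxyShell exploitation. Empty output from all three checks is not proof of a clean host; a blanket outbound block rule is simply the loudest of the three signals because it also tends to break legitimate services, so treat any hit as a reason to pull the full task definition and file hashes rather than as a verdict on its own.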
