Exploiting Microsoft Exchange OWA via VIEWSTATE Deserialization
A Technical Analysis of Remote Code Execution in Exchange Server
Low-level and reverse engineering fun blogs!
The analyzed malware, identified as msedge_proxy.exe, is a sophisticated, multi-stage threat targeting Windows systems. It is designed for stealthy infiltration, persistent access, and sensitive data exfiltration, with a strong focus on harvesting stored browser credentials. The malware operates through four coordinated components, using an encrypted configuration file (index.dat), modular plugins, and adaptive persistence techniques to maintain long-term access to compromised hosts.
Shellcode is a set of assembly instructions that malware often uses to perform tasks on the infected machine. While analyzing PowerShell Operational event logs, I came across an event with event ID 4104 (0x1008) in which an encoded PowerShell command of a dubious nature was executed.
A webshell is a dangerous tool in the hands of a threat actor, as it can be used to carry out a range of malicious tasks on an infected machine. In this article, I focus on a webshell that contains an XOR-encrypted payload with an unknown key.
“srvnet2.sys” is a rootkit that enumerates user-mode processes and injects shellcode into one of them. While enumerating, the rootkit checks each process name against a blacklist embedded in the driver: if the name matches an entry in the list, the process is skipped; once a process whose name is not blacklisted is found, the shellcode is injected into it.
The “tmp.txt” file is an ELF binary, the executable format commonly used on Unix-like systems. The binary establishes a TCP connection to an attacker-controlled machine, creating a communication channel between the compromised system and the attacker. Through this channel the attacker obtains Remote Code Execution (RCE) on the host. It is worth noting that this binary is a custom-built beacon with a customized Malleable C2 profile from Cobalt Strike.
The VBScript “ff.vbs” contains two obfuscated PowerShell scripts that decode further scripts and binaries as staging, which the attacker runs on the victim machine. In Figure 1, the script “ff.vbs” is executed first. It decodes a PowerShell script, “first.ps1”. When “first.ps1” is executed, it decodes and executes another PowerShell script, “second.ps1”, which in turn decodes and executes the .NET binary.