ProxyShellMiner is being distributed to Windows endpoints through a very elusive malware operation, according to Morphisec.
As the name implies, ProxyShellMiner compromises an organisation by exploiting the ProxyShell vulnerabilities, CVE-2021-34473 and CVE-2021-34523, in Exchange servers running on Windows to gain initial access and deploy cryptocurrency miners. After successfully compromising and taking control of an Exchange server, the attackers use the domain controller's NETLOGON folder to ensure the miner runs throughout the domain, much as software is distributed through GPO. We discovered that the attackers were utilising four C2 servers. All of the files the malware depends on are hosted on the legitimate but infected mail servers.
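Because the campaign stages its payload in the domain controller's NETLOGON share, a quick defensive check is to inventory that share for recently written executables and scripts and to record their signature status and hashes. The script below is an added example, not code from Morphisec or from the report; the domain name, the 30-day review window and the list of file extensions are assumptions to adjust for your environment.

```powershell
# Added example (not from the Morphisec report): audit the domain NETLOGON share
# for recently written executable/script files, the distribution point the page
# describes. Domain, look-back window and extension list are assumptions.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: audit the current machine's domain
    [int]$LookbackDays = 30                 # assumption: flag files written in the last 30 days
)

$share  = "\\$Domain\NETLOGON"
$cutoff = (Get-Date).AddDays(-$LookbackDays)

# File types that could carry code executed from the share; extend as needed.
$suspectExt = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.msi', '.scr')

if (-not (Test-Path -Path $share)) {
    throw "NETLOGON share not reachable: $share"
}

Get-ChildItem -Path $share -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $suspectExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        # Authenticode status tells you whether the file is vendor-signed, unsigned or tampered.
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path            = $_.FullName
            LastWrite       = $_.LastWriteTime
            RecentlyWritten = ($_.LastWriteTime -gt $cutoff)   # True = inside the review window
            SizeKB          = [math]::Round($_.Length / 1KB, 1)
            Signature       = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256          = $hash
        }
    } |
    Sort-Object -Property LastWrite -Descending |
    Format-Table -AutoSize
```

Unsigned or recently written binaries that no administrator placed in NETLOGON deserve a closer look; compare the SHA256 values against your own software inventory rather than only against public indicator lists.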