Huntress Labs has discovered multiple partners with Exchange servers receiving malicious scheduled tasks that executed a PowerShell downloader from hxxp://p.estonine[.]com/p?e. According to Huntress Labs CEO, Kyle Hanslovan, the server being hosted on Digital Ocean resolves to the IP address 188.166.162[.]201 and it delivers a base64 encoded powershell script.

Kyle Hanslovan, Twitter

This PowerShell script is similar in comparison to a coin miner campaign discovered by Carbon Black in 2019.

Huntress Labs reported their findings to Digital Ocean and the accompanying registrar NameCheap. After this, they discovered a fifth stage in the malware where two Mimikatz DLLs are embedded within the script which get loaded or injected. Huntress has discovered over 200 compromised version of Exchange servers due to the vulnerabilities.

Kyle Hanslovan, Twitter

SpearTip’s experts are closely monitoring this situation as it develops. If you have any questions regarding the Exchange Server vulnerabilities, don’t hesitate to reach out to our Security Operations Center at 833.997.7327.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.