According to Palo Alto Networks’ Unit 42 security team, a threat group tracked as xHunt is responsible for the attack. The group has previously targeted organizations in Kuwait, including a 2018 breach of a government system. A newer intrusion, dated around August 22, 2019, shows the group using new tooling: two previously unseen PowerShell backdoors, one dubbed “TriFive” and the other “Snugy.” “Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account,” say researchers from the Palo Alto team.
How it Happened
Although the attack was discovered last year, researchers still do not know how the group first gained access to the Microsoft Exchange server. The intrusion was reported more than a year after it happened, when the organization noticed suspicious commands being run through the Internet Information Services (IIS) worker process w3wp.exe, which is the process an Exchange web shell executes under. On the server, the team says it “did discover two scheduled tasks created by the threat actor well before the dates of the collected logs, both of which would run malicious PowerShell scripts. We cannot confirm that the actors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had access to the server prior to the logs.” The two scheduled tasks, “ResolutionHosts” and “ResolutionsHosts,” were created in c:\Windows\System32\Tasks\Microsoft\Windows\WDI to persistently run PowerShell scripts every 30 minutes and every five minutes. Both names differ by a single character from ResolutionHost, a legitimate Windows Diagnostic Infrastructure task that lives in that same folder, so they are easy to overlook in a task listing. “The scripts were stored in two separate folders on the system, which is likely an attempt to avoid both backdoors being discovered and removed,” add the researchers.
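The persistence described above leaves artifacts that can be triaged offline: every scheduled task is stored as an XML file under C:\Windows\System32\Tasks, so a responder working from a live system or a mounted disk image can parse those files and flag tasks whose action launches PowerShell, whose trigger repeats at beacon-like intervals, and which sit in a Microsoft-owned folder where no PowerShell tasks belong. The following Python script is an added example written for this article; it is not Unit 42’s code and not a recovered artifact. The three task definitions embedded in it are constructed to mirror the description above (the script paths, command-line switches and the placeholder COM ClassId are hypothetical), and the evasion-switch patterns are the author’s own heuristics.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Task Scheduler XML namespace (fixed by Microsoft's schema, not an assumption).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task files keyed by their on-disk path. The first two mirror
# the article's description (PowerShell actions, 30- and 5-minute repetition,
# stored under the WDI task folder); script locations and switches are hypothetical.
# The third imitates Windows' own WDI\ResolutionHost, which uses a COM-handler
# action rather than Exec (placeholder ClassId) and must NOT be flagged.
SAMPLE_TASKS = {
    r"C:\Windows\System32\Tasks\Microsoft\Windows\WDI\ResolutionHosts": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2019-08-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\WDI\a.ps1</Arguments>
  </Exec></Actions>
</Task>""",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\WDI\ResolutionsHosts": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2019-08-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-nop -w hidden -ep bypass -File C:\Windows\Temp\b.ps1</Arguments>
  </Exec></Actions>
</Task>""",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\WDI\ResolutionHost": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Enabled>true</Enabled></EventTrigger></Triggers>
  <Actions Context="LocalSystem"><ComHandler>
    <ClassId>{00000000-0000-0000-0000-000000000000}</ClassId>
  </ComHandler></Actions>
</Task>""",
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_POWERSHELL = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.I)
# Heuristic (author's own): switches commonly used to hide or bypass policy.
_EVASION = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\b|-w(?:indowstyle)?\s+hidden|-ep?\s+bypass"
    r"|-executionpolicy\s+bypass|-nop(?:rofile)?\b", re.I)
_FILE_ARG = re.compile(r"-file\s+(\S+)", re.I)


def duration_seconds(iso: str) -> Optional[int]:
    """Convert a Task Scheduler ISO-8601 duration (PT30M, P1DT2H) to seconds."""
    m = _DURATION.match(iso.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_task(path: str, xml_data) -> dict:
    """Extract Exec actions and the shortest repetition interval from one task file.
    On-disk task files are UTF-16 XML: read them as bytes and pass the bytes here."""
    root = ET.fromstring(xml_data)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=NS).strip())
               for ex in root.findall("t:Actions/t:Exec", NS)]
    intervals = [duration_seconds(i.text or "")
                 for i in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    parts = re.split(r"[\\/]Tasks[\\/]", path, maxsplit=1)  # name relative to Tasks\
    return {"task": parts[1] if len(parts) == 2 else path, "actions": actions,
            "min_interval": min(intervals) if intervals else None}


def triage_task(task: dict, max_interval: int = 1800) -> Optional[dict]:
    """Return a finding for a task whose action launches PowerShell; None otherwise."""
    reasons, scripts = [], []
    for cmd, args in task["actions"]:
        if not _POWERSHELL.search(cmd):
            continue
        reasons.append("action launches PowerShell")
        if _EVASION.search(args):
            reasons.append("evasion-style switches in arguments")
        m = _FILE_ARG.search(args)
        if m:
            scripts.append(m.group(1))  # where the backdoor script lives
    if not reasons:
        return None  # e.g. the genuine ResolutionHost: COM-handler action, no Exec
    if task["min_interval"] is not None and task["min_interval"] <= max_interval:
        reasons.append(f"repeats every {task['min_interval']}s (beacon-like)")
    if re.match(r"microsoft[\\/]windows[\\/]", task["task"], re.I):
        reasons.append("lives in a Microsoft-owned task folder")
    return {"task": task["task"], "interval": task["min_interval"],
            "scripts": scripts, "reasons": reasons}


def triage_tasks(tasks: dict, max_interval: int = 1800) -> list:
    """Triage a {path: xml} mapping; returns findings sorted by task name."""
    findings = []
    for path, data in tasks.items():
        try:
            f = triage_task(parse_task(path, data), max_interval)
        except ET.ParseError:
            continue  # not a task definition; skip
        if f:
            findings.append(f)
    return sorted(findings, key=lambda f: f["task"])


def scan_tasks_dir(root_dir: str) -> list:
    """Walk a live or mounted ...\\System32\\Tasks tree and triage every file in it."""
    tasks = {}
    for base, _, files in os.walk(root_dir):
        for fn in files:
            full = os.path.join(base, fn)
            with open(full, "rb") as fh:
                tasks[full] = fh.read()  # bytes, so ET honours the UTF-16 declaration
    return triage_tasks(tasks)


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS):
        print(f["task"], f["interval"], f["scripts"], "; ".join(f["reasons"]))
```

Run as-is it reports the two look-alike tasks with their 1800-second and 300-second intervals and the two separate script locations, and stays silent on the genuine ResolutionHost; point scan_tasks_dir at a copied or mounted Tasks directory to triage a real host. The script-path list is the useful output for eradication: the researchers note the two scripts were kept in different folders, so removing one task and its script is not enough.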