New Phishing Attack Distributes Malware through Microsoft Exchange Servers 

Microsoft and the Ukraine CERT have identified targeted attacks against the defense industry and Microsoft Exchange servers by a Russian state-sponsored hacking group known as Turla. The attacks leverage a new malware backdoor called ‘DeliveryCheck,’ a .NET backdoor which can execute second-stage payloads.

What makes DeliveryCheck stand out is its Microsoft Exchange Server-side component. The malware turns the server into a command and control center for the threat actors. Microsoft has confirmed this component is installed using Desired State Configuration (DSC), a PowerShell module that enables admins to create a standardized server configuration and apply it across devices.

The threat actors use DSC to automatically load a base64-encoded Windows executable which converts the legitimate Exchange Server into a malware-distribution server.

Microsoft has identified targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard (KRYPTON, UAC-0003) leveraging DeliveryCheck, a novel .NET backdoor used to deliver a variety of second stage payloads. https://t.co/mWoyzOoydF

— Microsoft Threat Intelligence (@MsftSecIntel) July 19, 2023

According to Microsoft Threat Intelligence, the DeliveryCheck attack is distributed by a phishing email as Excel documents with malicious macros. When activated, Exchange Servers can be compromised and used to deploy further commands or additional malware.

Read the full story here.