Microsoft and Ukraine's CERT have identified targeted attacks against the defense industry and Microsoft Exchange servers by the Russian state-sponsored hacking group known as Turla. The attacks use a new malware backdoor called 'DeliveryCheck', a .NET backdoor that can execute second-stage payloads.
What makes DeliveryCheck stand out is its Microsoft Exchange Server-side component, which turns the server into a command-and-control center for the threat actors. Microsoft has confirmed this component is installed using Desired State Configuration (DSC), a PowerShell module that lets admins define a standardized server configuration and apply it across devices.
The threat actors use DSC to automatically load a base64-encoded Windows executable that converts the legitimate Exchange Server into a malware-distribution server.
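Because DSC is a legitimate administration feature, the abuse described above leaves its traces in ordinary DSC artifacts rather than in anything obviously malicious. The following PowerShell script is an added defensive example, not code from the article or from Microsoft or CERT-UA: it audits the local DSC configuration store (assumed to be the standard `%SystemRoot%\System32\Configuration` path) for configuration documents that contain a DSC Script resource and a long base64 run that decodes to a PE (MZ) image, and then lists recent entries from the DSC operational log for correlation. The 200-character base64 threshold, the assumption that the payload is embedded directly in the MOF rather than in a separate script, and the `-MaxEvents 50` window are choices made for this example.

```powershell
# Added example: hunt for DSC configuration documents that embed a
# base64-encoded Windows executable, the loading pattern described above.
# Run from an elevated PowerShell session on the Exchange server.

# Assumption: DSC stores Current/Pending/Previous configuration MOFs here.
$dscStore = Join-Path $env:SystemRoot 'System32\Configuration'
$mofFiles = Get-ChildItem -Path $dscStore -Filter '*.mof' -ErrorAction SilentlyContinue

# Long runs of base64 characters; 200 is an assumed threshold to skip short values.
$b64Pattern = '[A-Za-z0-9+/]{200,}={0,2}'

function Test-LooksLikeExe {
    # Returns $true when the base64 text decodes to bytes starting with the 'MZ' DOS header.
    param([string]$Base64)
    try {
        $bytes = [Convert]::FromBase64String($Base64)
    } catch {
        return $false
    }
    return ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
}

$findings = foreach ($mof in $mofFiles) {
    $text = Get-Content -Path $mof.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { continue }

    # The built-in Script resource compiles to MSFT_ScriptResource instances whose
    # GetScript/SetScript/TestScript properties carry arbitrary PowerShell.
    $hasScriptResource = $text -match 'instance of MSFT_ScriptResource'

    $blobs = [regex]::Matches($text, $b64Pattern) | ForEach-Object { $_.Value }
    foreach ($blob in $blobs) {
        if (Test-LooksLikeExe $blob) {
            [pscustomobject]@{
                File           = $mof.FullName
                ScriptResource = $hasScriptResource
                Base64Length   = $blob.Length
                Reason         = 'base64 run decodes to a PE (MZ) image'
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No embedded PE images found in $dscStore"
}

# Correlate with the DSC operational log: consistency runs that applied a
# configuration are recorded here, with timestamps to line up against the MOFs.
Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

A payload that is staged in a separate file and only referenced from the Script resource will not match the base64 check, so any MOF flagged with `ScriptResource = True` deserves a manual read of its `SetScript` block regardless of whether a blob was found.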
According to Microsoft Threat Intelligence, DeliveryCheck is delivered through phishing emails carrying Excel documents with malicious macros. Once the macros run, Exchange servers can be compromised and used to deploy further commands or additional malware.