New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government

An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim’s Microsoft Exchange Server with a “simple yet effective” backdoor dubbed PowerExchange.

According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as an initial access pathway, leading to the execution of a .NET executable contained with a ZIP file attachment.

The binary, which masquerades as a PDF document, functions as a dropper to execute the final payload, which then launches the backdoor.

PowerExchange, written in PowerShell, employs text files attached to emails for command-and-control (C2) communication. It allows the threat actor to run arbitrary payloads and upload and download files from and to the system.

The custom implant achieves this by making use of the Exchange Web Services (EWS) API to connect to the victim’s Exchange Server and uses a mailbox on the server to send and receive encoded commands from its operator.

“The Exchange Server is accessible from the internet, saving C2 communication to external servers from the devices in the organizations,” Fortinet researchers said. “It also acts as a proxy for the attacker to mask himself.”

That said, it’s currently not known how the threat actor managed to obtain the domain credentials to connect to the target Exchange Server.

Fortinet’s investigation also uncovered Exchange servers that were backdoored with several web shells, one of which is called ExchangeLeech (aka System.Web.ServiceAuthentication.dll), to achieve persistent remote access and steal user credentials.

PowerExchange is suspected to be an upgraded version of TriFive, which was previously used by the Iranian nation-stage actor APT34 (aka OilRig) in intrusions targeting government organizations in Kuwait.

Furthermore, communication via internet-facing Exchange servers is a tried-and-tested tactic adopted by the OilRig actors, as observed in the case of Karkoff and MrPerfectionManager.

“Using the victim’s Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization’s infrastructure,” the researchers said.

Leave a Comment Cancel Reply

London, GB

10:45 am, Mar 13, 2025

5°C

L: 4° | H: 5°

Feels like 2°C° broken clouds

Humidity: 84 %

Pressure: 1004 mb

Wind: 8 mph NNW

Wind Gust: 0 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 75%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 6:19 am

Sunset: 6:01 pm

DailyHourly

Daily ForecastHourly Forecast

Today 9:00 pm

4° | 5°°C 0.99 mm 99% 8 mph 84 % 1007 mb 0 mm/h

Tomorrow 9:00 pm

1° | 7°°C 1 mm 100% 8 mph 93 % 1016 mb 0 mm/h

Sat Mar 15 9:00 pm

1° | 8°°C 0 mm 0% 12 mph 87 % 1026 mb 0 mm/h

Sun Mar 16 9:00 pm

1° | 10°°C 0 mm 0% 10 mph 75 % 1030 mb 0 mm/h

Mon Mar 17 9:00 pm

4° | 8°°C 0 mm 0% 7 mph 85 % 1030 mb 0 mm/h

Today 12:00 pm

5° | 5°°C 0.87 mm 87% 8 mph 84 % 1004 mb 0 mm/h

Today 3:00 pm

5° | 6°°C 0.26 mm 26% 5 mph 77 % 1004 mb 0 mm/h

Today 6:00 pm

5° | 5°°C 0.99 mm 99% 4 mph 76 % 1005 mb 0 mm/h

Today 9:00 pm

3° | 3°°C 0 mm 0% 4 mph 82 % 1007 mb 0 mm/h

Tomorrow 12:00 am

2° | 2°°C 0 mm 0% 3 mph 85 % 1007 mb 0 mm/h

Tomorrow 3:00 am

2° | 2°°C 0 mm 0% 3 mph 90 % 1007 mb 0 mm/h

Tomorrow 6:00 am

1° | 1°°C 0 mm 0% 3 mph 93 % 1008 mb 0 mm/h

Tomorrow 9:00 am

3° | 3°°C 0 mm 0% 4 mph 79 % 1010 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€76,400.49	1.10%
Ethereum(ETH)	€1,738.99	0.06%
Tether(USDT)	€0.92	0.01%
XRP(XRP)	€2.08	3.28%
Solana(SOL)	€116.45	2.46%
USDC(USDC)	€0.92	0.00%
Dogecoin(DOGE)	€0.157032	3.08%
Shiba Inu(SHIB)	€0.000011	0.97%
Pepe(PEPE)	€0.000006	16.04%

New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government

Share:

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us