New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government


An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim’s Microsoft Exchange Server with a “simple yet effective” backdoor dubbed PowerExchange.

According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as the initial access pathway, leading to the execution of a .NET executable contained within a ZIP file attachment.

The binary, which masquerades as a PDF document, functions as a dropper to execute the final payload, which then launches the backdoor.

PowerExchange, written in PowerShell, employs text files attached to emails for command-and-control (C2) communication. It allows the threat actor to run arbitrary payloads, upload files to the compromised system, and download files from it.


The custom implant achieves this by making use of the Exchange Web Services (EWS) API to connect to the victim’s Exchange Server and uses a mailbox on the server to send and receive encoded commands from its operator.

“The Exchange Server is accessible from the internet, saving C2 communication to external servers from the devices in the organizations,” Fortinet researchers said. “It also acts as a proxy for the attacker to mask himself.”

Microsoft Exchange backdoor

That said, it’s currently not known how the threat actor managed to obtain the domain credentials to connect to the target Exchange Server.

Fortinet’s investigation also uncovered Exchange servers that were backdoored with several web shells, one of which is called ExchangeLeech (aka System.Web.ServiceAuthentication.dll), to achieve persistent remote access and steal user credentials.

PowerExchange is suspected to be an upgraded version of TriFive, which was previously used by the Iranian nation-state actor APT34 (aka OilRig) in intrusions targeting government organizations in Kuwait.

Furthermore, communication via internet-facing Exchange servers is a tried-and-tested tactic adopted by the OilRig actors, as observed in the case of Karkoff and MrPerfectionManager.

“Using the victim’s Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization’s infrastructure,” the researchers said.
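The flip side of that blind spot is the server itself: every EWS call the implant makes is written to the Exchange server's IIS log. The following Python hunt is an added example, not code from the article or from Fortinet's report; it groups EWS requests by account and client User-Agent and flags callers that do not look like an interactive mail client. The log lines, account names, IP addresses and the allowlist of client User-Agent prefixes are constructed assumptions.

```python
"""Hunt for scripted EWS mailbox access in Exchange IIS (W3C) logs.
PowerExchange-style C2 rides on EWS calls to a mailbox on the victim's own
Exchange server, so network sensors see only HTTPS to Exchange; the server's
IIS log still records every EWS call. This groups those calls by (account,
client User-Agent) and flags callers that are not an interactive mail client.
"""
from collections import Counter

# Constructed sample log in the real IIS W3C layout; accounts, IPs and UAs
# are made up for this example, not indicators from the Fortinet report.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2023-05-01 08:00:01 POST /EWS/Exchange.asmx CORP\\alice 10.0.0.5 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.16130) 200
2023-05-01 08:00:09 POST /owa/service.svc CORP\\bob 10.0.0.6 Mozilla/5.0+(Windows+NT+10.0)+Chrome/113.0 200
2023-05-01 08:05:00 POST /EWS/Exchange.asmx CORP\\svc-print 10.0.0.77 ExchangeServicesClient/15.00.0913.015 200
2023-05-01 08:10:00 POST /EWS/Exchange.asmx CORP\\svc-print 10.0.0.77 ExchangeServicesClient/15.00.0913.015 200
2023-05-01 08:15:00 POST /EWS/Exchange.asmx CORP\\svc-print 10.0.0.77 ExchangeServicesClient/15.00.0913.015 200
2023-05-01 08:15:30 POST /ews/exchange.asmx CORP\\carol 10.0.0.8 - 200
2023-05-01 08:20:00 POST /EWS/Exchange.asmx CORP\\alice 10.0.0.5 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.16130) 200
"""

# Assumed allowlist of User-Agent prefixes for interactive mail clients;
# baseline it from your own logs before relying on it.
KNOWN_CLIENT_PREFIXES = ("Microsoft Office/", "MacOutlook/", "Outlook-iOS/")


def parse_w3c(text):
    """Yield one dict per log entry, with keys taken from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            # IIS writes spaces inside a field (e.g. the User-Agent) as '+'.
            yield dict(zip(fields, (v.replace("+", " ") for v in line.split(" "))))


def find_scripted_ews_clients(log_text, min_requests=1):
    """Return sorted (account, user_agent, count) for EWS callers outside the allowlist."""
    hits = Counter()
    for rec in parse_w3c(log_text):
        if not rec["cs-uri-stem"].lower().startswith("/ews/exchange.asmx"):
            continue  # only EWS traffic matters for this C2 pattern
        ua = rec["cs(User-Agent)"]
        if not ua.startswith(KNOWN_CLIENT_PREFIXES):
            hits[(rec["cs-username"], ua)] += 1
    return sorted((a, ua, n) for (a, ua), n in hits.items() if n >= min_requests)


if __name__ == "__main__":
    for acct, ua, n in find_scripted_ews_clients(SAMPLE_LOG):
        print(f"{acct}: {n} EWS request(s) from non-interactive client {ua!r}")
```

A hit is a lead, not a verdict: service accounts legitimately use the EWS Managed API, so cross-check flagged accounts against their mailbox contents and the sending host before acting.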


(c) Ravie Lakshmanan
