A recent report from Fortinet FortiGuard Labs has revealed that a likely Iranian threat actor has targeted an unnamed government entity associated with the United Arab Emirates (U.A.E.). The attack used email phishing to gain initial access, then deployed a .NET executable contained within a ZIP file attachment. This binary acted as a dropper to execute the final payload, which then launched a backdoor called PowerExchange. Written in PowerShell, PowerExchange uses text files attached to emails for command-and-control (C2) communication, allowing the threat actor to run arbitrary payloads and upload and download files to and from the system. It utilizes the Exchange Web Services (EWS) API to connect to the victim’s Exchange Server, and uses a mailbox on the server to send and receive encoded commands from its operator.
PowerExchange is suspected to be an upgraded version of TriFive, previously used by the Iranian nation-state actor APT34 (also known as OilRig). It is believed that the threat actor obtained domain credentials to connect to the target Exchange Server, and also backdoored the Exchange servers with several web shells, one of which is called ExchangeLeech (also known as System.Web.ServiceAuthentication.dll). By using the victim’s Exchange server as the C2 channel, the threat actor blends in with benign mail traffic, which makes the activity difficult to detect and remediate.
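Because PowerExchange talks to the server over EWS, one place a defender can look is the Exchange IIS log for EWS requests from clients the organisation does not expect. The script below is an added example, not part of the Fortinet report or this post; the log lines, the W3C field order and the allowlisted user-agent prefixes are constructed assumptions for illustration.

```python
"""Flag Exchange Web Services (EWS) requests from clients that are not on an
allowlist, reading IIS W3C-format logs. Defender-side example, not from the report."""
from collections import Counter

# Assumption: Exchange IIS logs in W3C format with this field order.
# The sample below is constructed, not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs(User-Agent) sc-status
2023-05-24 08:01:12 10.0.0.15 CORP\\alice POST /EWS/Exchange.asmx Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.16130) 200
2023-05-24 08:01:40 10.0.0.22 CORP\\bob POST /EWS/Exchange.asmx Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.16130) 200
2023-05-24 08:02:05 10.0.0.99 CORP\\svc-backup POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
2023-05-24 08:02:06 10.0.0.99 CORP\\svc-backup POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
2023-05-24 08:03:00 10.0.0.31 CORP\\carol GET /owa/ Mozilla/5.0+(Windows+NT+10.0)+Chrome/113.0 200
"""

# Assumption: user-agent prefixes this organisation expects to see on its EWS endpoint.
ALLOWED_EWS_AGENTS = ("Microsoft Office/", "Microsoft Outlook/", "Outlook-iOS/")


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        row = dict(zip(fields, values))
        row["cs(User-Agent)"] = row["cs(User-Agent)"].replace("+", " ")  # IIS writes spaces as '+'
        yield row


def suspicious_ews_clients(text, allowed=ALLOWED_EWS_AGENTS):
    """Return {(user, client_ip, user_agent): request_count} for EWS hits from unexpected clients."""
    hits = Counter()
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().startswith("/ews/"):
            continue
        agent = row["cs(User-Agent)"]
        if not agent.startswith(allowed):
            hits[(row["cs-username"], row["c-ip"], agent)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (user, ip, agent), n in suspicious_ews_clients(SAMPLE_LOG).items():
        print(f"{n:4d} EWS requests  user={user} ip={ip} agent={agent!r}")
```

A hit is a starting point for triage, not a verdict: confirm what the account and host are, and pair this with mailbox rules and attachment review before concluding anything.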
Source: Hackernews
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try yourself using check.website.