Exploitation Tactics
ProxyShell Exploitation
Department 40 conducted extensive ProxyShell exploitation campaigns targeting Microsoft Exchange servers worldwide.
Campaign Scale
Documented targeting across multiple countries:
- India: 52+ targets exploited
- Greece: 34+ Exchange servers compromised
- Belgium: 31+ targets attacked
- Canada: Multiple targets identified
- Egypt: Various entities compromised
Exploitation Process
- Target Identification: Scanning for vulnerable Exchange servers
- Vulnerability Exploitation: Using CVE-2024-1709 and ProxyShell vulnerabilities
- Initial Access: Gaining authentication bypass
- Webshell Deployment: Installing persistent access mechanisms
- Credential Harvesting: Extracting user credentials and domain information
Target Selection
ProxyShell campaigns targeted:
- Corporate email infrastructure
- Government Exchange servers
- Financial institution mail servers
- Professional services organizations
- Healthcare entities
Webshell Deployment
Multiple webshell variants employed:
Webshell Types
- ASP Webshells: webshell.asp, m0s.asp, file.asp; custom variants for Exchange OWA paths
- Deployment Locations: /owa/auth/OutlookOU.aspx, /owa/auth/webclient.aspx; custom Exchange authentication paths
- Capabilities:
  - File upload and download
  - Command execution
  - Credential harvesting
  - Network reconnaissance
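As an added defensive example (not code from the leak or from this page), the following Python scans IIS W3C log lines, constructed here, for requests to the webshell paths and filenames listed above and for any other unexpected script under /owa/auth/. The allowlist of legitimate OWA auth pages is an assumption and should be built from a clean Exchange baseline.

```python
# Added example (not Department 40 tooling): flag IIS requests that hit the
# OWA webshell paths/filenames named on this page.  Log lines are constructed
# W3C samples; LEGIT_OWA_AUTH is an assumption taken from a clean baseline.
from urllib.parse import unquote

KNOWN_WEBSHELL_PATHS = {"/owa/auth/outlookou.aspx", "/owa/auth/webclient.aspx"}
KNOWN_WEBSHELL_NAMES = {"webshell.asp", "m0s.asp", "file.asp"}
LEGIT_OWA_AUTH = {"/owa/auth/logon.aspx"}  # assumption: extend from baseline

SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-05-14 03:12:07 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2022-05-14 03:12:41 10.0.0.5 POST /owa/auth/OutlookOU.aspx - 443 - 198.51.100.7 python-requests/2.27.1 200
2022-05-14 03:13:02 10.0.0.5 POST /owa/auth/webclient.aspx - 443 - 198.51.100.7 python-requests/2.27.1 200
2022-05-14 03:14:19 10.0.0.5 GET /aspnet_client/m0s.asp - 443 - 198.51.100.7 curl/7.79.1 200
2022-05-14 03:15:00 10.0.0.5 GET /owa/auth/15.1.2375/themes/resources/logo.png - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or garbled lines
                yield dict(zip(fields, values))


def classify_request(rec):
    """Return a reason string if the request looks like webshell traffic, else None."""
    path = unquote(rec["cs-uri-stem"]).lower()
    name = path.rsplit("/", 1)[-1]
    if path in KNOWN_WEBSHELL_PATHS:
        return "known webshell path"
    if name in KNOWN_WEBSHELL_NAMES:
        return "known webshell filename"
    if (path.startswith("/owa/auth/") and name.endswith((".asp", ".aspx"))
            and path not in LEGIT_OWA_AUTH):
        return "unexpected script under /owa/auth/"
    return None


def find_webshell_hits(text):
    """Return (client ip, method, uri, reason) for every suspicious request."""
    hits = []
    for rec in parse_iis_w3c(text):
        reason = classify_request(rec)
        if reason:
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], reason))
    return hits
```

Run it against real logs by replacing SAMPLE_IIS_LOG with the contents of the Exchange front-end IIS log; a hit on a script that is not in the baseline is worth a file-system check of the OWA auth directory.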
Python Framework
Custom Python-based webshell management framework:
- Command Interface: Python scripts for attacker-side command management
- Remote Execution: RCE capabilities (rce5.py, RCE4.py)
- Connection Management: connect.py for session handling
- Centralized Control: Framework for managing multiple compromised hosts
BellaCiao Malware
Department 40 developed and deployed the BellaCiao malware family, publicly analyzed by Bitdefender.
Variant 1: C# Webshell Dropper
Technical Details:
- .NET-based dropper service
- Disguised as legitimate Windows services:
  - “Exchange Agent Diagnostic Services”
  - “Microsoft Monitoring Exchange Services”
  - “Microsoft Agent Services”
  - “WinUpdateService”
- Drops C# webshell on target systems
- File upload functionality
- File download capabilities
- Command execution interface
- Persistence through service installation
- Turkish Foreign Ministry attack documented
- Multiple webshell deployments
- Sustained access operations
Variant 2: PowerShell Reverse Proxy
Technical Details:
- PowerShell-based implementation
- Uses Plink (PuTTY suite) for reverse proxy
- Customized PowerShell webserver based on publicly available code
- Reference: Modified version of Start-Webserver.ps1 from the venom framework
- iis.ps1: PowerShell webserver script
- iis.txt: Configuration and logs
- Plink integration for tunneling
- Reverse proxy establishment
- Network tunneling
- Command and control communications
- Bypassing network restrictions
TAGHEB System
Internal documents reference the “TAGHEB system” for Windows infection and access:
- Designed for Windows operating system targeting
- Access and persistence mechanisms
- Details contained in leaked operational documents
Social Engineering Operations
AMEEN ALKHALIJ Recruitment Campaign
Sophisticated social engineering operation targeting UAE security personnel.
Campaign Design
Target Audience: Former government and security employees from the United Arab Emirates
Operational Method:
- Established fake recruitment website: ameen-alkhalij.nu
- Posed as legitimate employment opportunity
- Collected credentials and personal information
- Gathered intelligence on UAE security personnel
Infrastructure
Server Logs Available: Complete access logs from the ameen-alkhalij.nu server showing:
- Visitor IP addresses
- Access timestamps
- User agent information
- Attack reconnaissance activities
Objectives
- Credential Harvesting: Collecting login credentials from targets
- Intelligence Gathering: Profiling former UAE security personnel
- Network Mapping: Identifying connections and relationships
- Operational Preparation: Building target database for future operations
Technical Capabilities
Credential Harvesting
Multiple methods employed:
- Webshell Access: Extracting credentials from compromised systems
- Phishing Operations: Social engineering for credential collection
- Domain Enumeration: Active Directory user discovery
- Password Extraction: From memory and stored credentials
DNS Beaconing
Command and control communications via DNS:
- Covert C2 channel establishment
- Data exfiltration through DNS queries
- Avoiding traditional network monitoring
- Maintaining persistent communications
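As an added detection example that is not code from the page or the leak, the following Python scores constructed DNS resolver log lines for the two signals described above: never-repeating, high-entropy subdomains (data carried in query labels) and near-constant query intervals (beaconing). Taking the parent domain as the last two labels and every threshold used are assumptions.

```python
# Added example (not from the leak or this page): score a DNS query log for
# the exfiltration/beaconing patterns described above.  Log lines are
# constructed (timestamp client qname); all thresholds are assumptions.
import math
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_DNS_LOG = """2022-06-02T09:00:00 10.1.1.20 www.microsoft.com
2022-06-02T09:00:05 10.1.1.20 outlook.office365.com
2022-06-02T09:01:00 10.1.1.34 5a3f9c1e2b7d4.example-c2.invalid
2022-06-02T09:02:00 10.1.1.34 8e1d0a7b44c92.example-c2.invalid
2022-06-02T09:03:00 10.1.1.34 b9f3e6a12d05c.example-c2.invalid
2022-06-02T09:04:00 10.1.1.34 0c7a5d2ef81b3.example-c2.invalid
2022-06-02T09:04:30 10.1.1.20 www.microsoft.com
"""


def shannon_entropy(s):
    """Bits per character: encoded data scores high, dictionary words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def parse_dns_log(text):
    """Yield (timestamp, client, parent_domain, subdomain) per query line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        labels = parts[2].lower().rstrip(".").split(".")
        yield datetime.fromisoformat(parts[0]), parts[1], ".".join(labels[-2:]), ".".join(labels[:-2])


def score_dns_groups(text, min_queries=4, min_entropy=3.0, max_jitter=0.2):
    """Map (client, parent_domain) -> reasons for groups that look like C2 over DNS."""
    groups = defaultdict(list)
    for ts, client, parent, sub in parse_dns_log(text):
        groups[(client, parent)].append((ts, sub))
    findings = {}
    for key, rows in groups.items():
        if len(rows) < min_queries:
            continue
        rows.sort()
        subs = [s for _, s in rows if s]
        reasons = []
        # Exfil signal: every query carries a fresh, high-entropy label.
        if subs and len(set(subs)) == len(subs) and \
                sum(map(shannon_entropy, subs)) / len(subs) >= min_entropy:
            reasons.append("unique high-entropy subdomains")
        # Beacon signal: inter-query gaps stay within max_jitter of their mean.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            reasons.append("regular interval of %.0fs" % mean)
        if reasons:
            findings[key] = reasons
    return findings
```

Interval regularity alone is noisy (update checks and monitoring agents beacon too), so treat a group as suspicious when both reasons appear or when the parent domain is otherwise unknown to the organisation.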
Network Reconnaissance
Systematic intelligence gathering:
- Active Directory enumeration
- Network mapping and topology discovery
- User and group identification
- Service and application discovery
- Credential and privilege mapping
Operational Security
Anti-Detection Measures
Documented testing against security products:
- Antivirus Testing: Malware tools tested against:
  - Microsoft Defender
  - Kaspersky
  - Avira
  - ESET
  - Other major AV products
- Stealth Operations: Focus on avoiding detection during operations
Infrastructure Security
Procurement Methods:
- Multiple procurement identities for server purchases
- Use of front companies
- Compartmentalized infrastructure
- Operational servers separated by function:
  - Attack servers
  - Tunnel servers
  - File storage servers
  - C2 infrastructure
- Documented credentials for server access
- Internal communication platforms (ISABELLE, 3CX, SIGNAL)
- File extraction systems
- Centralized infrastructure management
Attack Lifecycle
Initial Access
- Vulnerability Exploitation: ProxyShell, CVE-2024-1709, other CVEs
- Social Engineering: Phishing and fake recruitment sites
- Credential Compromise: Harvested credentials for initial entry
Persistence
- Webshell Deployment: Multiple ASP and custom webshells
- Service Installation: BellaCiao dropper services
- Backdoor Placement: Multiple access methods maintained
- Credential Collection: For future access
Privilege Escalation
- Domain Enumeration: Identifying privileged accounts
- Credential Harvesting: Administrator and service account credentials
- Lateral Movement Preparation: Mapping privilege paths
Collection and Exfiltration
- File Access: Via webshells and backdoors
- Email Access: Through compromised Exchange servers
- Credential Databases: User and system credentials
- Intelligence Gathering: Documents and communications
- DNS Exfiltration: Covert data extraction
Documented Attack Examples
Turkish Foreign Ministry
- Method: BellaCiao malware deployment
- Access: Sustained webshell access
- Duration: Extended operation documented
- Objective: Government intelligence collection
Mass ProxyShell Campaign
- Timeline: May-June 2022
- Scale: 200+ targets across multiple countries
- Method: Automated exploitation and webshell deployment
- Success Rate: Documented successful compromises in logs
UAE Security Personnel
- Operation: AMEEN ALKHALIJ social engineering
- Target: Former government and security employees
- Method: Fake recruitment website
- Duration: Extended campaign with detailed logging
Training and Development
Leaked documents reveal:
- Training Programs: Internal training materials
- Technical Documentation: Espionage techniques and tools
- Malware Development: Source code and testing procedures
- Intelligence Reports: Analysis of Israeli entities and other targets
- Operational Guides: Including “The Group’s Phishing Guide”
Tools and Frameworks
Custom Malware
- BellaCiao (both variants with source code)
- CYCLOPS (referenced in public reporting)
- Custom webshells (ASP variants)
- Python command framework
- PowerShell scripts
Third-Party Tools
- Plink (PuTTY suite) for tunneling
- Modified open-source tools
- Standard penetration testing utilities
Infrastructure
- Comprehensive server inventory
- Attack infrastructure
- Tunnel servers
- Storage servers
- Internal communication platforms