Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks

Cisco Talos security researchers have discovered that the Babuk ransomware gang is using the ProxyShell vulnerability in Microsoft Exchange to install a web shell called "China Chopper". A Babuk ransomware affiliate named "Tortilla", which probably joined the group in October, is deploying this web shell. The ProxyShell vulnerability could have been closed long ago by applying the available updates to on-premises Microsoft Exchange servers.


I became aware of this threat via the following tweet from Bleeping Computer. Cisco Talos describes the issue in the blog post Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk. A summary is available at Bleeping Computer.

Babuk Ransomware Campaign in October 2021

On October 12, 2021, Cisco Talos security researchers came across a campaign targeting vulnerable Microsoft Exchange servers via telemetry data from their security solutions. The campaign attempts to exploit the ProxyShell vulnerability to deploy the Babuk ransomware on victims' Exchange servers.

The campaign, which deploys variants of the Babuk ransomware, mainly affects users in the US. However, there are also a smaller number of infections in the UK, Germany, Ukraine, Finland, Brazil, Honduras and Thailand.

Cisco Talos has named the actor behind the campaign Tortilla, based on the names of the payload files used. It is a new actor that has been active since July 2021. Prior to this ransomware campaign, Tortilla experimented with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to give attackers unauthorized access to Windows machines.


The blog post in question states that the security researchers are reasonably certain the initial infection vector is the exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server, using the China Chopper web shell.

The Babuk infection chain

The threat actor uses a somewhat unusual infection chain in which an intermediate unpacking module is hosted on a clone. The intermediate unpacking stage is downloaded and decrypted in memory before the final payload embedded in the original sample is decrypted and executed.

  • The infection usually starts with a downloader module (.exe or .dll) on the victim's server. The DLL downloader is executed by the parent Exchange IIS worker process w3wp.exe.
  • The original downloader is a modified EfsPotato exploit that targets the ProxyShell and PetitPotam vulnerabilities. The downloader executes an embedded, obfuscated PowerShell command to connect to the actor's infrastructure and download a packed downloader module.
  • The PowerShell command also executes an AMSI bypass to evade endpoint protection. The download server is hosted via the malicious domains fbi[.]fund and xxxs[.]info.
  • The initial packed loader module contains encrypted .NET resources disguised as bitmap images. The decrypted content is the actual Babuk ransomware payload.
  • To decrypt and unpack the payload, the loader connects to a URL on that contains the intermediate unpacker module.
  • The unpacker module decrypts the embedded Babuk ransomware payload in memory and injects it into a newly created AddInProcess32 process.

The Babuk ransomware module running inside the AddInProcess32 process enumerates the processes running on the victim's server and attempts to stop a number of processes related to backup products, such as the Veeam backup service. It also deletes Volume Shadow Copy Service (VSS) snapshots from the server using the vssadmin utility, so that the encrypted files cannot be recovered from their VSS copies.
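As an added example (not code from the Cisco Talos write-up or from this blog), the following Python sketch runs a few detection rules derived from the chain described above over constructed process and file events: the Exchange worker process spawning a shell, an encoded PowerShell command, vssadmin deleting shadow copies, AddInProcess32 started by an unexpected parent, and the .babyk extension. The event field names and all sample values are assumptions.

```python
import re

# Constructed sample events (not real telemetry); the field names are an
# assumption loosely modelled on Sysmon process-create and file-create records.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "parent": r"C:\Users\Public\loader.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "cmdline": "AddInProcess32.exe"},
    {"type": "file", "path": r"C:\Shares\Finance\Q3-report.xlsx.babyk"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SHELLS = ("cmd.exe", "powershell.exe")
ENCODED_FLAG = re.compile(r"\s-e(nc(odedcommand)?)?\s")  # -e / -enc / -EncodedCommand


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path


def rules_for(event):
    """Return the names of every rule a single event triggers."""
    hits = []
    if event["type"] == "file":
        if event["path"].lower().endswith(".babyk"):
            hits.append("babyk_extension")           # encrypted file left behind
        return hits
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"].lower()
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("exchange_worker_spawns_shell")  # web shell running commands
    if image in SHELLS and "powershell" in cmd and ENCODED_FLAG.search(cmd):
        hits.append("encoded_powershell")            # obfuscated downloader stage
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")          # removes the recovery option
    # AddInProcess32 is a legitimate .NET host; its parent path is the signal here
    if image == "addinprocess32.exe" and "\\windows\\" not in event["parent"].lower():
        hits.append("addinprocess32_unusual_parent")  # injection target host
    return hits


def detect(events):
    """Run every rule over a list of events; returns (rule, event index) pairs."""
    return [(rule, i) for i, e in enumerate(events) for rule in rules_for(e)]
```

The parent-path whitelist for AddInProcess32 is a placeholder and should be tuned to what is normal on the server being monitored.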

The ransomware module encrypts the files on the victim's server and appends a .babyk file extension to the encrypted files. The actor demands $10,000 from victims for the decryption key to restore their files. More details can be read in the post Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk.

Closing the ProxyShell vulnerability

For context, it should be noted that the ProxyShell vulnerability has long been closed by Microsoft updates, and the exposure of unpatched Exchange servers is well known. Taiwanese security researcher Orange Tsai from the DEVCORE team gave a presentation on Exchange vulnerabilities at BlackHat 2021 in early August. He showed how Microsoft Exchange servers can be attacked and taken over via the exploit chains called ProxyLogon, ProxyOracle and ProxyShell by combining old vulnerabilities (e.g. CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that were closed by updates in April 2021.

I had written about this issue in the blog post Exchange vulnerabilities: Will we see Hafnium II?. The recommendation was to update on-premises Exchange servers to the latest patch level and to make sure they are not reachable from the Internet (see also Attacks on Exchange Server via ProxyShell vulnerability (8/13/2021)). In the blog post Attacks on Exchange Server via ProxyShell vulnerability are rolling on (13.8.2021) I had already pointed out the first attacks. In one wave of attacks, almost 2,000 servers were hacked (see Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell). So if you still don't have your Exchange servers patched, don't be surprised by a ransomware infection – other ransomware gangs also use the ProxyShell vulnerability for attacks.
