A recent report from Fortinet FortiGuard Labs reveals that an unnamed government entity linked to the United Arab Emirates (UAE) has fallen victim to a sophisticated cyberattack orchestrated by an alleged Iranian threat actor. The attack leveraged a backdoor named PowerExchange, which proved to be a “simple yet effective” infiltration tool.
The breach began with an initial email phishing campaign, enticing unsuspecting victims to open a ZIP file attachment containing a disguised .NET executable file posing as a harmless PDF document. This executable acts as a dropper, enabling the deployment of the final payload—the PowerExchange backdoor.
PowerExchange, implemented in PowerShell, cleverly utilizes text files attached to emails for command-and-control (C2) communication. Using the approach, the threat actor can execute arbitrary payloads and upload and download files on the compromised system. The backdoor employs the Exchange Web Services (EWS) API to connect with the victim’s Exchange Server, leveraging a mailbox on the server to send and receive encoded commands from the attacker. It makes it easy to maintain stealthy communication.
By exploiting the internet-facing Exchange Server, PowerExchange acts as a proxy, skillfully masking the threat actor’s identity and evading detection. How the threat actor obtained domain credentials to access the target Exchange Server remains undisclosed.
Fortinet’s investigation also uncovered other backdoored Exchange servers housing various web shells, including ExchangeLeech (known as System.Web.ServiceAuthentication.dll). These web shells enable persistent remote access and facilitate the theft of user credentials.
PowerExchange is an upgraded iteration of TriFive, previously employed by the Iranian nation-state actor APT34 (also referred to as OilRig) in targeted intrusions against government entities in Kuwait. This attack methodology aligns with the OilRig actors’ past utilization of internet-facing Exchange servers, as demonstrated in cases involving Karkoff and MrPerfectionManager.
By utilizing the victim’s Exchange server as the C2 channel, PowerExchange can effectively camouflage its malicious activities within legitimate network traffic. Consequently, the threat actor can easily circumvent network-based detection and remediation measures inside and outside the target organization’s infrastructure, heightening the challenges of defending against this sophisticated cyber threat.
 has fallen victim to a sophisticated cyberattack orchestrated by an alleged Iranian threat actor. The attack leveraged a backdoor named PowerExchange, which proved to be a "simple yet effective" infiltration tool.){kind=link}