January 18, 2022

ProxyShell Exploited with DatopLoader Leading to Qakbot

Industry: N/A | Level: Operational | Source: Cybereason

A threat report from Cybereason and security researcher Orange Tsai investigates a new malware loader, DatopLoader, that emerged in September 2021. The loader was observed being dropped as a payload following the attacker's successful exploitation of ProxyShell and Exchange vulnerabilities. Once the loader is executed, Qakbot/Qbot lands on the victim's workstation to set up persistence and conduct reconnaissance, relying largely on native tools with the exception of AdFind. Cobalt Strike is also launched, using PsExec to move laterally in the environment. In addition, credential access was identified through the gathering of credentials from registry hives.

  • Anvilogic Scenario: DatopLoader & Qakbot
  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Common Exchange Recon cmdlets
    • Exchange Remove Export Request
    • regsvr32 Execution
    • Credentials in Registry
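The use cases above are detection content; as an added illustration (not Anvilogic's or Cybereason's own rules or event schema), the script below runs a few of them as detection logic over constructed process-creation events. The `host=... image=... cmdline="..."` line format, the sample events, the rule names and the hive/path heuristics are all assumptions made for this example: regsvr32 loading a DLL from outside the Windows directory, `reg.exe` saving the SAM/SECURITY/SYSTEM hives, AdFind execution, and PowerShell invoking `Remove-MailboxExportRequest`.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in a hypothetical key=value
# format; these are not real telemetry from the report.
SAMPLE_EVENTS = [
    r'host=WS01 image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32 /s C:\Users\alice\AppData\Local\Temp\update.dll"',
    r'host=WS01 image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32 /s C:\Windows\System32\msxml3.dll"',
    r'host=WS01 image=C:\Tools\AdFind.exe cmdline="AdFind.exe -f objectcategory=computer"',
    r'host=WS01 image=C:\Windows\System32\reg.exe cmdline="reg save HKLM\SAM C:\Users\alice\AppData\Local\Temp\sam.hive"',
    r'host=WS01 image=C:\Windows\System32\reg.exe cmdline="reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"',
    r'host=EXCH01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Remove-MailboxExportRequest -Identity x -Confirm:$false"',
    r'host=WS01 image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

# Parser for the hypothetical event format used by the samples above.
EVENT_RE = re.compile(
    r'host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"'
)

# Matches drive-letter paths ending in .dll/.ocx inside a lowercased command line.
DLL_PATH_RE = re.compile(r'([a-z]:\\[^\s"]+\.(?:dll|ocx))')

# reg.exe saving or exporting the hives that hold local credential material.
HIVE_DUMP_RE = re.compile(r'\b(?:save|export)\b\s+hklm\\(?:sam|security|system)\b')


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into host, image and cmdline fields."""
    match = EVENT_RE.match(line)
    if not match:
        raise ValueError(f"unparseable event: {line!r}")
    return match.groupdict()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the example rules an event triggers."""
    hits: List[str] = []
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    exe = image.rsplit("\\", 1)[-1]

    # regsvr32 Execution: a DLL registered from a non-Windows path (e.g. a
    # user temp directory) is the suspicious case; system DLLs are ignored.
    if exe == "regsvr32.exe":
        dlls = DLL_PATH_RE.findall(cmd)
        if any(not d.startswith("c:\\windows\\") for d in dlls):
            hits.append("regsvr32 Execution")

    # Credentials in Registry: offline copies of SAM/SECURITY/SYSTEM.
    if exe == "reg.exe" and HIVE_DUMP_RE.search(cmd):
        hits.append("Credentials in Registry")

    # Active Directory reconnaissance with the non-native AdFind tool.
    if exe == "adfind.exe":
        hits.append("AD Recon (AdFind)")

    # Exchange Remove Export Request: cleanup of mailbox export requests.
    if exe in ("powershell.exe", "pwsh.exe") and "remove-mailboxexportrequest" in cmd:
        hits.append("Exchange Remove Export Request")

    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each triggered rule name to the hosts it fired on."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        for rule in detect(event):
            findings.setdefault(rule, []).append(event["host"])
    return findings


if __name__ == "__main__":
    for rule, hosts in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(hosts)}")
```

Each rule is deliberately narrow so that the benign samples (a system DLL registered with regsvr32, a plain `reg query`, Notepad) produce no hits; in a real pipeline the same checks would be joined with parent-process and user context before alerting.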