LockFile ransomware uses PetitPotam attack to hijack Windows domains

By the time you see these two files on your Exchange server, it might be too late…:

[…] Symantec analyzed LockFile’s attack chain and notes that the hackers typically spend at least several days on the network before detonating the file-encrypting malware, which is typical of this kind of attack.

The researchers say that when compromising the victim’s Exchange server, the attacker runs a PowerShell command that downloads a file from a remote location.

In the last stage of the attack, 20 to 30 minutes before deploying the ransomware, the threat actor proceeds to take over the domain controller by installing the PetitPotam exploit and two files on the compromised Exchange server:

  • active_desktop_render.dll
  • active_desktop_launcher.exe (legitimate KuGou Active Desktop launcher)

The legitimate KuGou Active Desktop launcher is abused in a DLL hijacking attack: the trusted launcher loads the malicious DLL, which helps the payload evade detection by security software.
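The pattern above, a legitimate executable loading a malicious DLL dropped next to it, leaves a recognisable trace in image-load telemetry. The following is an added example, not code from the original post or from Symantec: a small defender-side check that runs over constructed Sysmon-style image-load records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) and flags loads that match either the file name given in the post or the generic sideloading signal (an unsigned DLL loaded from the executable's own directory rather than a system directory). The sample paths, the `svc` account and the `Signed` values are assumptions made up for the example.

```python
"""Defender-side check for the DLL-hijacking pattern described in the post.

Added example, not code from the original post or from Symantec. It runs over
constructed Sysmon-style image-load records (Event ID 7 fields Image,
ImageLoaded, Signed, SignatureStatus). The paths, the 'svc' account and the
Signed values below are assumptions made up for the example.
"""
from pathlib import PureWindowsPath

# DLL name reported in the post for this campaign.
KNOWN_HIJACK_DLLS = {"active_desktop_render.dll"}

# Directories the Windows loader is expected to serve DLLs from. An unsigned
# DLL loaded from outside these, from the executable's own directory, is the
# sideloading signal. (Assumed list for the example; tune to the environment.)
TRUSTED_DLL_DIRS = [PureWindowsPath(d) for d in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]

# Constructed sample records: a benign system-DLL load by the launcher, the
# sideload of the unsigned DLL dropped beside it, and a benign load of a
# signed vendor DLL by an unrelated program.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\svc\Desktop\active_desktop_launcher.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\svc\Desktop\active_desktop_launcher.exe",
     "ImageLoaded": r"C:\Users\svc\Desktop\active_desktop_render.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def in_trusted_dir(path: PureWindowsPath) -> bool:
    """True if path is one of the trusted DLL directories or lies under one.
    PureWindowsPath compares case-insensitively, as Windows does."""
    return any(path == d or d in path.parents for d in TRUSTED_DLL_DIRS)


def suspicious_reasons(event: dict) -> list:
    """Return the reasons an image-load record looks like DLL sideloading
    (empty list when it looks benign)."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if dll.suffix.lower() != ".dll":
        return reasons
    # Rule 1: the specific file name named in the post.
    if dll.name.lower() in KNOWN_HIJACK_DLLS:
        reasons.append(f"known hijack DLL name: {dll.name}")
    # Rule 2: the generic pattern, an unsigned DLL loaded from the
    # executable's own directory rather than a system directory.
    unsigned = event.get("Signed", "").lower() != "true"
    if unsigned and dll.parent == image.parent and not in_trusted_dir(dll.parent):
        reasons.append("unsigned DLL loaded from the executable's own directory")
    return reasons


def find_sideloads(events) -> list:
    """Collect every record that trips at least one rule, with its reasons."""
    hits = []
    for event in events:
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append({"Image": event["Image"],
                         "ImageLoaded": event["ImageLoaded"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["ImageLoaded"], "|", "; ".join(hit["reasons"]))
```

Rule 2 is the one that generalises: it does not depend on the file names from this campaign, only on an unsigned DLL being resolved from the same directory as the process that loads it, which is how a trusted launcher ends up running attacker code. Signed vendor DLLs living next to their own application (the third record) are deliberately not flagged, so the rule stays quiet on ordinary software.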

[…]

Original Article