The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months.As observed, Below are the latest indicators of compromise.
Credits : Research by ExecuteMalware
Indicators of Compromise (IOCs)
Attacker IP Addresses
103.77.192[.]219
104.140.114[.]110
104.250.191[.]110
108.61.246[.]56
149.28.14[.]163
157.230.221[.]198
167.99.168[.]251
185.250.151[.]72
192.81.208[.]169
203.160.69[.]66
211.56.98[.]146
5.254.43[.]18
5.2.69[.]14
80.92.205[.]81
91.192.103[.]43
Web Shell Hashes
b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
Web Shell Paths
%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Exchange\FrontEnd\HttpProxy\owa\auth\
C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\
\inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
\\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
\\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
\\FrontEnd\HttpProxy\owa\auth\Current\
\\FrontEnd\HttpProxy\owa\auth\\
Web Shell Names
web.aspx
help.aspx
document.aspx
errorEE.aspx
errorEEE.aspx
errorEW.aspx
errorFF.aspx
healthcheck.aspx
aspnet_www.aspx
aspnet_client.aspx
xx.aspx
shell.aspx
aspnet_iisstart.aspx
one.aspx