A Persistent Threat: Keylogger Injection in Microsoft Exchange Authentication Pages


In May 2024, a previously unknown attack was discovered where malicious code was injected into the login pages of Microsoft Exchange Servers. This attack involved the use of keyloggers, categorized into two types: keyloggers with local logging and those sending data to an external server. The malicious JavaScript code embedded into the legitimate authentication process allowed attackers to capture sensitive data, including user credentials, cookies, and other information. In 2025, a similar attack was identified, affecting 26 countries worldwide.

Severity Level: High

Threat Overview

Compromise of Microsoft Exchange Server:

  • Attackers initially compromise Microsoft Exchange Servers by exploiting vulnerabilities in the server software. These vulnerabilities are often older ones that have not been patched, allowing attackers to gain unauthorized access.

Injection of Malicious Code into Login Page:

  • Once the attacker has access to the Exchange Server, they inject malicious JavaScript code into the legitimate login page (often a page like logon.aspx).
  • This malicious JavaScript is embedded within the existing code of the Exchange Server’s authentication mechanism, making it hard to detect through basic checks.

User Interaction:

  • The victim visits the compromised Exchange Server’s authentication page (the login page).
  • They enter their login credentials (username and password) into the page, which appears normal to the user.

Keylogger Activation:

  • The malicious JavaScript code activates and captures the entered credentials (username and password).
  • In some cases, the keylogger also captures additional data like cookies, user-agent headers, and other sensitive information from the victim’s browser.

Data Exfiltration:

  • The captured data is either sent immediately to an external server controlled by the attackers or stored in a file on the compromised server.
  • The exfiltration methods used include:
    • XHR Requests (XMLHttpRequest) sent to a specific page within the compromised server.
    • Obfuscated POST or GET requests to send data as part of HTTP headers or request bodies.
    • Use of Telegram bots or other services: Data is sent directly to a Telegram bot or another legitimate external service for easy collection by the attacker.
    • DNS Tunneling: In some cases, attackers use DNS tunneling, where the stolen data is encoded and sent as part of DNS requests.

Data Collection and Storage:

  • The stolen data is stored either in an open directory or in files that are accessible externally by the attacker. This allows the attackers to retrieve the data remotely.
  • The files containing the stolen credentials and other sensitive information remain accessible to the attacker without alerting detection systems.

Evading Detection:

  • The attackers use techniques like obfuscation to hide the malicious JavaScript code, making it harder for traditional security systems to detect the malicious actions.
  • There is no need for a command-and-control (C2) server, as attackers can access the stolen data directly from the compromised server or external tools (like Telegram bots), reducing the chance of detection by network security systems.

Stealth Persistence:

  • By embedding the malicious code in legitimate pages, attackers can maintain persistence on the system for extended periods without triggering traditional security alarms. The attack is designed to remain undetected until the credentials are exfiltrated and used for malicious purposes.

Vulnerabilities exploited:

  • CVE-2021-31206, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2014-4078, CVE-2021-26858, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2013-0941, CVE-2020-0796

Victimology

  • Affected sectors: Government, IT, Industrial, Banking, Education, and Logistics.
  • Affected regions: Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, Netherlands, Turkey, Kazakhstan, Morocco, Mozambique, Kuwait, Portugal, Greece, Egypt, the UAE, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, Iran, Iraq, South Africa, Georgia, Saudi Arabia, Uzbekistan, Mexico, Senegal.

Recommendations

  1. Ensure Microsoft Exchange Servers are patched and updated to the latest versions to mitigate known vulnerabilities that could be exploited by attackers.
  2. Regularly review critical files related to authentication, such as logon.aspx in Microsoft Exchange, and scan them for changes using file integrity monitoring tools.
  3. Avoid storing sensitive information, such as credentials, in open directories or easily accessible files on your servers. Ensure that any files containing sensitive data are encrypted and stored securely.
  4. Enforce MFA for all users accessing Exchange Servers, particularly administrative accounts, to provide an additional layer of defense in case credentials are compromised.
  5. You can check for potential compromise by searching for the stealer code on the main page of your Microsoft Exchange server. The following is the code that attackers embed in the Microsoft Exchange Server main page, in particular into the clkLgn() function:
    var ObjectData = "ObjectType=" + escape(curTime + "\t" + gbid("username").value + "\t" + gbid("password").value) + "&uin=" + Math.random().toString(16).substring(2);
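A defender-side check that combines recommendations 2 and 5 (integrity baseline plus a scan for the stealer pattern), added here as an example; it is not code from the advisory or from the cited research. The indicator regexes are heuristics derived from the line quoted above, and the two clkLgn() snippets are constructed samples, not Exchange's real logon.aspx code.

```python
import hashlib
import re
from pathlib import Path

# Heuristic indicators for injected credential-stealing JavaScript in Exchange
# authentication pages. The first two follow the stealer line quoted in
# recommendation 5; the third covers the Telegram exfiltration channel.
INDICATORS = {
    "objecttype_uin_stealer": re.compile(
        r'ObjectType=.*?gbid\(\s*["\']password["\']\s*\)\.value.*?&uin=', re.S),
    "password_concat": re.compile(r'\+\s*gbid\(\s*["\']password["\']\s*\)\.value'),
    "telegram_bot_api": re.compile(r'api\.telegram\.org/bot', re.I),
}

def scan_text(text):
    """Return the indicator names that match one page's text (empty if clean)."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def check_page(text, known_good_sha256=None):
    """Integrity check against a known-good hash plus the indicator scan."""
    digest = sha256_text(text)
    return {
        "sha256": digest,
        "modified": known_good_sha256 is not None and digest != known_good_sha256,
        "indicators": scan_text(text),
    }

def scan_auth_dir(root):
    """Scan every .aspx/.js file below an auth directory and return only hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".aspx", ".js"):
            result = check_page(path.read_text(encoding="utf-8", errors="replace"))
            if result["indicators"]:
                hits[str(path)] = result
    return hits

# Constructed samples (assumptions, not real Exchange code): a benign clkLgn()
# and one carrying the ObjectData stealer line from recommendation 5.
CLEAN_CLKLGN = 'function clkLgn(){ if(gbid("rdoPrvt").checked){ document.cookie="PBack=1;path=/"; } }'
INJECTED_CLKLGN = (
    'function clkLgn(){ var curTime=new Date().getTime();'
    ' var ObjectData="ObjectType=" + escape(curTime + "\\t" + gbid("username").value + "\\t"'
    ' + gbid("password").value) + "&uin=" + Math.random().toString(16).substring(2); }'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_CLKLGN), ("injected", INJECTED_CLKLGN)):
        print(label, check_page(sample)["indicators"])
```

Point scan_auth_dir at the Exchange FrontEnd auth folder and compare the returned hashes with a baseline taken after the last known-good patch; a hash change with no indicator hit still warrants a manual diff of the file.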

Source:

  • https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/exchange-mutations-malicious-code-in-outlook-pages
  • https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/positive-technologies-detects-a-series-of-attacks-via-microsoft-exchange-server


Ampcus Cyber