Exchange Hafnium/ProxyShell Exploit - Malicious Files submitted but no action taken!




On the 11 October I submitted 7 dll files to samples@eset.com that ESET's software decided to leave behind as clean from an infected Exchange 2019 Server from Hafnium/ProxyShell exploits.

I know they are malicious as the time stamps of the files created match that of when the attack on that server took place, and they were in one of the known locations it likes to dump its files. (C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946)

At the time only Kaspersky detected them as malicious through uploading them via VirusTotal.

Still today ESET is not picking these files up, even though there are now 10+ other vendors detecting these on VirusTotal as part of the proxy exchange exploits.

Anybody from ESET staff on here able to escalate this please and get these files checked and added!


Edited by FTL

  • Administrators

Those are just some remnants of the infection. The point is to detect the aspx files and that the user patches the ProxyShell vulnerability. The dlls are useless without the appropriate aspx files that ESET detects. While it's tricky to cover them without FPs, we'll try to.
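The reply above treats each leftover DLL as the compiled output of an .aspx page; ASP.NET records that link in the `.compiled` preservation files stored in the same temporary directory, so it can be checked on disk. The following is an added example, not part of the original thread and not ESET's code: the function names and the sample XML are constructed for illustration, and it uses each DLL's last-write time to compare against the incident window.

```python
"""Map leftover ASP.NET temp DLLs back to the page that produced them."""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of a .compiled preservation file; every value is made up.
SAMPLE_COMPILED = """<?xml version="1.0" encoding="utf-8"?>
<preserve resultType="3" virtualPath="/aspnet_client/example.aspx"
          flags="110000" assembly="App_Web_abcd1234" type="ASP.example_aspx">
  <filedeps><filedep name="/aspnet_client/example.aspx" /></filedeps>
</preserve>"""


def parse_compiled(xml_text):
    """Return (assembly name, source virtual path) from .compiled XML."""
    root = ET.fromstring(xml_text)
    return root.get("assembly"), root.get("virtualPath")


def triage(temp_root, start, end):
    """Describe every DLL under temp_root; start/end are aware datetimes."""
    sources = {}
    for f in Path(temp_root).rglob("*.compiled"):
        try:
            asm, vpath = parse_compiled(f.read_text(encoding="utf-8-sig"))
        except (ET.ParseError, OSError, UnicodeError):
            continue  # unreadable file: its DLL is reported as unmapped
        if asm:
            sources.setdefault(asm.lower(), []).append(vpath or "(unknown)")
    rows = []
    for dll in sorted(Path(temp_root).rglob("*.dll")):
        written = datetime.fromtimestamp(dll.stat().st_mtime, timezone.utc)
        rows.append({
            "dll": dll.name,
            "written_utc": written,
            "in_window": start <= written <= end,
            # Empty list: no .compiled file names a source page for this DLL.
            "source_pages": sources.get(dll.stem.lower(), []),
        })
    return rows


if __name__ == "__main__":
    # Usage: triage.py <temp ASP.NET dir> <start ISO time> <end ISO time> (UTC)
    lo, hi = (datetime.fromisoformat(a).replace(tzinfo=timezone.utc) for a in sys.argv[2:4])
    for row in triage(sys.argv[1], lo, hi):
        print(row["written_utc"].isoformat(), row["in_window"], row["dll"],
              ", ".join(row["source_pages"]) or "(no .compiled mapping)")
```

A DLL written inside the incident window whose source page is not one the application ships is the pairing to examine first; the listed virtual path says which .aspx file to look for under the web root.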


18 hours ago, foneil said:

If anyone has suggested edits/updates to our KB for this issue, please send to me: 

It appears ESET has Hafnium known exploits pretty well covered. However, it should be noted from the above linked bleepingcomputer.com article on Tortilla ransomware that it will try to exploit any system vulnerability it can find:


More specifically, Tortilla followed these pathways to drop the DLL and .NET modules:

  • Microsoft Exchange auto-discover server-side request forgery attempt
  • Atlassian Confluence OGNL injection remote code execution attempt
  • Apache Struts remote code execution attempt
  • WordPress wp-config.php access via directory traversal attempt
  • SolarWinds Orion authentication bypass attempt
  • Oracle WebLogic Server remote command execution attempt
  • Liferay arbitrary Java object deserialization attempt

As these attacks rely on patched vulnerabilities, it is strongly advised that all admins upgrade their servers to the latest versions to prevent them from being exploited in attacks.

As such, I believe 100% reliance on your security software versus performing the appropriate patch for the above vulnerabilities is very ill-advised.

It is also naive to assume one specific technique, e.g.:


According to a report by researchers at Cisco Talos, a Babuk ransomware affiliate known as 'Tortilla' had joined the club in October, when the actor started using the 'China Chopper' web shell on breached Exchange servers.

is being used to exploit these vulnerabilities.

Edited by itman

This topic is now closed to further replies.