Russian Hackers Exploiting MDaemon 0-Day Vulnerability to Hack Webmail Servers
- Source: Vulnerability (cybersecuritynews.com)
Author: Tushar Subhra Dutta

A recently uncovered cyber-espionage campaign linked to Russian state-sponsored actors has been targeting enterprise webmail servers using a critical zero-day vulnerability in MDaemon, a widely used email server.
Dubbed "MailStorm" by researchers, the campaign exploits an unpatched buffer overflow flaw (CVE-2025-36721) in MDaemon's Webmail client, versions 23.0.0 through 23.5.2.
Attackers deploy a multi-stage malware payload to exfiltrate sensitive communications, hijack administrative accounts, and establish long-term persistence in victim networks.
The vulnerability resides in how MDaemon handles HTTP POST requests during email attachment processing.
Initial attacks observed in mid-April 2025 focused on government agencies, financial institutions, and critical infrastructure providers in NATO member states.
Successful compromises have led to credential theft, lateral movement through networks, and the deployment of secondary payloads like KrisProxy, a custom backdoor linked to the APT28 group.
WeliveSecurity analysts identified that the attackers use compromised Microsoft Exchange servers as command-and-control (C2) relays, masking malicious traffic as legitimate OAuth authentication requests.
This tactic, combined with the use of Let's Encrypt TLS certificates for payload delivery, has allowed the campaign to evade traditional signature-based detection tools.
In a May 12 advisory, MDaemon’s parent company confirmed the vulnerability and is preparing an emergency patch, but thousands of servers remain unprotected.
From Exploit to Persistent Backdoor
The MailStorm attack chain begins with a reconnaissance phase, where attackers scan for MDaemon servers exposed on ports 3000 (HTTP) or 3001 (HTTPS).
Once a vulnerable target is identified, the exploit sends a malformed HTTP POST request whose oversized header overflows the buffer and overwrites a Structured Exception Handler (SEH) record, redirecting execution flow to the attacker's shellcode.
```python
# Simplified exploit pseudocode (as described in the article). The address,
# offset and shellcode are illustrative placeholders, not a working exploit.
import requests

target = "https://[TARGET_IP]:3001/webmail.dll"

shellcode = b"\xcc" * 32  # placeholder for the attacker's custom shellcode

headers = {
    # 4096 bytes of filler, then the SEH record overwritten with 0x00410674 (jmp esp)
    "Content-Type": b"A" * 4096 + b"\x74\x06\x41\x00",
}
payload = b"\x90" * 20 + shellcode  # NOP sled + custom shellcode

response = requests.post(target, headers=headers, data=payload, verify=False)
print(response.status_code)
```
The shellcode downloads a first-stage PowerShell script from a compromised Exchange server and saves it as %Temp%\msupdate.ps1.
This script disables AMSI protections, extracts a malicious DLL disguised as a Windows Update file, and registers it as a service named “WinSock2Helper” to maintain persistence.
The DLL employs API hooking to intercept SMTP traffic, allowing attackers to harvest credentials and modify emails in transit.
Notably, the malware uses RFC 5322 header injection to embed exfiltrated data into outbound emails, evading network detection. For example, stolen data is hidden in the optional Comments header field of routine notifications; in the illustration below the value is a base64-encoded C2 URL:

```
Received: from [Internal_User] by mail.example.com (MDaemon 23.5.2) with ESMTP;
    Thu, 15 May 2025 12:34:56 +0530
Comments: X-Exfil: aHR0cHM6Ly9leGFtcGxlL2V4ZmlsCg==
```

The base64 token in this illustration decodes to https://example/exfil, the C2 URL.
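As an added example (not code from the article, from WeLiveSecurity, or from MDaemon), the following Python shows how a mail gateway or analyst could catch this smuggling technique: it parses raw RFC 5322 headers, extracts the base64 token from any Comments field carrying the X-Exfil marker shown above, decodes it, and strips the offending field so a cleaned copy can be forwarded. The sample message is constructed for this example; the exact marker format and the base64 alphabet are assumptions taken from the article's illustration.

```python
"""Detect and strip data smuggled in RFC 5322 'Comments' header fields."""
import base64
import binascii
import re
from email import message_from_string, policy

# Constructed sample: a routine notification carrying an injected Comments field
# next to a benign one. Not a real captured message.
SAMPLE_MESSAGE = (
    "Received: from [Internal_User] by mail.example.com (MDaemon 23.5.2) with ESMTP;\r\n"
    " Thu, 15 May 2025 12:34:56 +0530\r\n"
    "From: noreply@example.com\r\n"
    "To: staff@example.com\r\n"
    "Subject: Mailbox quota notification\r\n"
    "Comments: Automated notification\r\n"
    "Comments: X-Exfil: aHR0cHM6Ly9leGFtcGxlL2V4ZmlsCg==\r\n"
    "\r\n"
    "Your mailbox is at 80% of its quota.\r\n"
)

# Assumed marker format: 'X-Exfil:' followed by a standard base64 token
EXFIL_RE = re.compile(r"X-Exfil:\s*([A-Za-z0-9+/=]+)")


def find_exfil(raw_message: str) -> list[dict]:
    """Return one finding per X-Exfil token found in a Comments field.

    'decoded' is None when the marker is present but the token is not valid
    base64 (still worth alerting on: the marker itself is the indicator).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for value in msg.get_all("Comments", []):
        for token in EXFIL_RE.findall(str(value)):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None
            findings.append({"token": token, "decoded": decoded})
    return findings


def strip_exfil(raw_message: str) -> str:
    """Return the message with every marked Comments field removed, keeping benign ones."""
    msg = message_from_string(raw_message, policy=policy.default)
    keep = [str(v) for v in msg.get_all("Comments", []) if not EXFIL_RE.search(str(v))]
    del msg["Comments"]          # drops all Comments fields
    for value in keep:           # re-add only the benign ones
        msg["Comments"] = value
    return msg.as_string()


if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_MESSAGE):
        print(f"token={hit['token']} decoded={hit['decoded']!r}")
    print(strip_exfil(SAMPLE_MESSAGE))
```

The parser unfolds continuation lines and handles repeated header fields, so the check cannot be bypassed by folding the Comments field across several lines; a gateway rule that only matched on the first line of each header would miss that.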
To complicate analysis, the malware uses process hollowing (injecting its payload into a suspended svchost.exe instance) and encrypts C2 communications with an XOR key derived from the victim's machine GUID.
Organizations using MDaemon Webmail are urged to disable external access to ports 3000/3001 until a patch is deployed.
WeliveSecurity recommends implementing network segmentation, enforcing strict email filtering rules, and auditing logs for abnormal HTTP POST requests exceeding 4,096 bytes.
Indicators of compromise (IoCs) include unexpected WinSock2Helper services, DNS queries to .ru domains masquerading as Microsoft Azure hosts, and PowerShell processes spawned from webmail.dll.
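As an added example (not the article's or the vendor's tooling), the following Python runs the checks from the two preceding paragraphs over constructed log samples: POST requests larger than 4,096 bytes, PowerShell started under webmail.dll, .ru names that imitate Azure hosts, and services missing from a host baseline. The simplified log formats, file paths, service baseline and the "azure"/"microsoft" lookalike tokens are assumptions made for this example, not MDaemon's, IIS's or Windows' native formats.

```python
"""Hunt for the MailStorm indicators listed above over constructed sample logs."""
import re

POST_SIZE_LIMIT = 4096                      # threshold recommended in the article
LOOKALIKE_TOKENS = ("azure", "microsoft")   # assumption: labels an Azure lookalike would use
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
EXPECTED_SERVICES = {"WinDefend", "Dnscache", "MDaemon"}  # assumed host baseline

# Constructed samples. Simplified formats assumed for this example:
#   access:  "<ts> <src> <method> <path> <status> <request_bytes>"
#   process: "<ts> parent=<path> child=<path> cmd=<cmdline>"
#   dns:     "<ts> <client> <query>"
ACCESS_LOG = """\
2025-05-15T12:30:01+0530 10.0.0.5 GET /webmail.dll?View=Main 200 312
2025-05-15T12:31:14+0530 203.0.113.9 POST /webmail.dll 500 7340
2025-05-15T12:32:40+0530 10.0.0.7 POST /webmail.dll?View=Compose 200 1024
"""
PROCESS_LOG = r"""2025-05-15T12:31:15+0530 parent=C:\MDaemon\WebMail\webmail.dll child=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -nop -w hidden -f C:\Windows\Temp\msupdate.ps1
2025-05-15T12:35:00+0530 parent=C:\Windows\explorer.exe child=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell Get-Date
"""
DNS_LOG = """\
2025-05-15T12:31:20+0530 10.0.0.12 login.microsoftonline.com
2025-05-15T12:31:22+0530 10.0.0.12 azure-cdn-update.example.ru
2025-05-15T12:40:02+0530 10.0.0.12 mail.example.ru
"""
SERVICES = ["WinDefend", "Dnscache", "MDaemon", "WinSock2Helper"]

PROC_RE = re.compile(r"^(\S+) parent=(\S+) child=(\S+) cmd=(.*)$")


def oversized_posts(access_log: str, limit: int = POST_SIZE_LIMIT) -> list[dict]:
    """HTTP POST requests whose request size exceeds the limit."""
    hits = []
    for line in access_log.splitlines():
        ts, src, method, path, _status, req_bytes = line.split()
        if method == "POST" and int(req_bytes) > limit:
            hits.append({"ts": ts, "src": src, "path": path, "bytes": int(req_bytes)})
    return hits


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def powershell_from_webmail(process_log: str) -> list[dict]:
    """PowerShell whose parent image is the webmail component (webmail.dll)."""
    hits = []
    for line in process_log.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        ts, parent, child, cmd = m.groups()
        if _basename(parent) == "webmail.dll" and _basename(child) in POWERSHELL_IMAGES:
            hits.append({"ts": ts, "parent": parent, "child": child, "cmd": cmd})
    return hits


def lookalike_ru_queries(dns_log: str) -> list[str]:
    """Queries for .ru names whose labels imitate Microsoft/Azure hosts."""
    hits = []
    for line in dns_log.splitlines():
        _ts, _client, name = line.split()
        name = name.lower().rstrip(".")
        if name.endswith(".ru") and any(tok in name for tok in LOOKALIKE_TOKENS):
            hits.append(name)
    return hits


def unexpected_services(names, baseline=EXPECTED_SERVICES) -> list[str]:
    """Installed services absent from the baseline (WinSock2Helper is the article's IoC)."""
    return sorted(n for n in names if n not in baseline)


def hunt() -> dict:
    """Run all four checks over the sample logs and return the findings per check."""
    return {
        "oversized_posts": oversized_posts(ACCESS_LOG),
        "powershell_from_webmail": powershell_from_webmail(PROCESS_LOG),
        "lookalike_ru_queries": lookalike_ru_queries(DNS_LOG),
        "unexpected_services": unexpected_services(SERVICES),
    }


if __name__ == "__main__":
    for check, hits in hunt().items():
        print(f"{check}: {hits}")
```

In production the same functions would be fed from the web server's access log with request body size enabled, Sysmon or EDR process-creation events (parent/child image paths), the resolver's query log, and a service inventory from Get-Service; only the parsers change, the match logic stays as above.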