December 9, 2023

The Microsoft Exchange ProxyShell vulnerabilities are being exploited yet again for ransomware, this time with Babuk from the new “Tortilla” threat actor.

Researchers at Cisco Talos discovered the new variant of the Babuk ransomware campaign in mid-October and believe the variant has been active since July 2021. The new element in this attack is an unusual infection chain.

The researchers believe the initial infection vector is exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server, through which the China Chopper web shell is deployed.

Babuk can affect several hardware and software platforms, but this version targets Windows. The ransomware encrypts the target’s machine, interrupts the system backup process and deletes the volume shadow copies.

The infection chain works like this: a DLL or .NET executable starts the attack on the victim’s system. The DLL is a mixed-mode assembly. The .NET executable version of the initial downloader is a modified variant of the EfsPotato exploit, with added code to download and trigger the next stage.

The initial downloader module on a victim’s server runs an embedded and obfuscated PowerShell command to download a packed downloader module. This second module has encrypted .NET resources as bitmap images. The PowerShell command also executes an AMSI bypass to avoid endpoint detection.

The packed downloader module connects to a URL on (a PasteBin clone site) that hosts an intermediate unpacker module. The unpacker concatenates the bitmap images from the resource section of the trojan and then decrypts the payload into memory.

The payload is injected into the process AddInProcess32 and encrypts files on the victim’s server and all mounted drives. The Cisco Talos post has details on each phase and tool in the attack.

Cisco Talos’ telemetry also suggests that the new variant tries to exploit several other vulnerabilities in other products most commonly triggering these Snort rules:

  • Microsoft Exchange autodiscover server side request forgery attempt (57907)
  • Atlassian Confluence OGNL injection remote code execution attempt (58094)
  • Apache Struts remote code execution attempt (39190, 39191)
  • WordPress wp-config.php access via directory traversal attempt (41420)
  • SolarWinds Orion authentication bypass attempt (56916)
  • Oracle WebLogic Server remote command execution attempt (50020)
  • Liferay arbitrary Java object deserialization attempt (56800)
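As an added defender-side example (not from the Talos post or this article), the following Python correlates Snort fast-format alerts so that a single source tripping several of the rules listed above stands out, which matches the multi-product exploitation attempts described. The SIDs are the ones listed above; the alert lines are constructed samples, and the `min_distinct` threshold is an assumption to tune.

```python
import re
from collections import defaultdict

# Snort SIDs from the Talos telemetry summarised above (values taken from the article).
TORTILLA_SIDS = {
    57907: "Microsoft Exchange autodiscover SSRF",
    58094: "Atlassian Confluence OGNL injection",
    39190: "Apache Struts RCE",
    39191: "Apache Struts RCE",
    41420: "WordPress wp-config.php directory traversal",
    56916: "SolarWinds Orion authentication bypass",
    50020: "Oracle WebLogic remote command execution",
    56800: "Liferay Java object deserialization",
}

# Snort "fast" alert layout: timestamp [**] [gid:sid:rev] "msg" [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def parse_alert(line):
    """Extract sid, message and endpoints from one fast-format alert line; None if unparseable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sid": int(m.group("sid")), "msg": m.group("msg").strip('"'),
            "src": m.group("src"), "dst": m.group("dst")}

def correlate(lines, min_distinct=2):
    """Return {source_ip: sorted SIDs} for sources that hit >= min_distinct distinct listed rules."""
    hits = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["sid"] in TORTILLA_SIDS:
            hits[alert["src"]].add(alert["sid"])
    return {src: sorted(sids) for src, sids in hits.items() if len(sids) >= min_distinct}

# Constructed sample alerts (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_ALERTS = [
    '12/09-10:15:32.123456  [**] [1:57907:1] "Microsoft Exchange autodiscover server side request forgery attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44321 -> 10.0.0.7:443',
    '12/09-10:16:01.000111  [**] [1:58094:1] "Atlassian Confluence OGNL injection remote code execution attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44390 -> 10.0.0.12:8090',
    '12/09-10:16:40.555000  [**] [1:39190:3] "Apache Struts remote code execution attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44402 -> 10.0.0.20:8080',
    '12/09-10:20:05.777000  [**] [1:57907:1] "Microsoft Exchange autodiscover server side request forgery attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:51000 -> 10.0.0.7:443',
    '12/09-10:21:00.000000  [**] [1:1000001:1] "Unrelated local rule" [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.44:40000 -> 10.0.0.7:80',
]

if __name__ == "__main__":
    for src, sids in correlate(SAMPLE_ALERTS).items():
        print(src, [TORTILLA_SIDS[s] for s in sids])
```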

The researchers note the Babuk builder and its source code were leaked and that the Tortilla ransomware actor has been experimenting with different payloads. This group has low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools.
