Compare Devo vs. Splunk vs. Elastic in the Buyer's Guide to Log Management Download Now
Request Demo

The Threat

Black Kingdom is targeting Exchange servers that remain unpatched against the ProxyLogon vulnerabilities disclosed by Microsoft earlier this month. It strikes the on-premises versions of Microsoft Exchange Server, abusing the remote code execution (RCE) vulnerability also known as ProxyLogon[1] (CVE-2021-27065[2]).



BlackKingdom runs a script on all vulnerable Exchange servers via ProxyLogon vulnerability.


Executable seems to be py2exe, and if run successfully users see something like this:

The bitcoin address included in the script has a couple of transactions when these words are written (11:30 UTC, March 25th).

The encryption process includes three main stages:

  • In the first, it performs a reading of the file
  • In the second an overwriting of the file with the encrypted data
  • And in the third a name change so that the file is not associated with any application.

In the first samples found, it seems that there is a list of locations that will not be affected by file encryption. The directories are all related to the operating system in order not to affect its operation.

  • ProgramData
  • Windows
  • Program Files (x86)
  • Program Files
  • AppData\Roaming\
  • AppData\LocalLow\
  • AppData\Local\



Orchestrated from a remote server and operated from The threat actor exploited the on-premises versions of Microsoft Exchange Server, abusing the remote code execution (RCE) vulnerability also known as ProxyLogon (CVE-2021-27065).

These two IP addresses are part of the anonymous network TOR. If we get all the information related to these two TOR nodes we can show that the network usage has increased in the last few days. Also, both servers have an uptime of only almost five days.





The Devo Security Operations alert dataset includes an alert that can be used because detects anonymous connections over firewall logs.

  • SecOpsAnonymousConnection

Due to the threat type we’re trying to detect we can add a new alert to monitor all connections to our web servers from anonymous servers.

  • SecOpsWebConnectionFromAnonymousServer

Both alerts could be improved for this threat by adding some filtering:

  • IP addresses from known threat actors.

  • Owa http path to monitor only Exchange Servers.

  • Looking for ASPX resources.


Once the server compromise has occurred, the attacker installs a webshell. This webshell offers remote access to the server and allows the execution of arbitrary commands.

The process in charge of webshell creation is named “w3wp.exe.”








One of the actions that is triggered is an attempt to stop all services that include the word “sql” in their name. Surely this is done with the intention of being able to encrypt all the files in the existing databases.


Webshell deploy

Devo released a new alert to detect a command execution that appears to be in charge of creating the webshell file. This alert could be correlated with others to detect the complete or partial behaviour of the ransomware.

  • SecOpsBlackKingdomWebshellInstalation


Devo released a new alert to detect attempts to stop services that are related by name with SQL services. This alert could be correlated with others to detect the complete or partial behavior of the ransomware.

  • SecOpsStopSqlServicesRunning



The Devo security team is pushing all the indicators into a lookup that is available in all domains across the platform. Customers can use it to create new alertes, perform hunting, or create active dashboards.

Additionally, it is necessary to activate the alerts related to the ProxyLogon (HAFNIUM) threat available in Devo.











Follow the recommendations from Microsoft. They release the “Exchange On-premises Mitigation Tool (EOMT)”. This script contains mitigations to help address CVE-2021-26855 vulnerability.












Get the latest updates

Sign up to stay informed with the latest updates from Devo.

Want a live demo or have specific questions? SPEAK WITH A DEVO SPECIALIST