A recently uncovered cyber-espionage campaign linked to Russian state-sponsored actors has been targeting enterprise webmail servers using a critical zero-day vulnerability in MDaemon, a widely used email server software. Attackers deploy a multi-stage malware payload to exfiltrate sensitive communications, hijack administrative accounts, and establish long-term persistence in victim networks. WeliveSecurity analysts identified that the attackers use compromised Microsoft Exchange servers as command-and-control (C2) relays, masking malicious traffic as legitimate OAuth authentication requests.

The vulnerability resides in how MDaemon handles HTTP POST requests during email attachment processing. By sending a crafted request with an oversized "Content-Type" header, attackers trigger a stack-based buffer overflow, enabling remote code execution (RCE).

The MailStorm attack chain begins with a reconnaissance phase, in which attackers scan for MDaemon servers exposed on ports 3000 (HTTP) or 3001 (HTTPS). Once a vulnerable target is identified, the exploit sends a malformed HTTP POST request, overflowing the buffer and overwriting a structured exception handler (SEH) to redirect execution flow. To complicate analysis, the malware employs process hollowing, injecting its payload into a suspended svchost.exe instance, and encrypts C2 communications using an XOR key derived from the victim's machine GUID.

WeliveSecurity recommends implementing network segmentation, enforcing strict email filtering rules, and auditing logs for abnormal HTTP POST requests exceeding 4,096 bytes.
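The log-audit recommendation above (POST requests over 4,096 bytes to the MDaemon Webmail listener on ports 3000/3001, and oversized Content-Type headers) can be turned into a small triage script. The following is an added example written for this article, not code from WeliveSecurity, MDaemon or the reporter; it assumes a hypothetical JSON-lines proxy or reverse-proxy log with `src`, `dst_port`, `method`, `content_length` and `headers` fields, and the 256-character Content-Type limit is an assumption (the article gives no figure for the header size). The sample records are constructed.

```python
"""Audit a web-proxy log for oversized POSTs aimed at MDaemon Webmail (added example)."""
import json
from dataclasses import dataclass, field

MDAEMON_WEBMAIL_PORTS = {3000, 3001}   # listener ports named in the article
MAX_POST_BYTES = 4096                  # body-size threshold named in the article
MAX_CONTENT_TYPE_LEN = 256             # assumption: legitimate Content-Type values are far shorter


@dataclass
class Finding:
    line_no: int
    src: str
    reasons: list = field(default_factory=list)


def inspect_record(rec: dict) -> list:
    """Return the reasons one parsed log record is suspicious (empty list = nothing to report)."""
    if rec.get("dst_port") not in MDAEMON_WEBMAIL_PORTS:
        return []                      # only the webmail listener is in scope for this hunt
    if str(rec.get("method", "")).upper() != "POST":
        return []
    reasons = []
    body = int(rec.get("content_length", 0))
    if body > MAX_POST_BYTES:
        reasons.append(f"POST body {body} bytes exceeds {MAX_POST_BYTES}")
    # header names are case-insensitive, so normalise before the lookup
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    ctype = headers.get("content-type", "")
    if len(ctype) > MAX_CONTENT_TYPE_LEN:
        reasons.append(f"Content-Type header is {len(ctype)} chars (limit {MAX_CONTENT_TYPE_LEN})")
    return reasons


def scan_log(lines) -> list:
    """Parse JSON-lines records, skip blank or unparsable ones, and collect findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                   # malformed line: not a finding, just not parseable
        reasons = inspect_record(rec)
        if reasons:
            findings.append(Finding(line_no, rec.get("src", "?"), reasons))
    return findings


# Constructed sample log (hypothetical field names, RFC 5737 test addresses), not real traffic.
SAMPLE_RECORDS = [
    {"src": "10.0.5.20", "dst_port": 3001, "method": "POST", "content_length": 512,
     "headers": {"Content-Type": "multipart/form-data; boundary=----abc123"}},
    {"src": "10.0.5.21", "dst_port": 3000, "method": "GET", "content_length": 0, "headers": {}},
    {"src": "203.0.113.9", "dst_port": 443, "method": "POST", "content_length": 9000,
     "headers": {"Content-Type": "application/json"}},      # not the webmail port: out of scope
    {"src": "198.51.100.7", "dst_port": 3001, "method": "POST", "content_length": 8192,
     "headers": {"Content-Type": "multipart/form-data; boundary=" + "A" * 600}},
    {"src": "198.51.100.8", "dst_port": 3000, "method": "POST", "content_length": 120,
     "headers": {"content-type": "text/plain; charset=" + "B" * 400}},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LINES):
        print(f"line {f.line_no} from {f.src}: " + "; ".join(f.reasons))
```

Scoping the check to the two webmail ports keeps a busy Exchange or HTTPS listener from flooding the output; the third sample record is a large POST that is deliberately left alone for that reason, while the last two are flagged for body size and header length respectively.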
The attackers' script disables AMSI protections, extracts a malicious DLL disguised as a Windows Update file, and registers it as a service named "WinSock2Helper" to maintain persistence. The DLL employs API hooking to intercept SMTP traffic, allowing attackers to harvest credentials and modify emails in transit. Notably, the malware uses RFC 5322 header injection to embed exfiltrated data into outbound emails, evading network detection.

In a May 12 advisory, MDaemon's parent company confirmed the vulnerability and is preparing an emergency patch, but thousands of servers remain unprotected. Organizations using MDaemon Webmail are urged to disable external access to ports 3000/3001 until a patch is deployed.
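Because the article says exfiltrated data is smuggled out inside injected RFC 5322 headers, a mail gateway can apply two cheap structural checks to outbound messages: fields that RFC 5322 section 3.6 allows at most once must not repeat, and extension (`X-*`) headers should not carry long base64-like blobs. The following is an added example for this article, not code from the article, WeliveSecurity or MDaemon; it uses only the Python standard library, and the 512-byte extension-header limit and the "base64-like" heuristic are assumptions about what a legitimate header looks like. Both messages are constructed samples.

```python
"""Spot outbound mail whose headers look like a covert exfiltration channel (added example)."""
import base64
import re
from email import policy
from email.parser import BytesParser

# Header fields RFC 5322 section 3.6 permits at most once per message.
UNIQUE_HEADERS = ["From", "Sender", "Reply-To", "To", "Cc", "Bcc", "Message-ID",
                  "In-Reply-To", "References", "Subject", "Date"]

# Assumption for this check: injected data hides in extension (X-*) headers, and a
# legitimate extension header is short and is not one long base64 run.
MAX_EXT_VALUE = 512
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def header_findings(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for name in UNIQUE_HEADERS:
        count = len(msg.get_all(name, []))          # get_all is case-insensitive
        if count > 1:
            findings.append(f"{name}: appears {count} times, RFC 5322 allows at most one")
    for name, value in msg.items():
        if not name.lower().startswith("x-"):
            continue
        flat = re.sub(r"\s+", "", str(value))        # drop folding whitespace before measuring
        why = []
        if len(flat) > MAX_EXT_VALUE:
            why.append(f"{len(flat)} bytes")
        if BASE64_BLOB.match(flat):
            why.append("base64-like value")
        if why:
            findings.append(f"{name}: suspicious extension header ({', '.join(why)})")
    return findings


# Constructed samples (example.test addresses), not captured traffic.
BENIGN = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: Q2 budget\r\n"
    b"Date: Thu, 15 May 2025 10:00:00 +0000\r\n"
    b"Message-ID: <a1@example.test>\r\n"
    b"X-Mailer: Thunderbird 115.0\r\n"
    b"\r\n"
    b"Numbers attached.\r\n"
)

# A base64 blob standing in for injected exfiltrated data (constructed, 780 bytes before encoding).
BLOB = base64.b64encode(b"constructed sample of exfiltrated data " * 20)
SUSPICIOUS = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: Q2 budget\r\n"
    b"Date: Thu, 15 May 2025 10:00:00 +0000\r\n"
    b"Message-ID: <a2@example.test>\r\n"
    b"Message-ID: <b7@example.test>\r\n"
    b"X-Sync-State: " + BLOB + b"\r\n"
    b"\r\n"
    b"Numbers attached.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, header_findings(raw) or "clean")
```

The duplicate-field rule is pure RFC 5322 and produces almost no false positives; the extension-header heuristic will occasionally flag legitimate tracking or signing headers, so it is better used to route messages to review than to block them outright.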
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 11:44:55 +0000