Iranian Hackers Use New PowerExchange Malware Against UAE

APT34, which is claimed to be supported by Iran, has attacked government institutions of the United Arab Emirates using the PowerExchange malware.

In cyber attacks organized by Iranian hackers, PowerExchange was used to open backdoors on Microsoft Exchange servers located in the targets’ companies. Hackers also deployed a web shell called ExchangeLeech that can steal users’ credentials after infiltrating respective Exchange servers via a phishing email containing an archived malicious executable.

The FortiGuard Labs research team said they found the PowerExchange backdoor in compromised systems of a government agency in the United Arab Emirates. The malware communicates with the command and control (C2) server using e-mails sent using the Exchange Web Services (EWS) API, and thus exposes the stolen information to attackers. sending.

Security researchers said that since the target Exchange server itself is used for command-and-control purposes, all backdoor traffic appears to be benign, thus avoiding virtually any network-based detection technology.

The most obvious one among the backdoor’s capabilities is that hackers can execute code on systems and steal files they want. FortiGuard Labs said the attack was linked to APT34, based on the similarities between PowerExchange and the TriFive malware that Iranian hackers had previously used to target Kuwait.

Source: Technopat by

*The article has been translated based on the content of Technopat by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!