This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 77%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
Hello everyone,
As per Microsoft Recommendations, we already installed all security patches earlier in the March and installed CU 20 updates. Here are the details about our issues. Any help on this will be appreciated:
Issue: High CPU utilization due to cmd.exe process
Exchange 2016 Standard
Work done so far:
All patches installed, CU 20 installed, Performed multiple scan with Microsoft Safety Scanner, every time it finds and remove "Backdoor:MSIL/Chopper.F!dha " but next day same issue occurs
Opened CMD.exe file with process explorer today and found following scripts:
C:\Windows\System32\cmd.exe -o 95.216.46.125:443 -u 44EspGiviPdeZSZyX1r3R9RhpGCkxYACEKUwbA4Gp6cVCzyiNeB21STWYsJZYZeZt63JaUn8CVxDeWWGs3f6XNxGPtSuUEX -k --tls -p MOON
Also ran Exchange Mitigation Tool and it did not found anything.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 47%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIS%3C/text%3E%3C/svg%3E)
We just got hit with this as well. Fully patched Exchange 2016.
That said, Microsoft did put out a new cumulative update this morning for both Exchange 2016 and Exchange 2019.
https://learn.microsoft.com/en-us/Exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
Ladies and gentlemen, get to patching!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 23%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
**** P.S. I just want to confirm that after almost a week no infections are detected by MSERT and Defender. So I can say the malware doesn't REGENERATE itself everyday but the server is BEING ATTACKED every single day. If you block the attack source you can survive for now.
Same problem here on a fully updated Windows 2019 running Exchange 2019 CU10.
But since this malware is related to attacks originating from China, I tried to limit access to port 443 only to domestic IP addresses on my firewall and so far infections have not come back in the last 24 hours :)
Since we have no users based abroad it worked as a feasible temporary workaround for me.
Will wait for future MS updates...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 13%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Blockquote
> Since we have no users based abroad it worked as a feasible temporary workaround for me
Blockquote
Until they figure out all they need is a VPN to make it look like they're accessing from your country...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 91%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hi,
Last week, users started noticing 'draft' emails they never created containing attachments. I ran MSERT and it found the two infections below:
Backdoor:MSIL/Chopper.F!dha
Backdoor:ASP/WebShell.C!MTB
Rebooted the server and no more infections found. I ran MSERT a few times since then and no infections found.
Today, users reported 'draft' emails appearing again. Ran the MSERT and it found the same infections.
At this point, I am not sure what else to do. By the way, I have Malware bytes installed and it did not detect it at all.
Any help will be greatly appreciated.
Thank you
Server 2019 STD
Exchange 2019
Fully patched and updated
We had the same issues. Running MSERT and cleanup the infected files but it kept regenerating every day (Once you are infected, Microsoft patches or MSERT does not fix this issue fully)
We end up building a new Exchange server and migrated all the mailboxes. It was a pain but resolved these issues fully.
JSSCGY-9407,
Yes, once the server is compromised is difficult to be 100% sure malware has been removed. Unfortunately, I do not have an Exchange expert in house to build a new one.
I
Thank you
I just want to confirm that after almost a week no infections are detected by MSERT and Defender. So I can say the malware doesn't REGENERATE itself everyday but the server is BEING ATTACKED every single day. If you block the attack source you can survive for now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 68%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
How do you check your server for attacks?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 25%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGD%3C/text%3E%3C/svg%3E)
Exchange Server 2016 CU21 fully patch
-We got the same issue on our server when it was running CU14 and their on premise IT didn't notice or check until user complain about the Drafts email issue. When I check on the Admin account its been creating malicious draft email for a month already. Good think no one had opened the attachment.\
2 Days after upgrading to CU21 and installing the July Patch. No one has complain yet for the same issue. so I hope it fixes the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 88%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHC%3C/text%3E%3C/svg%3E)
Can you update information now? My server have the same trouble/problem like you. Thanks!
Issue was fixed after the CU21 July update. Planning to install the CU22 uodate
Thanks sir. I'll update CU22 for my Exchange Server! So many thanks!