Published Jul 20, 2025 | Updated Jul 24, 2025

Trojan:PowerShell/MachineKeyFinder.DA!amsi

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:PowerShell/MachineKeyFinder.DA!amsi is a recently identified trojan that targets vulnerabilities in on-premises Microsoft SharePoint servers. It specifically aims for ASP.NET machine keys, the cryptographic keys that provide a layer of authentication and data protection, in order to establish a persistent foothold, escalate privileges, and move laterally within compromised networks.

The trojan also uses Anti-Malware Scan Interface (AMSI) evasion techniques to avoid detection as it continues with follow-on actions such as deploying web shells and stealing credentials.

Threat actors from Linen Typhoon and Violet Typhoon are behind this attack.

The vulnerabilities exploited by the script are patched under KB5002768 for SharePoint Subscription Edition, KB5002741 for SharePoint 2019, and KB5002744 for SharePoint 2016.

For more information and guidance from Microsoft, read the following:

Refer to the Mitigation and protection guidance in the Disrupting active exploitation of on-premises SharePoint vulnerabilities blog for details.

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
