Trojan:Win32/HijackSharePointServer.A

Trojan:Win32/HijackSharePointServer.A begins by exploiting critical SharePoint server vulnerabilities (CVE-2025-53770 and CVE-2025-53771) by submitting custom HTTP POST requests through the existing /_layouts/15/ToolPane.aspx exploitable endpoint. Trojan:Win32/HijackSharePointServer.A uses a spoofed value for the HTTP Referer header in its requests so that requests seem to be coming from /_layouts/SignOut.aspx. Once the request is allowed, Trojan:Win32/HijackSharePointServer.A creates malicious serialized .NET objects like System.Configuration.Install.AssemblyInstaller to initiate remote code execution (RCE) in the SharePoint environment.

After it gained initial access, the Trojan:Win32/HijackSharePointServer.A leverages that access to run Base64-encoded PowerShell scripts in the compromised IIS worker process (w3wp.exe). The scripts use cmd.exe to download more payloads including web shells and backdoors. One of the main goals is to exfiltrate ASP.NET cryptographic validation and decryption keys from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys giving the threat actor the trust authentication tokens to maintain their access.

Trojan:Win32/HijackSharePointServer. It crawls the network by scanning on Port 445, and Port 1433 with internally-developed Mimikatz modules. It creates persistence using scheduled tasks and regsvr32 to load malicious DLL mshelper.dll. Then it encrypts stolen data with AES-256-CBC, with key stored in-value, and exfiltrates the information to remote command and control servers. Further, the malware also takes anti-forensics steps by killing infosec products like MsMpEng.exe, and securely deleting logs such as winlog.dat to hide its existence and activities.

PowerShell commands for rotating machine keys:

• Set-SPMachineKey -WebApplication "<URL>" 
• Update-SPMachineKey -WebApplication "<URL>" 

Trojan:Win32/HijackSharePointServer.A drops the following files:

• \Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx (with variants: spinstall1.aspx and spinstall2.aspx)
• C:\Windows\Temp\mshelper.dll
• C:\Users\Public\Documents\winlog.dat
• \Web Server Extensions\[15-16]\TEMPLATE\LAYOUTS\ debug_dev.js

It creates and modifies the following processes:

• w3wp.exe (which launches cmd.exe or powershell.exe for command line functions to fetch payloads)
• powershell.exe -WindowStyle Hidden –ec (with a hidden flag and downloads more malware in the background)
• regsvr32.exe /s C:\Windows\Temp\mshelper.dll (to load malicious dlls)
• SharePointHealthMonitor (task under Scheduled Task for persistence)

It adds and modifies the following Windows Registry keys:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (added: SPHealthAgent key, value: mshelper.dll)
• HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters (modified: CacheSecurityDescriptor, value: 1)
• HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell (added: EnableScripts, value:1)

Trojan:Win32/HijackSharePointServer.A communicates to the following hosts:

• 131[.]226.2[.]6
• 134[.]199.202[.]205

It also accesses or downloads from the following URLs:

• api-cloudsync[.]net
• c34718cbb4c6.ngrok-free[.]app/file[.]ps1