TriFive
Description
(Palo Alto) TriFive is a previously unseen PowerShell-based backdoor that the xHunt actors installed on the compromised Exchange server, executing every five minutes via a scheduled task. TriFive provided backdoor access to the Exchange server by logging into a legitimate user’s inbox and obtaining a PowerShell script from an email draft within the deleted emails folder. The TriFive sample used a legitimate account name and credentials from the targeted organization. This suggests that the threat actor had stolen the account’s credentials prior to the installation of the TriFive backdoor.
Names
| Name |
|---|
| TriFive |
Category
Malware
Type
- Backdoor
Information
Other Information
Uuid
3b63f65e-6d5f-4ab4-b64f-750309ace196
Last Card Change
2021-01-20