WordPress Plugin Supply Chain Attack Gets Worse
30,000 websites at risk: Check yours ASAP! (800 Million Ostriches Can’t Be Wrong.)
The post WordPress Plugin Supply Chain Attack Gets Worse appeared first on Security Boulevard.
Spend more on security! Car and truck dealers fall back on pen and paper as huge SaaS provider gets hacked (again).
The post 30,000 Dealerships Down — ‘Ransomware’ Outage Outrage no. 2 at CDK Global appeared first on Security Boulevard.
While many businesses invest heavily in frontline defense tools to keep out bad actors, they spend far less time and money preparing for what happens when the criminals eventually get in.
The post Closing the Readiness Gap: How to Ensure a Fast Recovery From the Inevitable Cyber Attack appeared first on Security Boulevard.
A statewide outage of the Massachusetts 911 system was the result of a firewall that blocked calls from reaching emergency responders.
The post Massachusetts 911 Outage Caused by Errant Firewall appeared first on SecurityWeek.
The future of modeling catastrophic cyber risk hinges on our ability to move beyond misconceptions and confront the true extent of our exposure.
The post Debunking Common Myths About Catastrophic Cyber Incidents appeared first on Security Boulevard.
Or junk it if EOL: Two nasty vulnerabilities need an update—pronto.
The post ASUS Router User? Patch ASAP! appeared first on Security Boulevard.
The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.
In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.
In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.
Figure 1 - Fake Microsoft Teams Website
In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis showed that the binary was signed with an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.
Figure 2 - MSTeamsSetup_c_l_.exe File Information
Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:
Figure 3 - VirusTotal Signature Search Results
The results indicated other versions of the installer, each impersonating a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.
In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was signed with a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.
VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.
Oyster, aka Broomstick, aka CleanUpLoader, is a family of malware first spotted in September 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. Oyster Main was responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution.
In February, researchers on Twitter observed the same backdoor component and started to name the Oyster Main backdoor CleanUpLoader.
In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.
Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within its resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).
After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL by passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s is replaced with the path of CleanUp30.dll.
Figure 4 - Execution of CleanUp30.dll
After the execution of CleanUp30.dll, the program proceeds to launch the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.
During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard-coded mutual exclusion object (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Mutex creation is often used by programs to determine whether another instance is already running; if it is, the new instance terminates.
After creating the mutex, the binary determines its own path by calling the function GetModuleFileNameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:
schtasks.exe /create /tn ClearMngs /tr "rundll32 '<location of binary>\CleanUp30.dll',Test" /sc hourly /mo 3 /f
The purpose of the scheduled task ClearMngs is to execute the binary <location of binary>\CleanUp30.dll with the exported function Test using rundll32.exe every three hours.
After the creation of the scheduled task, the binary then proceeds to decode its C2 servers using a unique decoding function. The decoding function takes an encoded string and its length in bytes, and then reads the string one byte at a time, starting from the end.
Figure 5 - The DLL’s Decoding Loop
Each byte of the encoded string is used as an index into a hard-coded byte map to retrieve the decoded byte. A byte map is a byte array containing 256 bytes in a randomized order, one for each possible byte value from 0 to 255. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) used in the decoding loop's condition is compared to half of the encoded string's length, because the loop swaps two bytes at a time: it decodes and swaps the first and last bytes of the string, then progresses toward the center from each end.
The swap reverses the decoded string, as the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Because a byte sitting exactly at the center would never be touched by the swap, all the encoded strings passed to the routine must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware re-encodes the string using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.
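The decoding routine described above, written out as an added example (this is not Rapid7's extraction script and not code from the DLL). The DLL's real 256-byte table is not reproduced on this page, so the example assumes per-byte bit reversal as the byte map; that assumption reproduces the table rows below for the three C2 domains (including the trailing CRLF the table omits), OK, "} and \Temp\. Swap in the table carved from a real sample before trusting any other output.

```python
"""Decoder for the reversed, byte-mapped strings in CleanUp30.dll.

Added example, not Rapid7's extraction script. ASSUMPTION: the DLL's 256-byte
table is not reproduced on the page, so this uses per-byte bit reversal as the
map; that choice reproduces the table rows for the three C2 domains (with the
CRLF the table omits), OK, "} and \\Temp\\. Replace BYTE_MAP with the table
carved from a real sample.
"""


def bit_reverse_map() -> bytes:
    """ASSUMED byte map: entry b holds b with its eight bits reversed."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in range(256))


BYTE_MAP = bit_reverse_map()


def inverse_map(byte_map: bytes) -> bytes:
    """Invert the table; refuse anything that is not a permutation of 0..255."""
    if len(byte_map) != 256 or len(set(byte_map)) != 256:
        raise ValueError("byte map must be a permutation of 0..255")
    inv = bytearray(256)
    for encoded, decoded in enumerate(byte_map):
        inv[decoded] = encoded
    return bytes(inv)


def decode_string(encoded: bytes, byte_map: bytes = BYTE_MAP) -> bytes:
    """Mirror the DLL's loop: map the byte at each end, swap them, walk inward."""
    buf = bytearray(encoded)
    n = len(buf)
    for i in range(n // 2):
        j = n - 1 - i
        buf[i], buf[j] = byte_map[buf[j]], byte_map[buf[i]]
    if n % 2:
        # A centre byte is never reached by the swap (hence the even-length
        # rule described above); decode it anyway so odd inputs round-trip.
        buf[n // 2] = byte_map[buf[n // 2]]
    return bytes(buf)


def encode_string(plain: bytes, byte_map: bytes = BYTE_MAP) -> bytes:
    """Reverse the plaintext, then push every byte through the inverse table."""
    inv = inverse_map(byte_map)
    return bytes(inv[b] for b in reversed(plain))


def decode_hex(hex_string: str) -> str:
    """Decode one hex string as listed in the table below."""
    return decode_string(bytes.fromhex(hex_string)).decode("latin-1")


def c2_list(decoded: str) -> list:
    """Split the CRLF-delimited C2 string into individual domains."""
    return [line for line in decoded.split("\r\n") if line]


if __name__ == "__main__":
    # Hex values copied from the string table in this post.
    for hex_string in ("50b0b6f6c674a646a6b6f6164ea66ea64ea616ee",
                       "50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece",
                       "50b0aea6747686b64eaef69e2ec6a64e96262ea64e",
                       "d2f2", "be44", "3a0eb6a62a3a"):
        print(hex_string, "->", repr(decode_hex(hex_string)))
```

Because decode_string takes the map as a parameter, the same code works unchanged once the real table is extracted: read the 256 bytes from the sample, pass them as byte_map, and inverse_map will refuse the table if it is not a true permutation, which is a quick sanity check that you carved the right bytes.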
We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.
Figure 6 - Sample Output from Python Script
Running the script revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:
Hex Encoded String | Decoded String |
---|---|
2ec6a676766fc6f4960e86 | api/connect |
50b0aea6747686b64eaef69e2ec6a64e96262ea64e | retdirectyourman.eu |
50b0b6f6c674a646a6b6f6164ea66ea64ea616ee | whereverhomebe.com |
50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece | supfoundrysettlers.us |
76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2 | Content-Type: application/json |
76f696cece65cef4960e86 | api/session |
a61ea67426b6c63a346ceaf2eace9eca3a | \SysWOW64\cmd.exe |
a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a | \SysWOW64\rundll32.exe |
d2f2 | OK |
3a0eb6a62a3a | \Temp\ |
445c442696fa267686b6b6f6c6443444 | ","command_id":" |
be44 | "} |
445c44649644de | {"id":" |
445c442e36aecea64e443444 | ","result":" |
445c442696fa76f696cecea6ce443444 | ","session_id":" |
445c44ceae2e862ece443444 | ","status":" |
2e1e2e740eae7686a636c63a | \cleanup.txt |
445c44a6b68676fa4e652eae0eb6f6c6443444 | ","computer_name":" |
0ccc445c4476f696ce72a66efa363626443444 | ","dll_version":"30 |
445c44769686b6f626443444 | ","domain":" |
be44 | "} |
445c44649644de | {"id":" |
445c443686c6f636fa0e96443444 | ","ip_local":" |
445c44cef6443444 | ","os":" |
445c44263696ae46facef6443444 | ","os_build":" |
445c44a6e6a636656e964e0e443444 | ","privilege":" |
After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions:
Function | Description |
---|---|
DsRoleGetPrimaryDomainInformation | Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name. |
GetUserNameW | Provides the name of the user the program is running as. |
NetUserGetInfo | Provides details of the user under which the program is running. In this case, the program is querying whether the account has administrator privileges or is a standard user. |
GetComputerNameW | Provides the name of the compromised machine the binary is running on. |
RtlGetVersion | Returns version information about the currently running operating system including name and version number. |
Figure 7 - A Selection of the CleanUp30.dll Code that Outlines the Collection of System Information
While enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above.
Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains
The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.
After the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via HTTP POST. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and WebSockets.
Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/
Following the Execution of CleanUp30.dll
In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which also dropped the binary into the AppData\Local\Temp directory.
Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk
The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. Placing it there ensures that DiskCleanUp.lnk runs each time the user logs in. The shortcut was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.
Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads. Unfortunately, during the incident, we were unable to acquire those payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:
Enumeration | Description |
---|---|
systeminfo | Provides information about the system's software and hardware configuration |
arp -a | Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses |
net group 'domain computers' /domain | Lists the "Domain Computers" group within an Active Directory domain |
"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com | Determines the external IP address |
whoami /all | Provides detailed information about the current user including user's privileges, group memberships, and security identifiers (SIDs) |
nltest /dclist:<domain_name> | Lists all the domain controllers (DCs) for a specific domain |
net user admin | Provides detailed information about the user 'admin' including profile information, group memberships, local group memberships, etc |
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | Queries the registry to find information about installed software |
findstr "DisplayName" | Used to filter information, showing only items contained under "DisplayName" |
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:
Tactic | Technique | Description |
---|---|---|
Resource Development | Acquire Infrastructure: Domains (T1583.001) | Threat Actor set up typo-squatted domain micrsoft-teams-download[.]com in order to aid in the delivery of the executable MSTeamsSetup_c_l_.exe |
Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | Used to create .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1 |
Execution | User Execution: Malicious File (T1204.002) | User executes the binary MSTeamsSetup_c_l_.exe |
Persistence | Scheduled Task (T1053.005) | CleanUp30.DLL and CleanUp.DLL create scheduled task ClearMngs |
Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | MSTeamsSetup_c_l_.exe masquerades as legitimate Microsoft Teams installer |
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow |
Collection | Data from Local System (T1005) | Threat actors enumerated information about compromised hosts using the CleanUp backdoor DLLs |
Command and Control | Data Encoding: Non-Standard Encoding (T1132.002) | CleanUp DLLs send encoded data to C2s using a unique encoding function |
IOC | Hash | Description |
---|---|---|
TMSSetup.exe | 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 | The malicious executable downloaded from prodfindfeatures[.]com/ |
MSTeamsSetup_c_l_.exe | 574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 | The malicious executable downloaded from prodfindfeatures[.]com/ |
CleanUp30.dll | CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 | The .dll file that is run by rundll32.exe following the execution of MSTeamsSetup_c_l_.exe |
CleanUp.dll | 82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 | The .dll file that is run by rundll32.exe following the execution of TMSSetup.exe |
DiskCleanUp.lnk | - | An .lnk file that was created following the execution of CleanUp.dll |
prodfindfeatures[.]com/ | - | The domain hosting the malicious files TMSSetup (1).exe and MSTeamsSetup_c_l_.exe |
micrsoft-teams-download[.]com/ | - | The typo-squatted domain that users visited |
impresoralaser[.]pro/ | - | Part of the domain redirect chain for downloads of TMSSetup (1).exe and MSTeamsSetup_c_l_.exe |
whereverhomebe[.]com/ | - | Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
supfoundrysettlers[.]us/ | - | Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
retdirectyourman[.]eu/ | - | Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
149.248.79[.]62 | - | Resolving IP for whereverhomebe[.]com/ |
64.95.10[.]243 | - | Resolving IP for supfoundrysettlers[.]us/ |
206.166.251[.]114 | - | Resolving IP for retdirectyourman[.]eu/ |
Article | URL |
---|---|
Broomstick Malware Profile | https://exchange.xforce.ibmcloud.com/malware-analysis/guid:08822f57c12416bc3e74997c473d1889 |
Twitter Mention of CleanUpLoader | https://x.com/RussianPanda9xx/status/1757932257765945478 |
The US cybersecurity agency CISA has conducted a tabletop exercise with the private sector focused on AI cyber incident response.
The post CISA Conducts First AI Cyber Incident Response Exercise appeared first on SecurityWeek.
Copilot Plus? More like Copilot Minus: Redmond realizes Recall requires radical rethink.
The post Recall ‘Delayed Indefinitely’ — Microsoft Privacy Disaster is Cut from Copilot+ PCs appeared first on Security Boulevard.
Location tracking service leaks PII, because—incompetence? Seems almost TOO easy.
The post Tile/Life360 Breach: ‘Millions’ of Users’ Data at Risk appeared first on Security Boulevard.
Not our fault, says CISO: “UNC5537” breached at least 165 Snowflake instances, including Ticketmaster, LendingTree and, allegedly, Advance Auto Parts.
The post Ticketmaster is Tip of Iceberg: 165+ Snowflake Customers Hacked appeared first on Security Boulevard.
Fortinet, known for network security capabilities within its Fortinet Security Fabric cybersecurity platform, is bolstering its AI and cloud security capabilities with the planned acquisition of Lacework and its AI-based offerings. The companies announced the proposed deal on Monday, with expectations that it will close in the second half of the year. The plan is..
The post Fortinet to Expand AI, Cloud Security with Lacework Acquisition appeared first on Security Boulevard.
U.S. Senator Ron Wyden, who late last month asked federal agencies to investigate flaws in UnitedHealth Group’s cybersecurity measures that led to the massive ransomware attack that disrupted hundreds of hospital and pharmacy operations, now is pushing the Health and Human Services (HHS) Department to require such large health care organizations to immediately implement protections...
The post Senator: HHS Needs to Require Security Measures for Health Sector appeared first on Security Boulevard.
Spy warez: Assistant director of the FBI’s Cyber Division Bryan Vorndran (pictured) might have the key to unscramble your files.
The post LockBit Victim? Ask FBI for Your Ransomware Key appeared first on Security Boulevard.
Stress? What stress? 43% of IT professionals report that their organization had experienced a security breach that caused downtime and cost $1-10 million.
The post CDW Survey Surfaces Cybersecurity Tool Sprawl Challenges appeared first on Security Boulevard.
Log tampering is an almost inevitable part of a compromise. Why and how do cybercriminals target logs, and what can be done to protect them?
The post Why Hackers Love Logs appeared first on SecurityWeek.
Train people. It makes a difference. In organizations without security awareness training, 34% of employees are likely to click on malicious links or comply with fraudulent requests.
The post Cybersecurity Training Reduces Phishing Threats – With Numbers to Prove It appeared first on Security Boulevard.
Snowflake, Inc. says NO, threatening legal action against those who say it was. But reports are coming in of several more massive leaks from other Snowflake customers.
The post Was the Ticketmaster Leak Snowflake’s Fault? appeared first on Security Boulevard.
Security experts have been frustrated because no one was managing the Common Vulnerabilities and Exposures security reports. Good news: The NIST has hired a company to manage the backlog. Bad news: The company has no experience with this kind of security work.
The post The NIST Finally Hires a Contractor to Manage CVEs appeared first on Security Boulevard.
As DDoS attackers become more sophisticated and the attack surface grows exponentially, businesses must expand beyond an ideology of prevention to include a focus on early detection and response.
The post Adaptive DDoS Defense’s Value in the Security Ecosystem appeared first on Security Boulevard.
Senator Ron Wyden wants the FTC and SEC to investigate the ransomware attack on UnitedHealth's Change subsidiary to see if there was criminal negligence by the CEO or board.
The post Senator Calls for FTC, SEC Probe Into UnitedHealth’s ‘Negligence’ in Breach appeared first on Security Boulevard.
Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.
The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.
Source: securityboulevard.com – Author: Wajahat Raja Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details […]
The entry Black Basta Ransomware Attack: Microsoft Quick Assist Flaw – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.securityweek.com – Author: Eduard Kovacs MITRE has published another blog post describing the recent cyberattack, focusing on how the hackers abused its VMware systems for persistence and detection evasion. MITRE, a not-for-profit company operating R&D centers on behalf of US government sponsors, revealed one month ago that state-sponsored hackers had exploited zero-day vulnerabilities […]
The entry VMware Abused in Recent MITRE Hack for Persistence, Evasion – Source: www.securityweek.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.cybertalk.org – Author: slandau EXECUTIVE SUMMARY: Email is the #1 means of communication globally. It’s simple, affordable and easily available. However, email systems weren’t designed with security in mind. In the absence of first-rate security measures, email can become a hacker’s paradise, offering unfettered access to a host of tantalizingly lucrative opportunities. Optimize your […]
The entry 7 best practices for tackling dangerous emails – Source: www.cybertalk.org was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securelist.com – Author: Cristian Souza, Eduardo Ovalle, Ashley Muñoz, Christopher Zachor Introduction Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the […]
The entry ShrinkLocker: Turning BitLocker into ransomware – Source: securelist.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
MITRE has shared information on how China-linked hackers abused VMware for persistence and detection evasion in the recent hack.
The post VMware Abused in Recent MITRE Hack for Persistence, Evasion appeared first on SecurityWeek.
Co-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann
Rapid7 has identified an ongoing social engineering campaign that has been targeting multiple managed detection and response (MDR) customers. The incident involves a threat actor overwhelming a user's email with junk and then calling the user, offering assistance. The threat actor prompts impacted users to download remote monitoring and management software like AnyDesk or to utilize Microsoft's built-in Quick Assist feature in order to establish a remote connection. Once a remote connection has been established, the threat actor downloads payloads from their infrastructure in order to harvest the impacted user's credentials and maintain persistence on the impacted user's asset.
In one incident, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other assets within the compromised network. While ransomware deployment was not observed in any of the cases Rapid7 responded to, the indicators of compromise we observed were previously linked with the Black Basta ransomware operators based on OSINT and other incident response engagements handled by Rapid7.
Since late April 2024, Rapid7 identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.
With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.
In the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.
Once the threat actor successfully gains access to a user’s computer, they begin executing a series of batch scripts, presented to the user as updates, likely in an attempt to appear more legitimate and evade suspicion. The first batch script executed by the threat actor typically verifies connectivity to their command and control (C2) server and then downloads a zip archive containing a legitimate copy of OpenSSH for Windows (ultimately renamed to ***RuntimeBroker.exe***), along with its dependencies, several RSA keys, and other Secure Shell (SSH) configuration files. SSH is a protocol used to securely send commands to remote computers over the internet. While there are hard-coded C2 servers in many of the batch scripts, some are written so the C2 server and listening port can be specified on the command line as an override.
The script then establishes persistence via run key entries in the Windows registry. The run keys created by the batch script point to additional batch scripts that are created at run time. Each batch script pointed to by the run keys executes SSH via PowerShell in an infinite loop to attempt to establish a reverse shell connection to the specified C2 server using the downloaded RSA private key. Rapid7 observed several different variations of the batch scripts used by the threat actor, some of which also conditionally establish persistence using other remote monitoring and management solutions, including NetSupport and ScreenConnect.
In all observed cases, Rapid7 has identified the usage of a batch script to harvest the victim's credentials from the command line using PowerShell. The credentials are gathered under the false pretext that the “update” requires the user to log in. In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actor's server via a Secure Copy (SCP) command. In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.
In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.
In one incident, Rapid7 observed the threat actor attempting to deploy additional remote monitoring and management tools including ScreenConnect and the NetSupport remote access trojan (RAT). Rapid7 acquired the Client32.ini file, which holds the configuration data for the NetSupport RAT, including domains for the connection. Rapid7 observed the NetSupport RAT attempt communication with the following domains:
After successfully gaining access to the compromised asset, Rapid7 observed the threat actor attempting to deploy Cobalt Strike beacons, disguised as a legitimate Dynamic Link Library (DLL) named 7z.DLL, to other assets within the same network as the compromised asset using the Impacket toolset.
In our analysis of 7z.DLL, Rapid7 observed the DLL was altered to include a function whose purpose was to XOR-decrypt the Cobalt Strike beacon using a hard-coded key and then execute the beacon.
The threat actor would attempt to deploy the Cobalt Strike beacon by executing the legitimate binary 7zG.exe and passing a command line argument of `b`, i.e. `C:\Users\Public\7zG.exe b`. By doing so, the legitimate binary 7zG.exe side-loads 7z.DLL, which in turn executes the embedded Cobalt Strike beacon. This technique is known as DLL side-loading, a method Rapid7 previously discussed in a blog post on the IDAT Loader.
Upon successful execution, Rapid7 observed the beacon inject a newly created process, choice.exe.
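An analyst's first task with a side-loaded DLL like 7z.DLL is to get the embedded beacon out. The script below is an added example (not Rapid7's tooling and not the code in 7z.DLL): the post says only that the beacon is XOR-decrypted with a hard-coded key and gives no key length, so the script assumes a short repeating key and recovers it from the DOS-stub text that practically every PE carries, then walks back to the MZ header and carves the image using the section table to size it. The carrier file, the key and the stand-in PE are all constructed here.

```python
"""Carve an XOR-encrypted PE (e.g. a beacon) out of a carrier file.

Added example, not Rapid7's tooling and not the logic in 7z.DLL. The page says
only that the beacon is XOR-decrypted with a hard-coded key; the key length is
not stated, so this ASSUMES a short repeating key (<= MAX_KEY_LEN bytes) and
recovers it from the DOS-stub text present in almost every PE.
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
MAX_KEY_LEN = 8


def xor_range(data: bytes, key: bytes, start: int, length: int) -> bytes:
    """XOR data[start:start+length] with key aligned to offset 0 of data."""
    n = len(key)
    return bytes(data[i] ^ key[i % n] for i in range(start, min(start + length, len(data))))


def smallest_period(stream: bytes, max_len: int):
    """Shortest p <= max_len such that stream repeats every p bytes, else None."""
    for p in range(1, max_len + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def looks_like_pe(img: bytes) -> bool:
    if len(img) < 0x40 or img[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    return img[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_raw_size(img: bytes) -> int:
    """On-disk image size: the furthest end of any section's raw data."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    nsec = struct.unpack_from("<H", img, pe + 6)[0]            # NumberOfSections
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]       # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    end = table + 40 * nsec
    for k in range(nsec):                                      # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", img, table + 40 * k + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_xor_pe(carrier: bytes, max_key_len: int = MAX_KEY_LEN):
    """Return [(offset, key)] per embedded XOR'd PE; key is aligned to the PE start."""
    hits, stub_len = [], len(DOS_STUB)
    for off in range(len(carrier) - stub_len + 1):
        # Known plaintext: carrier ^ stub text yields the key stream if the stub is here.
        stream = bytes(c ^ p for c, p in zip(carrier[off:off + stub_len], DOS_STUB))
        period = smallest_period(stream, max_key_len)
        if period is None:
            continue
        key0 = bytes(stream[(k - off) % period] for k in range(period))   # carrier-aligned
        if not any(key0):
            continue   # plaintext PE (e.g. the carrier's own header), not an encrypted payload
        for start in range(off, max(off - 0x400, -1), -1):   # MZ header precedes the stub
            if looks_like_pe(xor_range(carrier, key0, start, 0x400)):
                hits.append((start, bytes(key0[(start + k) % period] for k in range(period))))
                break
    return hits


def carve(carrier: bytes, start: int, key: bytes) -> bytes:
    """Decrypt the embedded PE at `start` with a key aligned to the PE start."""
    limit = len(carrier) - start
    header = bytes(carrier[start + i] ^ key[i % len(key)] for i in range(min(0x1000, limit)))
    size = min(pe_raw_size(header), limit)
    return bytes(carrier[start + i] ^ key[i % len(key)] for i in range(size))


def build_sample_pe() -> bytes:
    """CONSTRUCTED stand-in for a beacon: minimal well-formed PE with one section."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                    # e_lfanew
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    img = bytes(hdr) + b"PE\0\0" + file_hdr + bytes(0xF0) + section
    return img.ljust(0x200, b"\0") + bytes(range(256))         # raw section data at 0x200


if __name__ == "__main__":
    key = b"\x5a\xc3\x19"                                      # constructed key
    payload = build_sample_pe()
    blob = b"junk" * 50 + bytes(b ^ key[i % 3] for i, b in enumerate(payload)) + b"tail" * 10
    for start, k in find_xor_pe(blob):
        print(f"embedded PE at 0x{start:x}, key {k.hex()}, {len(carve(blob, start, k))} bytes")
```

The known-plaintext approach sidesteps brute force entirely: with a repeating key the XOR of ciphertext and the 38-byte stub text is the key stream, and a short period in that stream is a strong signal that is very unlikely to occur by chance in unrelated data. Raise MAX_KEY_LEN if nothing is found; if the beacon was packed or the key is as long as the payload, this method will not apply and the decrypt routine itself has to be read out of the DLL.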
Rapid7 recommends baselining your environment for all installed remote monitoring and management solutions and utilizing application allowlisting solutions, such as AppLocker or Microsoft Defender Application Control, to block all unapproved RMM solutions from executing within the environment. For example, the Quick Assist tool, quickassist.exe, can be blocked from execution via AppLocker. As an additional precaution, Rapid7 recommends blocking domains associated with all unapproved RMM solutions. A public GitHub repo containing a catalog of RMM solutions, their binary names, and associated domains can be found here.
Rapid7 recommends ensuring users are aware of established IT channels and communication methods to identify and prevent common social engineering attacks. We also recommend ensuring users are empowered to report suspicious phone calls and texts purporting to be from internal IT staff.
Tactic | Technique | Procedure |
---|---|---|
Impact | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam. |
Initial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access. |
Execution | T1059.003: Command and Scripting Interpreter: Windows Command Shell | The threat actor executes batch script after establishing remote access to a user’s asset. |
Execution | T1059.001: Command and Scripting Interpreter: PowerShell | Batch scripts used by the threat actor execute certain commands via PowerShell. |
Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH. |
Defense Evasion | T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The threat actor uses cacls.exe via batch script to modify file permissions. |
Defense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypted several zip archive payloads with the password “qaz123”. |
Credential Access | T1056.001: Input Capture: Keylogging | The threat actor runs a batch script that records the user’s password via command line input. |
Discovery | T1033: System Owner/User Discovery | The threat actor uses whoami.exe to evaluate if the impacted user is an administrator or not. |
Lateral Movement | T1570: Lateral Tool Transfer | Impacket was used to move payloads between compromised systems. |
Command and Control | T1572: Protocol Tunneling | An SSH reverse tunnel is used to provide the threat actor with persistent remote access. |
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:
Detections |
---|
Attacker Technique - Renamed SSH For Windows |
Persistence - Run Key Added by Reg.exe |
Suspicious Process - Non Approved Application |
Suspicious Process - 7zip Executed From Users Directory (*InsightIDR product only customers should evaluate and determine if they would like to activate this detection within the InsightIDR detection library; this detection is currently active for MDR/MTC customers) |
Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command |
Network Discovery - Domain Controllers via Net.exe |
Domain/IPv4 Address | Notes |
---|---|
upd7[.]com | Batch script and remote access tool host. |
upd7a[.]com | Batch script and remote access tool host. |
195.123.233[.]55 | C2 server contained within batch scripts. |
38.180.142[.]249 | C2 server contained within batch scripts. |
5.161.245[.]155 | C2 server contained within batch scripts. |
20.115.96[.]90 | C2 server contained within batch scripts. |
91.90.195[.]52 | C2 server contained within batch scripts. |
195.123.233[.]42 | C2 server contained within batch scripts. |
15.235.218[.]150 | AnyDesk server used by the threat actor. |
greekpool[.]com | Primary NetSupport RAT gateway. |
rewilivak13[.]com | Secondary NetSupport RAT gateway. |
77.246.101[.]135 | C2 address used to connect via AnyDesk. |
limitedtoday[.]com | Cobalt Strike C2 domain. |
thetrailbig[.]net | Cobalt Strike C2 domain. |
File | SHA256 | Notes |
---|---|---|
s.zip | C18E7709866F8B1A271A54407973152BE1036AD3B57423101D7C3DA98664D108 | Payload containing SSH config files used by the threat actor. |
id_rsa | 59F1C5FE47C1733B84360A72E419A07315FBAE895DD23C1E32F1392E67313859 | Private RSA key that is downloaded to impacted assets. |
id_rsa_client | 2EC12F4EE375087C921BE72F3BD87E6E12A2394E8E747998676754C9E3E9798E | Private RSA key that is downloaded to impacted assets. |
authorized_keys | 35456F84BC88854F16E316290104D71A1F350E84B479EEBD6FBB2F77D36BCA8A | Authorized key downloaded to impacted assets by the threat actor. |
RuntimeBroker.exe | 6F31CF7A11189C683D8455180B4EE6A60781D2E3F3AADF3ECC86F578D480CFA9 | Renamed copy of the legitimate OpenSSH for Windows utility. |
a.zip | A47718693DC12F061692212A354AFBA8CA61590D8C25511C50CFECF73534C750 | Payload that contains a batch script and the legitimate ScreenConnect setup executable. |
a3.zip | 76F959205D0A0C40F3200E174DB6BB030A1FDE39B0A190B6188D9C10A0CA07C8 | Contains a credential harvesting batch script. |
*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*
Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it’s also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected leading to further compromise.
Rapid7 consistently monitors emergent threats to identify areas for new detection opportunities. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule, Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation, available for all IDR customers to detect the usage of `text-inline.vm` consistent with the exploitation of CVE-2023-22527. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7's blog on CVE-2023-22527.
Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. These servers were both running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE) capabilities. Rapid7 reviewed server access logs to identify the presence of suspicious `POST` requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the `text-inline.vm` component of Confluence by sending a modified POST request to the server.
Evidence showed multiple instances of exploitation of this CVE; however, evidence of an embedded command would not be available within the standard header information logged within access logs. Packet Capture (PCAP) was not available to be reviewed to identify embedded commands, but the identified `POST` requests are consistent with the exploitation of the CVE.
The following are a few examples of the exploitation of the Confluence CVE found within access logs:
Access.log Entry |
---|
POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 |
POST /template/aui/text-inline.vm HTTP/1.0 200 70ms 7750 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 |
POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 |
Evidence showed the execution of a `curl` command post-exploitation of the CVE resulting in the dropping of cryptomining malware to the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified `curl` command. This indicates that the dropped cryptomining malware was directly tied to Confluence CVE exploitation.
As a result of the executed `curl` command, the file `w.sh` was written to the `/tmp/` directory on the system. This file is a bash script used to enumerate the operating system, download cryptomining installation files, and then execute the cryptomining binary. The bash script then executed the `wget` command to download `javs.tar.gz` from the IP address 38.6.173[.]11 over port 80. This file was identified to be the XMRigCC cryptomining malware, which caused a spike in system resource utilization consistent with cryptomining activity. The service `javasgs_miner.service` was created on the system and set to run as root to ensure persistence.
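A miner that persists through a systemd unit running as root from `/tmp` is a pattern worth sweeping for across a fleet, not just on the two servers in this case. The following is an added example, not Rapid7's code: it parses systemd unit text and flags units whose `ExecStart` points into a world-writable directory, noting whether they run as root and whether they are enabled at boot. The unit contents are constructed; `javasgs_miner.service` is the name reported in this investigation, but its body below is invented for illustration.

```python
"""Review systemd service units for dropped-in persistence: a unit that launches a
binary from a world-writable directory and runs as root.

Added example, not Rapid7's code. Unit texts below are constructed.
"""
import shlex

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_unit(text):
    """Minimal INI-style parser that keeps repeated keys (systemd allows them)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def assess_unit(text):
    """Return the reasons a unit looks like persistence (empty list = nothing found)."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    reasons = []
    for exec_line in service.get("ExecStart", []) + service.get("ExecStartPre", []):
        # Strip systemd's exec-prefix characters (-, @, :, +, !) before splitting argv.
        argv = shlex.split(exec_line.lstrip("-@:+!"))
        if argv and argv[0].startswith(WORLD_WRITABLE):
            reasons.append(f"executes {argv[0]} from a world-writable directory")
    if reasons:
        # No User= line means the service runs as root.
        user = service.get("User", ["root"])[-1]
        if user == "root":
            reasons.append("runs as root")
        if "WantedBy" in unit.get("Install", {}):
            reasons.append("enabled at boot via [Install] WantedBy=")
    return reasons


def scan_units(units):
    """units: {unit_name: unit_text}. Returns {unit_name: reasons} for flagged units only."""
    return {name: r for name, text in units.items() if (r := assess_unit(text))}


# Constructed sample units: one mimicking the miner persistence, one benign.
SAMPLE_UNITS = {
    "javasgs_miner.service": """[Unit]
Description=java service

[Service]
ExecStart=/tmp/javs/miner -c /tmp/javs/config.json
Restart=always

[Install]
WantedBy=multi-user.target
""",
    "nginx.service": """[Unit]
Description=nginx

[Service]
ExecStart=/usr/sbin/nginx -g 'daemon on;'
User=www-data
""",
}

if __name__ == "__main__":
    for name, reasons in scan_units(SAMPLE_UNITS).items():
        print(name, "->", "; ".join(reasons))
```

In practice you would feed `scan_units` the contents of `/etc/systemd/system/*.service` and `/usr/lib/systemd/system/*.service`, and pair it with a check of unit file timestamps against the intrusion window.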
The following is a snippet of code contained within `w.sh` defining communication parameters for the downloading and execution of the XMRigCC binary.
Rapid7 found additional log evidence within `Catalina.log` that references the download of the above file inside of an HTTP response header. This response registered as ‘invalid’ as it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the above Catalina log may prove useful for analysts to identify additional proof of attempted or successful exploitation.
Catalina Log Entry |
---|
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz... ] has been removed from the response because it is invalid |
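Both log sources above can be hunted with the same small script: the access log for a `POST` to `/template/aui/text-inline.vm` returning 200 followed by a `GET` from the same client whose path mentions `curl` (the log-based IOC listed at the end of this post), and Catalina for the warning Tomcat emits when it drops an `X-Cmd-Response` header it cannot serialise. The following is an added example, not Rapid7's tooling. It assumes a Confluence-style access log layout of `[timestamp] user thread client_ip METHOD path proto status durationms bytes referer user-agent`; adjust `ACCESS_RE` if your pattern differs. All log lines are constructed, with TEST-NET addresses in place of real ones.

```python
"""Hunt Confluence access.log and Catalina.log for the CVE-2023-22527 pattern.

Added example, not Rapid7's tooling. Log lines below are constructed; the
access.log layout is an assumption (see ACCESS_RE).
"""
import re
from collections import defaultdict

ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \S+ \S+ (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"HTTP/[\d.]+ (?P<status>\d{3})"
)
EXPLOIT_PATH = "/template/aui/text-inline.vm"
# Tomcat logs this warning when it removes a response header with an invalid value;
# in this campaign the command output landed in a header named X-Cmd-Response.
CATALINA_RE = re.compile(r"header \[X-Cmd-Response\] with value \[(?P<value>[^\]]*)\]")


def parse_access(line):
    """Return the parsed fields of one access.log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def count_exploit_posts(access_lines):
    """Number of POST requests to text-inline.vm regardless of status."""
    return sum(1 for l in access_lines
               if (r := parse_access(l)) and r["method"] == "POST" and r["path"] == EXPLOIT_PATH)


def find_exploit_chains(access_lines):
    """(ip, post_timestamp, follow_up_path) for each client that POSTed to text-inline.vm
    with a 200 and later issued a GET whose path mentions curl."""
    pending = defaultdict(list)   # ip -> timestamps of successful exploit POSTs
    chains = []
    for line in access_lines:
        rec = parse_access(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"] == EXPLOIT_PATH and rec["status"] == "200":
            pending[rec["ip"]].append(rec["ts"])
        elif rec["method"] == "GET" and "curl" in rec["path"].lower() and pending[rec["ip"]]:
            chains.append((rec["ip"], pending[rec["ip"]][-1], rec["path"]))
    return chains


def find_cmd_response_values(catalina_lines):
    """Values Tomcat stripped from X-Cmd-Response headers (often a download URL)."""
    return [m.group("value").strip() for l in catalina_lines if (m := CATALINA_RE.search(l))]


# Constructed sample logs.
SAMPLE_ACCESS = [
    "[25/Jan/2024:10:01:12 +0000] - http-nio-8090-exec-12 203.0.113.10 POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0)",
    "[25/Jan/2024:10:01:14 +0000] - http-nio-8090-exec-13 203.0.113.10 GET /s/curl HTTP/1.0 404 3ms 120 - Mozilla/5.0 (Windows NT 10.0)",
    "[25/Jan/2024:10:02:00 +0000] alice http-nio-8090-exec-14 198.51.100.7 GET /rest/api/content HTTP/1.1 200 12ms 3300 - Mozilla/5.0",
    "[25/Jan/2024:10:03:45 +0000] - http-nio-8090-exec-15 198.51.100.9 POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Macintosh)",
]
SAMPLE_CATALINA = [
    "25-Jan-2024 10:01:13.002 WARNING [http-nio-8090-exec-12 url: /rest/table-filter/1.0/service/license; user: redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://203.0.113.10/miner.tar.gz miner.tar.gz... ] has been removed from the response because it is invalid",
    "25-Jan-2024 10:05:00.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 4200 ms",
]

if __name__ == "__main__":
    print("exploit POSTs:", count_exploit_posts(SAMPLE_ACCESS))
    print("exploit -> curl chains:", find_exploit_chains(SAMPLE_ACCESS))
    print("stripped X-Cmd-Response values:", find_cmd_response_values(SAMPLE_CATALINA))
```

Every `POST` to `text-inline.vm` with a 200 is worth a look on its own, since a legitimate client has no reason to post to that template; the chain check is there to rank which source addresses to triage first.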
Rapid7 then shifted focus to begin a review of system network connections on both servers. Evidence showed an active connection with the known-abused IP address 193.29.13[.]179 communicating over port 8888 from both servers. `netstat` command output showed that the network connection’s source program was called `X-org` and was located within the system’s `/tmp` directory. According to firewall logs, the first identified communication from this server to the malicious IP address aligned with the timestamps of the identified `X-org` file creation. Rapid7 identified another malicious file residing on the secondary server named `X0`. Both files shared the same SHA256 hash, indicating that they are the same binary. The hash for these files has been provided below in the IOCs section.
A review of firewall logs provided a comprehensive view of the communications between affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available Indicators of Compromise (IOCs). Within the Sliver payload, Rapid7 confirmed that the IP address 193.29.13[.]179 would be contacted over port 8888 using the mTLS authentication protocol.
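The `netstat` observation above generalises into a quick host triage check: any established connection owned by a process whose executable lives in `/tmp`, `/var/tmp` or `/dev/shm` deserves a look, and an unusual remote port such as 8888 strengthens the signal. The following is an added example, not Rapid7's procedure. `NETSTAT_OUTPUT` mimics the Linux net-tools `netstat -tunap` layout and `PID_EXE` stands in for what `readlink /proc/<pid>/exe` would return; both are constructed, with TEST-NET addresses in place of the real C2.

```python
"""Flag established connections owned by processes running from temp directories.

Added example, not Rapid7's procedure. NETSTAT_OUTPUT and PID_EXE are constructed;
PID_EXE stands in for readlink on /proc/<pid>/exe.
"""
import re

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# net-tools layout: Proto Recv-Q Send-Q Local Foreign State PID/Program. Rows whose
# PID column shows '-' (not enough privilege to read it) deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_netstat(text):
    """Parse connection rows; header and unparsable rows are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.match(line.strip()))]


def split_endpoint(endpoint):
    """'203.0.113.77:8888' -> ('203.0.113.77', 8888); handles IPv6 by splitting on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def find_suspicious(netstat_text, pid_exe, expected_ports=(80, 443)):
    """Established connections whose owning executable sits in a temp directory."""
    hits = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED":
            continue  # listeners have '*' as the foreign port and are out of scope here
        pid = int(c["pid"])
        exe = pid_exe.get(pid, "")
        if not exe.startswith(TEMP_DIRS):
            continue
        _, rport = split_endpoint(c["remote"])
        reasons = [f"process image in temp dir: {exe}"]
        if rport not in expected_ports:
            reasons.append(f"non-standard remote port {rport}")
        hits.append({"pid": pid, "program": c["prog"], "remote": c["remote"],
                     "exe": exe, "reasons": reasons})
    return hits


# Constructed sample: a Confluence listener, one implant-like connection, one benign HTTPS session.
NETSTAT_OUTPUT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN      1187/java
tcp        0      0 10.0.0.5:52114          203.0.113.77:8888       ESTABLISHED 2231/X-org
tcp        0      0 10.0.0.5:43210          198.51.100.20:443       ESTABLISHED 1187/java
"""
PID_EXE = {1187: "/opt/atlassian/confluence/jre/bin/java", 2231: "/tmp/X-org"}

if __name__ == "__main__":
    for hit in find_suspicious(NETSTAT_OUTPUT, PID_EXE):
        print(hit["pid"], hit["program"], hit["remote"], "->", "; ".join(hit["reasons"]))
```

On a live host the `PID_EXE` map comes from `/proc/<pid>/exe`, which also reveals the `(deleted)` suffix when an implant has unlinked its own binary after starting, a detail `netstat` alone will not show.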
After Sliver first communicated with the established C2, it checked the username associated with the current session on the local system, read `/etc/passwd` and `/etc/machine-id`, and then communicated back with the C2 again. The contents of `passwd` and `machine-id` provide system information such as the hostname and any account on the system. Cached credentials from the system were discovered to be associated with outbound C2 traffic, further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.
The Sliver C2 connection was later used to execute `wget` commands used to download Kerbrute, Traitor, and Fscan to the servers. Kerbrute was executed from `/dev/shm` and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication. The Traitor binary was executed from the `/var/tmp` directory and contains the functionality to leverage Pwnkit and Dirty Pipe, as seen within evidence on the system. Fscan was executed from the `/var/tmp` directory with the file name `f` and performed scanning to enumerate systems present within the environment. Rapid7 performed containment actions to deny any further threat actor activity. No additional post-exploitation objectives were identified within the environment.
To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:
- Ensure that unnecessary ports and services are disabled on publicly-facing servers.
- All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.
- Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.
- Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.
- Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.
Tactics | Techniques | Details |
---|---|---|
Command and Control | Application Layer Protocol (T1071) | Sliver C2 connection |
Discovery | Domain Account Discovery (T1087) | Kerbrute enumeration of Active Directory |
Reconnaissance | Active Scanning (T1595) | Fscan enumeration |
Privilege Escalation | Setuid and Setgid (T1548.001) | Traitor privilege escalation |
Execution | Unix Shell (T1059.004) | The Sliver payload and follow-on command executions |
Credential Access | Brute Force (T1110) | Kerbrute Active Directory brute force component |
Credential Access | OS Credential Dumping (T1003.008) | Extracting the contents of /etc/passwd file |
Impact | Resource Hijacking (T1496) | Execution of cryptomining software |
Initial Access | Exploit Public-Facing Application (T1190) | Evidence of text-inline abuse within Confluence logs |
Attribute | Value | Description |
---|---|---|
Filename and Path | /dev/shm/traitor-amd64 | Privilege escalation binary |
SHA256 | fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 | Hash for Traitor binary |
Filename and Path | /var/tmp/kerbrute_linux_amd64 | Kerbrute enumeration of Active Directory |
SHA256 | 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | Hash for Kerbrute binary |
Filename and Path | /var/tmp/f | Fscan enumeration |
SHA256 | b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 | Hash for Fscan binary |
Filename and Path | /tmp/X0 | Sliver binary |
SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash for Sliver binary |
Filename and Path | /tmp/X-org | Sliver binary |
SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash for Sliver binary |
IP Address | 193.29.13.179 | Sliver C2 IP address |
Filename and Path | /tmp/w.sh | Bash script for XMRigCC cryptominer |
SHA256 | 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 | Hash for bash script |
Filename and Path | /tmp/javs.tar.gz | Compressed crypto installation files |
SHA256 | ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b | Hash for crypto installation files |
Log-Based IOC | "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by GET request containing curl | Exploit behavior within Confluence access.log |
IP Address | 195.80.148.18 | IP address associated with exploit behavior of text-inline followed by curl |
IP Address | 103.159.133.23 | IP address associated with exploit behavior of text-inline followed by curl |