RSS Analysis Reports from National Cyber Awareness System
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR. Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Report: MAR-10478915-1.v1 Citrix Bleed

Summary

Description: Responding to the recently disclosed CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA received four files for analysis. They show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management (WinRM). The files include:
For more information about this vulnerability, see the Joint Cybersecurity Advisory "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability".

Download the PDF version of this report: MAR-10478915-1.v1 Citrix Bleed (PDF, 547.33 KB)

For a downloadable copy of IOCs associated with this MAR in JSON format, see: AR23-325A JSON (JSON, 37.22 KB)
Submitted Files (4)

17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994 (a.dll)
906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6 (a.py)
98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9 (a.bat)
e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068 (a.exe)

Findings

98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9 (a.bat)
Antivirus: No matches found.
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This file is a Windows batch file called a.bat that is used to execute the file a.exe with the file a.dll as an argument. The output is written to a file named 'z.txt' in the path C:\Windows\Tasks. Next, a.bat pings the loopback Internet Protocol (IP) address 127.0.0[.]1 three times. It then runs reg save to save the HKLM\SYSTEM registry hive to C:\Windows\tasks\em. a.bat again pings the loopback address 127.0.0[.]1, once, before executing another reg save command that saves the HKLM\SAM registry hive to C:\Windows\Task\am. Next, a.bat runs three makecab commands to create three Cabinet (.cab) files from the previously saved registry hives and one file named C:\Users\Public\a.png. The names of the .cab files are as follows:

--Start names and paths of .cab files created--

Screenshots

e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068 (a.exe)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC endpoint to obtain a file path to the LSASS process on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, the malware outputs the message "[*]success" in the console.

17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994 (a.dll)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This file is a 64-bit Windows DLL called a.dll that is passed by a.bat as a parameter to a.exe. The file a.exe loads this DLL into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\Users\Public. Next, a.dll loads DbgCore.dll and uses the MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, a.bat uses a.png to create the cabinet file a.cab in the path C:\Windows\Tasks.

Screenshots

906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6 (a.py)
Antivirus: No matches found.
YARA Rules
ssdeep Matches: No matches found.
Description: This file is a Python script called a.py that attempts to establish a session over WinRM. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword "hashpasswd" is present; otherwise it attempts basic authentication. Once a WinRM session is established with the remote machine, the script can execute command line arguments on the remote machine. If no command is specified, a default command of "whoami" is run.

Screenshots

Relationship Summary
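As an added detection example (not code from the CISA report), the following Python correlates process-creation events for the a.bat chain described above: reg save of the SAM and SYSTEM hives, followed by makecab on the same host, with staging under C:\Windows\Tasks as an aggravating signal. The pipe-delimited log format, the host and user names, and the inclusion of the SECURITY hive are assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hives whose offline copies expose local credential material. The batch file
# saves SAM and SYSTEM; SECURITY is added here as an assumed generalisation.
HIVE_RE = re.compile(r"\bHKLM\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
REG_SAVE_RE = re.compile(r'(?:^|[\\\s"])reg(?:\.exe)?\s+save\b', re.IGNORECASE)
MAKECAB_RE = re.compile(r'(?:^|[\\\s"])makecab(?:\.exe)?\b', re.IGNORECASE)
# Staging location used by a.bat (C:\Windows\Tasks, also seen as C:\Windows\Task).
TASKS_DIR_RE = re.compile(r"[A-Z]:\\Windows\\Tasks?\\", re.IGNORECASE)

# Constructed process-creation events in an assumed "timestamp|host|user|command line"
# format; they are not telemetry from the report.
SAMPLE_EVENTS = [
    r"2023-11-14T09:12:01Z|WS-FIN-07|CORP\svc_backup|cmd.exe /c a.exe a.dll >> C:\Windows\Tasks\z.txt",
    r"2023-11-14T09:12:04Z|WS-FIN-07|CORP\svc_backup|ping -n 3 127.0.0.1",
    r"2023-11-14T09:12:08Z|WS-FIN-07|CORP\svc_backup|reg save HKLM\SYSTEM C:\Windows\tasks\em",
    r"2023-11-14T09:12:10Z|WS-FIN-07|CORP\svc_backup|reg save HKLM\SAM C:\Windows\Task\am",
    r"2023-11-14T09:12:15Z|WS-FIN-07|CORP\svc_backup|makecab C:\Windows\tasks\em C:\Windows\tasks\em.cab",
    r"2023-11-14T09:12:16Z|WS-FIN-07|CORP\svc_backup|makecab C:\Users\Public\a.png C:\Windows\Tasks\a.cab",
    r"2023-11-14T10:30:00Z|SRV-BKP-01|CORP\admin|reg save HKLM\SYSTEM D:\backup\system.hiv",
    r"2023-11-14T10:30:02Z|SRV-BKP-01|CORP\admin|reg save HKLM\SAM D:\backup\sam.hiv",
    r"2023-11-14T11:02:44Z|WS-HR-03|CORP\jdoe|makecab C:\Users\jdoe\report.docx C:\Users\jdoe\report.cab",
]


def parse_event(line):
    """Split one pipe-delimited event into a dict with a parsed UTC timestamp."""
    ts, host, user, cmdline = line.rstrip("\n").split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmdline": cmdline}


def classify(cmdline):
    """Return ("reg_save", HIVE), ("makecab", None) or (None, None) for a command line."""
    if REG_SAVE_RE.search(cmdline):
        m = HIVE_RE.search(cmdline)
        if m:
            return "reg_save", m.group(1).upper()
    if MAKECAB_RE.search(cmdline):
        return "makecab", None
    return None, None


def _recent_pair(pending, ref_ts, window):
    """Hive saves within `window` before ref_ts, if they include both SAM and SYSTEM."""
    recent = {h: e for h, e in pending.items() if timedelta(0) <= ref_ts - e["ts"] <= window}
    return recent if {"SAM", "SYSTEM"}.issubset(recent) else None


def _finding(host, pair, archived_by=None):
    events = list(pair.values()) + ([archived_by] if archived_by else [])
    return {
        "host": host,
        "users": sorted({e["user"] for e in events}),
        "hives": sorted(pair),
        "archived": archived_by is not None,  # a makecab followed the saves
        "staged_in_tasks_dir": any(TASKS_DIR_RE.search(e["cmdline"]) for e in events),
        "first_seen": min(e["ts"] for e in events).isoformat(),
        "last_seen": max(e["ts"] for e in events).isoformat(),
    }


def detect_hive_dump_chains(lines, window=timedelta(minutes=15)):
    """Correlate, per host, reg save of SAM+SYSTEM with a following makecab.

    A SAM+SYSTEM pair saved within `window` yields one finding; if a makecab
    runs on the host within the window of those saves the finding is marked
    archived (the a.bat pattern). Saves under C:\\Windows\\Tasks are flagged.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        kind, hive = classify(ev["cmdline"])
        if kind:
            by_host[ev["host"]].append((ev, kind, hive))

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0]["ts"])
        pending = {}  # hive -> most recent reg save event not yet reported
        for ev, kind, hive in evs:
            if kind == "reg_save":
                pending[hive] = ev
                continue
            pair = _recent_pair(pending, ev["ts"], window)  # kind == "makecab"
            if pair:
                findings.append(_finding(host, pair, archived_by=ev))
                pending = {}
        if pending:
            # Hive pair saved but never archived: still worth an analyst's look.
            pair = _recent_pair(pending, max(e["ts"] for e in pending.values()), window)
            if pair:
                findings.append(_finding(host, pair))
    return findings


if __name__ == "__main__":
    for f in detect_hive_dump_chains(SAMPLE_EVENTS):
        print(f)
```

On the constructed events the finance workstation produces an archived, Tasks-staged finding while the backup server produces a lower-confidence unarchived one; tune the window and add exclusions for sanctioned backup jobs before deploying.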
Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.
Report: AR23-250A

Summary

Description: CISA obtained five malware samples, including artifacts related to the SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). For information about related malware, specifically the initial exploit payload, the SEASPY backdoor, the WHIRLPOOL backdoor, and the SUBMARINE backdoor, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:
AR23-250A_PDF (PDF, 1.05 MB)

For a downloadable copy of IOCs associated with this MAR in JSON format, see: AR23-250A_JSON (JSON, 41.77 KB)
Submitted Files (5)

4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c (machineecho_-n_Y2htb2QgK3ggL3J...)
44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598 (mod_sender.lua)
63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90 (get_fs_info.pl)
9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf (saslautchd)
caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc (mod_rft.so)

Findings

4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c (machineecho_-n_Y2htb2QgK3ggL3J...)
Antivirus: No matches found.
YARA Rules: No matches found.
ssdeep Matches: No matches found.
Description: This file is a SUBMARINE artifact, an empty text/data file. The name of the file is designed to exploit a vulnerability in the target environment: the base64 string within the file name is executed by the Linux shell. The code in Figure 1 changes the permissions of any directory, file, or path that begins with '/root/mac' to executable. Then, anything containing the string 'mach*' in the directory/file/path '/root/mach' is executed.

Screenshots
63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90 (get_fs_info.pl)
Antivirus: No matches found.
YARA Rules
ssdeep Matches: No matches found.
Description: This artifact, belonging to the SKIPJACK malware family, is a Perl script that enumerates file system information. The script first checks the file system by opening '/etc/fstab.main/', then checks the value against 'ARGV[0]', which Perl automatically provides to hold the values passed on the command line. The script prints either 'xfs' or 'hda' depending on the type of file system it finds. The script contains a second if statement that gathers more information about the type of file system. This second if statement contains the regular expression '/^\/dev\/(\S+)\d+\s+\/\s+(\S+)/', which translates to '/etc/fstab'. The script uses this second half of the code to check for the file system type or information about the partition, which it then prints based on the value of '$requested_data'.

Screenshots
44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598 (mod_sender.lua)
Antivirus: No matches found.
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This artifact is a trojanized Lua module that has been identified as a "SEASPRAY" variant. SEASPRAY registers an event handler for all incoming email attachments. This variant checks for the sender and the string "obt", which is hard coded in the Lua file. If that string is found, the malware uses os.execute to execute the file "saslautchd"; see Figure 3.

Screenshots
9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf (saslautchd)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This artifact, belonging to the WHIRLPOOL malware family, is a 64-bit Linux Executable and Linkable Format (ELF) file. The malware checks processor hardware and architecture, including whether the target system uses AMD or Intel; see Figure 4. Figure 5 shows the malware determining the kernel version by invoking the 'uname' command and reading the contents of the '/proc/sys/kernel/osrelease' file. Figures 6, 7, and 8 show the malware's capacity to connect to a remote address and then create a new process with the command line argument '/bin/sh'. The connection to a remote host and the invocation of a shell (/bin/sh) are the two components, or phases, used by reverse shells. Figure 9 shows the malware's capacity to interact with the Name Service Cache Daemon (nscd) by creating and connecting to a Unix socket at '/var/run/nscd/socket'. This socket can cache Domain Name System (DNS) requests: rather than listening on port 53, nscd listens on the socket file itself for data from other programs and processes. Figure 10 shows the malware's capacity to perform DNS resolution, using the system call 'sys_getpeername'. The malware accesses the target's environment variables, listed below:

--Begin Accessed Environment Variables--

The malware further accesses the following files at runtime:

--Begin Accessed Files--

Screenshots
caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc (mod_rft.so)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Description: This artifact, belonging to the SALTWATER malware family, is a 32-bit Linux Shared Object (.so) file. The malware can receive data over the network, using a previously established socket, with the 'recv' function, as shown in Figure 11. Figure 12 shows the malware creating a new thread within the calling process. This is thread injection, and it can inject two different functions. Figure 13 shows the first function, which can perform DNS resolution. Figures 14 and 15 show the second function, which can establish communications over the network using a TLS version 1 connection. Lastly, using 'popen', the malware can execute any shell command with the same privileges as its calling process.

Screenshots

Relationship Summary
Report: AR23-250A (Aeronautical Sector organization engagement)

Summary

Description: CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization. 2 files (bitmap.exe, wkHPd.exe) are identified as variants of Metasploit (Meterpreter) and are designed to connect to and receive unencrypted payloads from their respective command and control (C2) servers. Note: Metasploit is an open source penetration testing software; Meterpreter is a Metasploit attack payload that runs an interactive shell. These executables are used as attack payloads to run interactive shells, allowing a malicious actor to control and execute code on a system. 2 files (resource.aspx, ConfigLogin.aspx) are Active Server Pages (ASPX) web shells designed to execute remote JavaScript code on the victim server. CISA has provided indicators of compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR). For more information about this compromise, see the Joint Cybersecurity Advisory "Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475".

Download the PDF version of this report:

For a downloadable copy of IOCs associated with this MAR in JSON format, see:
AR23-250A JSON (JSON, 57.41 KB)
Submitted Files (4)

334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b (bitmap.exe)
47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622 (resource.aspx)
6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde (ConfigLogin.aspx)
79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63 (wkHPd.exe)

IPs (2)

108[.]62[.]118[.]160
179[.]60[.]147[.]4

Findings

334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b (bitmap.exe)
Tags: downloader, obfuscated, trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This artifact is a malicious Windows executable file. The file is designed to connect to the remote Internet Protocol (IP) address 179[.]60[.]147[.]4 on Transmission Control Protocol (TCP) port 58731 and wait for a response. The response payload from the remote server is not encrypted and is executed in memory. The payload was not available for analysis.

179[.]60[.]147[.]4
Tags: command-and-control
Ports
Whois: inetnum: 179.60.147.0/24; nic-hdl: ALS317
Relationships
Description: The malware C2 server IP address.

79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63 (wkHPd.exe)
Tags: obfuscated, trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This file is a malicious 64-bit Windows Portable Executable (PE) that has been identified as a variant of the Metasploit Meterpreter application. The file is designed to connect to the remote Internet Protocol (IP) address 108[.]62[.]118[.]160.

108[.]62[.]118[.]160
Tags: command-and-control
Whois: NetRange: 108.62.0.0 - 108.62.255.255; OrgName: Leaseweb USA, Inc.
Relationships
Description: The malware attempts to connect to this IP address.

47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622 (resource.aspx)
Tags: backdoor, webshell
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Description: This artifact is an ASPX webshell designed to execute remote JavaScript code on the system. The attacker must authenticate to the webshell client with the key "OWAwebconfig" before executing the remote code. The 'unsafe' context keyword is intentionally obfuscated to bypass security protocols.

Screenshots
6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde (ConfigLogin.aspx)
Tags: backdoor, webshell
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Description: This artifact is an ASPX webshell designed to execute remote JavaScript code on the system. The attacker must authenticate to the webshell client with the key "TUCSON" before executing the remote code. The 'unsafe' context keyword is intentionally obfuscated to bypass security protocols.

Screenshots
Relationship Summary
Report: AR23-221A

Summary

Description: CISA obtained four malware samples, including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). SEASPY is a persistent and passive backdoor that masquerades as the legitimate Barracuda service "BarracudaMailService" and allows the threat actors to execute arbitrary commands on the ESG appliance. WHIRLPOOL is a backdoor that establishes a Transport Layer Security (TLS) reverse shell to the Command-and-Control (C2) server. For information about related malware, specifically the initial exploit payload, a second SEASPY backdoor variant, and the SUBMARINE backdoor, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:
AR23-221A PDF (PDF, 382.40 KB)

For a downloadable copy of IOCs associated with this MAR in JSON format, see: AR23-221A JSON (JSON, 49.40 KB)
Submitted Files (4)

29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b (QuoVadis_Root_CA_1_G3.pem)
3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 (BarracudaMailService.old)
83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c (rverify)
9bb7addd96f99a29658aca9800b66046823c5ef0755e29012983db6f06a999cf (resize_reisertab)

Findings

3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 (BarracudaMailService.old)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This artifact is a 64-bit Executable and Linkable Format (ELF) file that has been identified as a "SEASPY" malware variant installed as a system service. The malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. It is designed to listen for commands received from the Threat Actor's (TA's) C2 through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (Simple Mail Transfer Protocol (SMTP)) and TCP port 587. It checks each captured network packet for the hard-coded string "oXmp". When the right sequence of packets is captured, it establishes a TCP reverse shell to the TA's C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r" and is executed using the parameter below:

--Begin argument--

29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b (QuoVadis_Root_CA_1_G3.pem)
Antivirus: No matches found.
YARA Rules
ssdeep Matches: No matches found.
Relationships
Description: This artifact is an initialization script. Upon execution it resets terminal settings to default using the 'stty sane' command. It then sets a runlevel variable and stops other services that were started by a previous runlevel. It also kills any services that are running on the current runlevel. Next, the script starts its associated services at the current runlevel. After logging functionality is started, the script checks whether the runlevel is 3, in which case the terminal screen is cleared using /usr/bin/clear. Finally, the script contains the command "/sbin/BarracudaMailService eth0" at the end. BarracudaMailService is therefore started automatically on the network interface eth0 when the initialization script runs. BarracudaMailService is a known name for the SEASPY backdoor.

Screenshots
Figure 1. At the end of the script the string "/sbin/BarracudaMailService eth0" is specified.

9bb7addd96f99a29658aca9800b66046823c5ef0755e29012983db6f06a999cf (resize_reisertab)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Description: This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. This variant of SEASPY has had its symbols stripped. The malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. It is designed to listen for commands received from the TA's C2 through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks each captured network packet for the hard-coded string "TfuZ". When the right sequence of packets is captured, this SEASPY variant launches an authentication sequence prior to launching the reverse shell. Once the TA authenticates, the malware starts a reverse shell on the infected system. This allows the TA to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r" and is executed using the parameter below:

--Begin argument--

83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c (rverify)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Description: This artifact is a 32-bit ELF file that has been identified as a malware variant named "WHIRLPOOL". The malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell. The module that passes the arguments was not available for analysis.

Relationship Summary
Report: AR23-209B

Summary

Description: CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). SEASPY is a persistent and passive backdoor that masquerades as the legitimate Barracuda service "BarracudaMailService" and allows the threat actors to execute arbitrary commands on the ESG appliance. For information about related malware, specifically the initial exploit payload and other backdoors, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:
AR23-209B PDF (PDF, 354.36 KB)

For a downloadable copy of IOCs associated with this MAR in JSON format, see: AR23-209B JSON (JSON, 19.83 KB)
Submitted Files (2)

3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb (BarracudaMailService.1)
69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192 (6931018-BarracudaMailService.2)

Findings

69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192 (6931018-BarracudaMailService.2)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches: No matches found.
Description: This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. The sample is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. It is designed to listen for commands received from the Threat Actor's (TA) Command-and-Control (C2) through Transmission Control Protocol (TCP) packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks each captured network packet for the hard-coded string "oXmp". Note: This hard-coded string may change for other SEASPY variants. When the right sequence of packets is captured, it establishes a TCP reverse shell to the TA's C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r" and is executed using the parameter below:

--Begin argument--

Screenshots

Figure 1. This is disassembler output showing how the malware checks the parameters it was executed with.

3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb (BarracudaMailService.1)
Tags: trojan
Antivirus
YARA Rules
ssdeep Matches
No matches found.
Description
This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. This sample has the same malicious capabilities as BarracudaMailService.2 (5d6cba7909980a7b424b133fbac634ac). The only difference between the binaries is located in the function named "start_pcap_listener". In that function both binaries call a function named "reverse shell" to start the reverse shell functionality of the malware. The difference is that BarracudaMailService.1 (32ffe48d1a8ced49c53033eb65eff6f3) jumps directly to the set of instructions that start the reverse shell, whereas BarracudaMailService.2 (5d6cba7909980a7b424b133fbac634ac) contains an extra set of instructions before jumping to the instructions that start the reverse shell.
Acknowledgments
Mandiant contributed to this report.
Summary
Description
CISA obtained seven malware samples related to a novel backdoor CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup. In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information. For information about related malware, specifically information on the initial exploit payload and other backdoors, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors. Download the PDF version of this report:
AR23-209A PDF (PDF, 1.18 MB)
For a downloadable copy of IOCs associated with this MAR in JSON format, see:
AR23-209A JSON (JSON, 48.51 KB)
Submitted Files (5)
6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0 (r)
81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab (libutil.so)
8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239 (machineecho_-n_Y2htb2QgK3ggL3J...)
b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43 (sedO4CWZ9)
cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a (smtpctl)
Additional Files (2)
2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5 (config.TRG)
bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a (run.sh)
Findings
2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5
Details
Antivirus
No matches found.
YARA Rules
ssdeep Matches
No matches found.
Description
The file 'config.TRG' is a SUBMARINE artifact. The presence of the filename 'config.TRG' does not by itself indicate that the ESG is infected; it is the contents of the file that determine whether it is infected. The contents of 'config.TRG' are contained within the SQL database file called 'config.snapshot' and the MIME attachments. Presence of the contents of 'config.TRG' within the SQL database is indicative of a SUBMARINE infection. The file contains a malicious SQL trigger called 'cuda_trigger' (Figure 1). This SQL trigger is set to run as root on the local host before a row is deleted from the database. After the trigger conditions are met, two actions occur. First, a compressed, base64 encoded blob containing two files is written into a file called 'r' in the '/var/tmp' directory (Figure 2). Second, a base64 encoded command is executed (Figure 3).
--Begin Base64 Decoded Command--
The commands decode the base64 encoded string and execute the decoded result as a shell command. They pass the contents of the file 'r' to be decoded and then decompressed with the 'tar' command. Then, the file 'run.sh' is executed under 'nohup'. Running under 'nohup' allows the process launched from the shell to continue executing even if the shell is closed. The 'BSMTP_ID' is passed as an argument and all errors are discarded by redirecting them to '/dev/null'. Lastly, the contents of the '/root/machine' directory are removed, permissions are set to executable, and shell scripts whose names contain the string 'mach*' in the root directory are executed.
Screenshots
Figure 1. - The malicious SQL trigger called 'cuda_trigger'.
Figure 2. - A small snippet of the base64 blob being written into the file 'r'.
Figure 3. - A small snippet of the base64 encoded command found after 'r' is written.
8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239
Details
Antivirus
No matches found.
YARA Rules
ssdeep Matches
No matches found.
Description
The file 'machineecho -n Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK _ base64 -d _sh`_' is a SUBMARINE artifact. The file is a shell script identified in the '/root' directory and contains base64 encoded commands. The name of the file is designed to exploit a vulnerability in the target environment whereby the base64 string within the file name is executed by the Linux shell.
--Begin Base64 Decoded Name/Command--
The above commands change the permissions of '/root/mac*' to executable. The file itself contains a series of operations, such as decoding a base64 encoded string and executing the decoded result as a shell command. The decoded base64 string represents a series of commands that will be executed by the shell.
~Begin Base64 Decoded Command~
cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp
~End Base64 Decoded Command~
This command is identical to the decoded base64 command found in the SQL trigger identified in the file 'config.snapshot'.
6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0
Details
Antivirus
No matches found.
YARA Rules
ssdeep Matches
No matches found.
Relationships
Description
The file 'r' is a SUBMARINE artifact. The file is a Base64 encoded GNU Zip (GZIP) archive. When the 'cat /*/*/r | base64 -d -i | tar -zx -C /*/*' Linux shell command is applied to 'r', it decompresses two files. The aforementioned Linux shell command is contained in 'config.snapshot' as a Base64 encoded SQL trigger.
--Begin Decompressed Files--
bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a
Details
Antivirus
No matches found.
YARA Rules
ssdeep Matches
No matches found.
Relationships
Description
The file 'run.sh' is a SUBMARINE loader. The file is a shell script located within the archive 'r' in the '/var/tmp' directory. The purpose of 'run.sh' is to perform a combination of file manipulation, script generation and execution (Figure 4). There are 4 variables within 'run.sh':
--Begin Variable List--
B1=$1
--End Variable List--
The script begins by moving SUBMARINE from the '/var/tmp/' directory to the '/boot/os_tools/' directory for persistence. The variable "B" is declared as a 'sed' command that replaces all occurrences of the string 'exec' with 'BSMTP_ID=$1 LD_PRELOAD=/boot/os_tools/libutil.so exec /home/product/code/firmware/current/sbin/smtpctl'. This 'sed' command is then base64 encoded. A new file called 'hw-set' is created in the '/boot/os_tools/' directory. A line is appended to the 'smtpctl' file which checks for the string 'LD_PRELOAD'. If the string is not found, the base64 encoded string stored in variable "B" is decoded and executed as a shell command and 'smtpctl' is restarted. The 'chmod' command is used to set executable permissions for 'hw-set'. The 'sed' command is used with the '-i' flag to modify the file 'update_version' within the '/boot/os_tools/' directory by appending a string to line 44. The appended string, "system('/boot/os_tools/hw-set 2>&1 >/dev/null &');", runs the file 'hw-set' in the background and redirects both output and errors to '/dev/null' whenever the file 'update_version' is executed. The file 'hw-set' is executed and the 'sed' command with the '-i' flag is used to insert the string 'sleep 2m' on line 1 to set a sleep duration of 2 minutes. Finally, all files and directories within the '/var/tmp/' directory are removed.
Screenshots
Figure 4. - The contents of the file 'run.sh'.
b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43
Details
Antivirus
No matches found.
YARA Rules
ssdeep Matches
No matches found.
Description
The file 'hw-set' is a SUBMARINE artifact. The file is a shell script located in the '/boot/os_tools/' directory and contains shell commands as well as a base64 encoded string (Figure 5). The shell script sleeps for 2 minutes before executing. The 'grep' command checks whether the string 'LD_PRELOAD' is contained within the 'smtpctl' file located at '/home/product/code/firmware/current/sbin/'. The exclamation point (!) in front of the 'grep' command inverts its exit status, so the following action runs only when 'grep' fails to find the string. If the string 'LD_PRELOAD' is not identified, a base64 encoded 'sed' command is used to modify the 'smtpctl' file (Figure 6).
Screenshots
Figure 5. - The contents of the shell script in the file 'hw-set'.
Figure 6. - The decoded base64 string contained in the shell script of the file 'hw-set'.
cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a
Details
Antivirus
No matches found.
YARA Rules
ssdeep Matches
No matches found.
Description
The file 'smtpctl' is a SUBMARINE loader. The file is a maliciously modified shell script used to remove mail files in two directories as well as load SUBMARINE as a shared library for the Batched Simple Mail Transfer Protocol (BSMTP) daemon.
~Begin File Removal Commands~
Malicious code appended at the bottom of 'smtpctl.sh' sets the BSMTP_ID, and SUBMARINE is preloaded as a shared library from the '/boot/os_tools' directory. It then executes the BSMTP daemon. If the BSMTPD_PID variable is set, debug mode is enabled; if it is not set, execution continues without enabling debug mode. Additionally, any instances of the string 'reload' in the command are replaced with 'restart' and all errors are redirected to '/dev/null' (Figure 7).
Screenshots
Figure 7. - The appended malicious code loading SUBMARINE as the shared library for the BSMTP daemon. The BSMTP_ID value will be unique per device.
81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab
Details
Antivirus
No matches found.
YARA Rules
ssdeep Matches
No matches found.
Relationships
Description
The file 'libutil.so' is the SUBMARINE payload. 'libutil.so' is preloaded into the BSMTP daemon, the Linux executable responsible for receiving emails and processing Simple Mail Transfer Protocol (SMTP) reply messages. Linux shared object preloading is analogous to Dynamic-Link Library (DLL) side-loading and DLL injection on Windows. This file is preloaded using the 'LD_PRELOAD' environment variable, applied to 'bsmtpd', the BSMTP daemon executable. The preload variable is added to two configuration files that control the behavior of 'bsmtpd'. When those files restart the daemon, 'libutil.so' is loaded into its process memory, giving it the same privileges and access as 'bsmtpd'. The malware obtains the BSMTP_ID environment variable from the infected system; the BSMTP_ID can be used as a port for malicious traffic (Figure 8). The process this shared object runs in, 'bsmtpd', is duplicated and launched using the 'fork' Linux function (Figure 9). The malware opens a connection to 127.0.0.1 on the victim machine it is running on (Figure 10). The 'recv' function is called after the connection is opened, showing that the malware has the capacity to obtain information from the context it is executed in. Figure 11, Pane 1, shows configuration settings for the BSMTP daemon that allow any email traffic from the address range 127/8 and multiple actions including 'ehlo'. Pane 2 shows the malware taking in data and loading the 'ehlo' action into memory. Figure 12, Pane 1, shows the malware, in conjunction with 'snprintf_chk', formatting the string 'echo -n '%s' | base64 -d | openssl aes-256-cbc -d -K 66833b26%d -iv 69822b6c%d 2>/dev/null | sh' for the Linux shell. The string is a command that accepts input '%s', decodes it with Base64, decrypts it with AES, discards error output via '2>/dev/null' and executes it on the target with the 'sh' shell through the 'system' Linux function.
Lastly, the malware has the capacity to print the SMTP string '250-mail2.eccentric.duck Hello %s [%s], pleased to meet you'. Therefore, the malware has the capacity to accept encoded and encrypted inputs from 'bsmtpd', execute them, and print a message.
Screenshots
Figure 8. - Depicts the Linux function 'getenv' reading "BSMTP_ID" and setting the variable named "SRC_PORT".
Figure 9. - Depicts the Linux function 'fork'.
Figure 10. - Depicts the initialization of a connection using the Berkeley Sockets API.
Figure 11. - Pane 1 shows configuration settings for the BSMTP daemon, not in the malware. Pane 2 shows part of that configuration in the malware.
Figure 12. - Pane 1 shows the Linux functions 'snprintf_chk' and 'system'. Pane 2 shows configuration settings for the BSMTP daemon.
Relationship Summary
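As an added defender-side example (not code from this report, CISA or Barracuda), the following Python audit checks file contents and directory listings for the SUBMARINE indicators described above: the 'cuda_trigger' DDL and base64 stagers in the SQL snapshot, the LD_PRELOAD line in 'smtpctl', the 'hw-set' hook on line 44 of 'update_version', components staged in '/boot/os_tools', and a '/root' entry whose name carries a command substitution. All inputs are constructed samples; the SQL trigger syntax is illustrative, and the '/root' file name assumes pipes where the extracted report text shows underscores.

```python
"""Host audit for the SUBMARINE indicators described above (constructed example, not CISA or Barracuda code)."""
import base64
import re

# Indicators quoted from the report text; everything else below is constructed.
TRIGGER_NAME = "cuda_trigger"
PRELOAD_MARKER = "LD_PRELOAD=/boot/os_tools/libutil.so"
HW_SET_HOOK = "system('/boot/os_tools/hw-set 2>&1 >/dev/null &');"
STAGED_TOOLS = {"hw-set", "libutil.so"}
# Substrings that mark a decoded base64 blob as a shell stager rather than data.
SHELL_MARKERS = ("base64 -d", "/var/tmp", "nohup", "chmod +x", "| sh")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_shell_blobs(text):
    """Return the decoded form of every base64 token in text that looks like shell commands."""
    found = []
    for tok in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # not valid base64 or not text: skip
            continue
        if any(marker in decoded for marker in SHELL_MARKERS):
            found.append(decoded)
    return found


def check_sql_snapshot(sql_text):
    """Flag the cuda_trigger DDL and any base64 stager embedded in a trigger body."""
    findings = [f"sql: trigger {name} present"
                for name in re.findall(r"CREATE\s+TRIGGER\s+(\w+)", sql_text, re.IGNORECASE)
                if name.lower() == TRIGGER_NAME]
    findings += [f"sql: base64 stager decodes to {cmd.strip()!r}" for cmd in decode_shell_blobs(sql_text)]
    return findings


def check_smtpctl(script_text):
    """Flag the appended line that preloads libutil.so into the BSMTP daemon."""
    return [f"smtpctl: {PRELOAD_MARKER} found at line {i}"
            for i, line in enumerate(script_text.splitlines(), 1) if PRELOAD_MARKER in line]


def check_update_version(script_text):
    """Flag the system() call that launches hw-set whenever update_version runs."""
    return [f"update_version: hw-set hook at line {i}"
            for i, line in enumerate(script_text.splitlines(), 1) if HW_SET_HOOK in line]


def check_root_filenames(names):
    """Flag /root entries whose *name* carries a command substitution with a base64 decode."""
    return [f"/root: injected filename {name[:12]!r}... decodes to {decode_shell_blobs(name)!r}"
            for name in names if "`" in name and "base64 -d" in name]


def check_os_tools(names):
    """Flag SUBMARINE components staged in /boot/os_tools/."""
    return [f"/boot/os_tools: unexpected file {n}" for n in sorted(STAGED_TOOLS & set(names))]


def audit(sql_text, smtpctl_text, update_version_text, root_names, os_tools_names):
    """Run every check; an empty result means none of the reported indicators were seen."""
    return (check_sql_snapshot(sql_text) + check_smtpctl(smtpctl_text)
            + check_update_version(update_version_text)
            + check_root_filenames(root_names) + check_os_tools(os_tools_names))


# --- Constructed sample inputs standing in for appliance files (not real captures) ---
STAGER_CMD = "cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp"  # decoded command from the report
SAMPLE_SQL = (
    "CREATE TABLE queue (id int, payload text);\n"
    "CREATE TRIGGER cuda_trigger BEFORE DELETE ON queue FOR EACH ROW\n"  # trigger syntax is illustrative
    "  EXECUTE PROCEDURE run_cmd('echo " + base64.b64encode(STAGER_CMD.encode()).decode()
    + " | base64 -d | sh');\n"
)
SAMPLE_SMTPCTL = (
    "#!/bin/sh\n"
    "# ... original control-script body ...\n"
    "BSMTP_ID=$1 LD_PRELOAD=/boot/os_tools/libutil.so exec "
    "/home/product/code/firmware/current/sbin/smtpctl 2>/dev/null\n"
)
# 43 benign lines, then the hook the report describes on line 44.
SAMPLE_UPDATE_VERSION = "\n".join(f"# line {i}" for i in range(1, 44)) + "\n" + HW_SET_HOOK + "\n"
# Report artifact name, with pipes assumed where the extracted text shows underscores.
SAMPLE_ROOT = ["machine`echo -n Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK | base64 -d | sh`",
               ".bashrc"]
SAMPLE_OS_TOOLS = ["update_version", "hw-set", "libutil.so"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SQL, SAMPLE_SMTPCTL, SAMPLE_UPDATE_VERSION, SAMPLE_ROOT, SAMPLE_OS_TOOLS):
        print(finding)
```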
Acknowledgments
Mandiant contributed to this report.
Summary
Description
CISA received one Windows Portable Executable (PE) file for analysis. The file is a variant of TrueBot malware. It is designed to collect system information and report it to a command-and-control (C2) server. The bot is also capable of downloading and executing additional payloads. For more information about this compromise, see Joint Cybersecurity Advisory Increased Truebot Activity Infects U.S. and Canada Based Networks. Download the PDF version of this report:
For a downloadable copy of IOCs, see
AA23-187A STIX XML (XML, 204.54 KB)
For a downloadable copy of IOCs associated with this MAR in JSON format, see
MAR-10445155-1.v1 STIX JSON (JSON, 16.51 KB)
Submitted Files (1)
7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7 (3LXJyAv6Gf.exe)
Domains (2)
dremmfyttrred[.]com
droogggdhfhf[.]com
Findings
7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7
Tags: trojan
Details
Antivirus
YARA Rules
ssdeep Matches
No matches found.
Relationships
Description
This artifact is a variant of the TrueBot downloader. The file is padded with over one gigabyte (GB) of junk code, designed to hinder analysis. When the bot is executed on the system, it checks the current Operating System (OS) version (RtlGetVersion) and the processor architecture (GetNativeSystemInfo). From this information the bot creates a unique ID for the compromised system. It stores the ID in C:\ProgramData as a randomly named 13-character file with a .JSONIP extension, e.g. 'IgtyXEQuCEvAM.JSONIP'. The malware proceeds to enumerate all running processes on the system. The bot configuration contains a list of common Windows processes that are excluded from its list. The remaining process names are concatenated into a base64 encoded string. The malware specifically looks for the presence of the following disassembly and debugging tools:
---Begin Disassembly & Debugging Tools---
The presence of these tools does not change the execution of the malware. They are also concatenated into a base64 encoded string and sent along with the system information. Next, the malware collects the ComputerName and Domain name of the system. All of the collected information and the unique ID are sent to a hard-coded Uniform Resource Locator (URL) in a POST request using a unique User-Agent string:
---Begin POST Request---
The malware uses a second obfuscated domain to accept commands and receive additional payloads. The configuration contains two base64 encoded strings that the malware decodes and runs through a string operation to generate a unique hexadecimal string. The hexadecimal string is decoded using the embedded RC4 key 'YiPumybosaWiWexy'. The following URL was decoded from the strings:
---Begin Decoded URL---
dremmfyttrred[.]com
Tags: command-and-control
HTTP Sessions
Relationships
Description
3LXJyAv6Gf.exe attempts to send the collected system information to this domain.
droogggdhfhf[.]com
Tags: command-and-control
Relationships
Description
3LXJyAv6Gf.exe receives commands and payloads from this domain.
Relationship Summary
Summary
Description
CISA received three files for analysis. The files included three webshells written in PHP: Hypertext Preprocessor (PHP), Active Server Pages Extended (ASPX), and .NET Dynamic-Link Library (DLL). The sample "sd.php" is highly obfuscated and uses the rot13 algorithm, zlib for compression and base64 encoding for obfuscation. The "osker.aspx" webshell code was padded with junk code. The .NET DLL webshell is a .NET compiled version of osker.aspx. The samples are interactive webshells and have the ability to upload and manage files, create directories and files, and execute commands on the target machine. For more information about this compromise, see Joint Cybersecurity Advisory Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers. Download the PDF version of this report:
MAR-10443863.r1.v1 (PDF, 864.35 KB)
For a downloadable copy of IOCs, see below or the JSON file.
AA23-074A.stix (XML, 38.86 KB)
Submitted Files (3)
6ce087b904af8a01aae73ac77d81822ad41799f89a5d301dce45191c897012aa (osker.aspx)
b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b (App_Web_jl37rjxu.dll)
ea98368f6ecb5281654a6a9e4c649ef9b53860f1ee32340145b61e0e42e1072a (sd.php)
Findings
ea98368f6ecb5281654a6a9e4c649ef9b53860f1ee32340145b61e0e42e1072a
Tags: obfuscated, trojan, uploader, webshell
Details
Antivirus
YARA Rules
ssdeep Matches
No matches found.
Description
This sample is an obfuscated PHP interactive webshell. The webshell is encoded and obfuscated using rot13, gzinflate and base64, as seen in the following code: "eval(str_rot13(gzinflate(str_rot13(base64_decode(($sym))))));" The obfuscated code is a string stored in the $sym variable, from where it is read and decoded upon execution (Figure 1). The webshell requires the password "pass" for authentication and uses the string "$xyn='tunafeesh';" as a cookie to authenticate. This webshell enumerates the local system it infects, including the operating system, current user, directories, files and permissions. The webshell has the ability to create, rename, and delete files and directories. Furthermore, it has the ability to upload additional files to the affected webserver, run in Safe Mode and execute commands via cmd.exe (Figure 2). The webshell provides a Graphical User Interface (GUI) to the operator to perform these operations on the infected machine.
---Notable Strings Begin---
Screenshots
Figure 1. - $sym variable with obfuscated code.
Figure 2. - sd.php webshell interface. A Threat Actor (TA) would access this interface remotely to conduct various actions, such as uploading additional files, creating directories and files, and running commands.
6ce087b904af8a01aae73ac77d81822ad41799f89a5d301dce45191c897012aa
Tags: backdoor, trojan, webshell
Details
Antivirus
YARA Rules
ssdeep Matches
No matches found.
Relationships
Description
This sample is an ASP.NET webshell. The webshell code was padded with junk code for detection evasion. The beginning of the webshell code can be seen in Figure 3. It is possible to access the webshell interactively via a browser to view the GUI, as seen in Figure 4. This webshell has the ability to enumerate drive names and types, software, operating system versions, processes, and users, and has the ability to copy, create and delete files, directories and databases. Furthermore, this webshell is able to upload, download, run and execute commands using cmd.exe and sqlcmd.exe. This webshell has the ability to interact with and manipulate SQL databases. It also uses Windows Management Instrumentation (WMI) Management Objects to query processes, users and network domains, and is able to encode and decode data using base64.
---Notable Strings Begin---
Screenshots
Figure 3. - Beginning of osker.aspx webshell code.
Figure 4. - Web interface for osker.aspx webshell. The webshell interface password is "321".
b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b
Tags: backdoor, trojan, webshell
Details
Antivirus
YARA Rules
ssdeep Matches
No matches found.
Relationships
Description
This is a 32-bit .NET Dynamic-Link Library (DLL) file. This sample is an ASP.NET webshell and is related to the osker.aspx file. These webshells may affect Microsoft Exchange Servers and IIS services exploited via the ProxyLogon vulnerability. This sample is a .NET DLL file created by the ASP.NET Runtime when the ASPX script is seen for the first time on the system. Its capabilities and functions are identical to those of the osker.aspx file.
Relationship Summary
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with HyperBro, a Remote Access Trojan (RAT). CISA obtained HyperBro malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors. CISA analyzed 4 files associated with HyperBro malware. The files create a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system. For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.
Download the STIX version of this report: MAR-10365227-2.v1 (249B)

Submitted Files (4)
52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 (vftrace.dll)
df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (msmpeng.exe)
f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230 (config.ini)
f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780 (thumb.dat)

IPs (1)
104.168.236.46

Findings

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
Tags: loader
Details
Antivirus: No matches found.
YARA Rules: No matches found.
ssdeep Matches: No matches found.
PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description
This artifact is a version of vf_host.exe from Viewfinity. The file is used to side-load the malicious dynamic-link library (DLL), vftrace.dll. The program is also capable of bypassing User Account Control (UAC) on the system by disabling Admin Approval Mode in the User Account Control Group Policy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System. This can allow the malware to run with Admin privileges, or allow remote logon (RDP) with full Admin privileges.

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
Tags: trojan
Details
Antivirus
YARA Rules: No matches found.
ssdeep Matches: No matches found.
PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description
This DLL is side-loaded by df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 detailed in this report. When the DLL is executed it will create a Globally Unique Identifier (GUID) to identify the system to the command and control (C2) server during communication. The GUID is written to a file called 'Config.ini' and placed in the current directory. The program will decrypt and read a configuration file called 'thumb.dat' that instructs it to spawn a new instance of the Service Host Process (svchost.exe) and inject itself into the new instance. Svchost.exe is run with the -k netsvcs parameter to allow the malware to connect to its C2. The malware collects the following information to send to the C2 via POST when establishing a connection.
---Begin Collected Information---
During analysis, the malware attempted to connect to the Uniform Resource Identifier (URI) hxxps[:]//104.168.236.46/api/v2/ajax using the fixed User-Agent string Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36. To achieve persistence on the system, the program creates a service in the registry called ‘Windows Defenders Service’ that starts automatically when the user logs on.
---Begin Registry Settings---
It may also create an autorun entry in the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The malware creates a hidden folder called ‘windefenders’ in the path C:\Program Files (x86)\Common Files where it will copy the PE file ‘msmpeng.exe’ along with the GUID file, ‘config.ini’, the malicious library ‘vftrace.dll’, and the encrypted configuration file ‘thumb.dat’. A second hidden folder called ‘windefenders’ is also created in the path C:\ProgramData. This folder holds another instance of the PE file. The program is capable of logging keystrokes, uploading and downloading files, and will also invoke RpcServerListen to wait for incoming Remote Procedure Call (RPC) connections.
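The following PowerShell is an added host-triage example, not code from the CISA report, that checks a Windows system for the artifacts described in this section: the ‘Windows Defenders Service’ service, the hidden windefenders folders and the four files dropped into them, a Run-key autorun, the UAC policy change noted for msmpeng.exe, and the daemon/worker named pipe. The service name, paths and file names are taken from the report; the EnableLUA value name is my mapping of "Admin Approval Mode" to its registry value, and \\.\pipe\testpipe is the Win32 form of the \Device\NamedPipe\testpipe path.

```powershell
# Added triage example (not from the CISA report): look for the HyperBro persistence
# artifacts that MAR-10365227-2 describes. Run from an elevated PowerShell session.
$findings = @()

# Service persistence: the report names the service 'Windows Defenders Service'
# (note the plural; the genuine Microsoft Defender service is named WinDefend).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq 'Windows Defenders Service' -or $_.Name -eq 'Windows Defenders Service' } |
    ForEach-Object { $findings += "Service '$($_.Name)' ($($_.StartMode)) -> $($_.PathName)" }

# Hidden 'windefenders' drop folders and the four files the report says are copied there.
$dropFiles = 'msmpeng.exe', 'vftrace.dll', 'config.ini', 'thumb.dat'
foreach ($dir in 'C:\Program Files (x86)\Common Files\windefenders', 'C:\ProgramData\windefenders') {
    if (Test-Path -LiteralPath $dir) {
        # -Force is required because the folder and its files are created hidden.
        $present = Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $dropFiles -contains $_.Name.ToLower() } |
            ForEach-Object { $_.Name }
        $findings += "Folder $dir exists (known files: $($present -join ', '))"
    }
}

# Run-key autorun pointing at the drop folder or at the side-loading host msmpeng.exe.
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'windefenders|msmpeng\.exe' } |
        ForEach-Object { $findings += "Run entry '$($_.Name)' = $($_.Value)" }
}

# UAC: "Admin Approval Mode" is the EnableLUA value under the policy key the report cites
# (my mapping of the policy name to its registry value; 0 means the mode is disabled).
$uac = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 0) { $findings += 'UAC: EnableLUA = 0 (Admin Approval Mode disabled)' }

# Daemon/worker pipe: \Device\NamedPipe\testpipe is \\.\pipe\testpipe in Win32 form.
if ([System.IO.Directory]::GetFiles('\\.\pipe\') -contains '\\.\pipe\testpipe') {
    $findings += 'Named pipe \\.\pipe\testpipe is open'
}

if ($findings.Count -eq 0) { 'No HyperBro host artifacts found.' } else { $findings }
```

Each hit is a lead for confirmation against the hashes listed above, not proof of compromise on its own; a disabled EnableLUA in particular can also be a legitimate (if unwise) administrative choice.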
It will also open a pipe called ‘\Device\NamedPipe\testpipe’ that it uses to pass commands from its daemon to any worker processes it may set up.

104.168.236.46
Tags: command-and-control
URLs
Ports
Whois
Domain Name: HOSTWINDSDNS.COM
Domain name: hostwindsdns.com
Relationships
Description
During analysis, the file vftrace.dll attempted to connect to this IP address.

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230
Details
Antivirus: No matches found.
YARA Rules: No matches found.
ssdeep Matches: No matches found.
Relationships
Description
This artifact contains a GUID that is generated by the malware to uniquely identify the system during communication with the C2.

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780
Tags: backdoor, keylogger
Details
Antivirus: No matches found.
YARA Rules: No matches found.
ssdeep Matches: No matches found.
Relationships
Description
This artifact is the encrypted configuration data that is read by 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 detailed in this report. The decrypted strings in the configuration are listed below:
---Begin Decrypted Strings---
---End Decrypted Strings---
This configuration allows the malware to connect to its C2, create persistence on the system, log keystrokes and telemetry data, and execute commands from the command line.

Relationship Summary
Conclusion
The following MITRE ATT&CK tactics and techniques were observed during analysis of these samples.

T1543.003 Persistence: Create or Modify System Process. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.

T1574.002 Hijack Execution Flow: DLL Side-Loading. Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

T1567.000 Exfiltration: Exfiltration Over Web Service. Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

T1560.000 Collection: Archive Collected Data. An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information
Initial Publication: September 29, 2022