Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Webshells, Trojan and Stealer

November 9, 2021

Exploitation and Initial Payload Deployment

Upon obtaining scan results, the threat actor transitioned to exploitation, focusing on CVE-2021-40539. This vulnerability is a REST API authentication bypass that leads to remote code execution on vulnerable devices. To exploit it, the attackers delivered specially crafted POST requests to the REST API LicenseMgr endpoint.
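As an added example (not from the original report), the following Python triage script scans web-server access logs for POST requests that reach the ADSelfService Plus REST API LicenseMgr endpoint described above. The log lines are constructed, and the exact URL form /RestAPI/LicenseMgr is an assumption; the path is normalised before matching so alternate spellings of the same path do not slip past the check.

```python
import posixpath
import re

# Apache/Tomcat-style combined log line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for illustration only; the LicenseMgr path form is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2021:10:01:02 +0000] "GET /RestAPI/Connection HTTP/1.1" 200 512
203.0.113.7 - - [09/Nov/2021:10:01:09 +0000] "POST /RestAPI/LicenseMgr HTTP/1.1" 200 88
203.0.113.7 - - [09/Nov/2021:10:01:11 +0000] "GET /RestAPI/LicenseMgr?x=1 HTTP/1.1" 401 0
10.0.0.8 - - [09/Nov/2021:10:02:00 +0000] "GET /help/index.html HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and collapse dot-segments/duplicate slashes so the
    # comparison is made against the canonical path the server would serve.
    rec["path"] = posixpath.normpath(rec["path"].split("?", 1)[0]).lower()
    return rec


def find_licensemgr_posts(lines):
    """Return records for POST requests hitting the REST API LicenseMgr endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if "/restapi/" in rec["path"] and rec["path"].endswith("licensemgr"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_licensemgr_posts(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} POST {hit['path']} -> {hit['status']}")
```

Any hit from an unexpected source address, especially on an unpatched host, warrants pulling the full request body and checking the server for newly written webshell files.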

Following the initial exploitation, the attackers uploaded a payload to the victim network, which installed a Godzilla webshell. This activity was consistent across all victims, although a smaller subset of compromised organizations received a modified version of a new backdoor called NGLite.

Command Execution and Lateral Movement

Using either the Godzilla webshell or the NGLite payload, the threat actors executed commands and moved laterally across systems within the network. Their activities included exfiltrating files of interest by downloading them directly from the web server.

Once they pivoted to a domain controller, they installed a novel credential-stealing tool known as KdcSponge. This tool enabled them to gather credentials while maintaining access to the network.

Tools Deployed During the Attack

Godzilla Webshell

The Godzilla webshell played a central role in the attack. It is a functionality-rich tool designed to parse inbound HTTP POST requests, decrypt the data using a secret key, execute the decrypted content, and return the results via HTTP response.

This webshell, developed by a user named BeichenDream, was specifically created to avoid detection during red team engagements. It employs AES encryption to evade network detection and has a very low static detection rate across security vendor products.

The lightweight design of Godzilla ensures minimal impact on compromised systems while providing attackers with advanced capabilities. These include dynamically executing malicious code only when necessary, reducing the risk of early detection.

NGLite Backdoor

NGLite is characterized by its author as an “anonymous cross-platform remote control program based on blockchain technology.” It uses the New Kind of Network (NKN) infrastructure for command-and-control (C2) communications, offering attackers theoretical anonymity. While NKN is a legitimate networking service, its use as a C2 channel is rare, making this attack unique.

KdcSponge Credential Stealer

After gaining access to domain controllers, the attackers deployed KdcSponge, a credential-stealing tool. It injects into the Local Security Authority Subsystem Service (LSASS) process and hooks specific Kerberos API functions to intercept usernames and passwords.

KdcSponge identifies the Kerberos module version using the TimeDateStamp in the PE file’s IMAGE_FILE_HEADER section. With this information, it hooks relevant API functions and logs stolen credentials, which are encrypted using a simple XOR algorithm with the key 0x55 and stored in the system.dat file.
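The two artefacts described above lend themselves to a small forensic helper. The added Python example below (written here, not code from the report or the malware) reads IMAGE_FILE_HEADER.TimeDateStamp from a PE image, the same field KdcSponge keys its hooking on, so an analyst can record which Kerberos module build was on a domain controller, and decodes a recovered system.dat-style blob with the reported single-byte XOR key 0x55. The minimal PE buffer and the credential text are constructed; the real log format is not described in the report.

```python
import struct

XOR_KEY = 0x55  # single-byte XOR key the report attributes to KdcSponge's log


def pe_timedatestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]


def decode_kdcsponge_log(blob: bytes) -> str:
    """Undo the XOR-0x55 obfuscation applied to the stored credential log."""
    return bytes(b ^ XOR_KEY for b in blob).decode("utf-8", errors="replace")


def looks_like_xor55_log(blob: bytes, threshold: float = 0.95) -> bool:
    """Triage heuristic: a file is a candidate if XOR-0x55 yields mostly printable text."""
    dec = bytes(b ^ XOR_KEY for b in blob)
    if not dec:
        return False
    printable = sum(1 for b in dec if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(dec) >= threshold


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE-like buffer (not a real binary) for testing pe_timedatestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: a fake credential line as it would sit XOR-encoded on disk.
SAMPLE_LOG = bytes(b ^ XOR_KEY for b in b"CORP\\alice:CorrectHorse\r\n")

if __name__ == "__main__":
    print(hex(pe_timedatestamp(build_fake_pe(0x5F3A1C2E))))
    print(decode_kdcsponge_log(SAMPLE_LOG), end="")
```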

Attack Progression and Goals

After compromising the initial server, the attackers focused on gathering and exfiltrating sensitive information from domain controllers, including the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry. These files provide a wealth of information for further attacks and maintaining long-term access.

Once these files were secured, the attackers shifted their attention to credential theft, using KdcSponge to harvest and store stolen authentication details. The ultimate objectives of the threat actors were to:

  1. Steal credentials for privileged accounts.
  2. Maintain persistent access to high-value systems.
  3. Exfiltrate sensitive data from victim networks.

Redundancy and Sophistication in Tool Use

Both Godzilla and NGLite were publicly available tools, developed with Chinese instructions and distributed via GitHub. Analysts believe the attackers deployed these tools in combination to ensure redundancy, maintaining access even if one tool was detected or disrupted.

Godzilla stood out for its advanced evasion capabilities, making it a preferred choice for regional threat groups. Its use of AES encryption for network traffic and low detection rates allowed attackers to bypass many security measures, while its functionality surpassed similar tools like ChinaChopper.

A Unique Threat Landscape

This attack demonstrated the sophistication and resourcefulness of the threat actors. By exploiting a known vulnerability, they quickly transitioned from initial access to credential theft and data exfiltration, leveraging a combination of advanced and publicly available tools.

The use of tools like Godzilla, NGLite, and KdcSponge highlights the evolving tactics employed by cybercriminals to achieve their goals while evading detection. Organizations must remain vigilant, applying timely patches and adopting robust security validation processes to mitigate such threats.
