US Cert Alert – Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server

In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248.
Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317.
Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.
Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017.
Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.

Threat Actor Activity
CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].

When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:WindowsTemp directory.
The malicious files were then executed from the C:WindowsTemp directory via the w3wp.exe process—a legitimate process that runs on IIS servers.
This process is routine for handling requests sent to web servers and delivering content.
The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.

CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.
The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system.
The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).

The names of some of the PNG files were misleading.
For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020.
The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique.
This file naming convention is a primary IOC used by the threat actors.

In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:WindowsTemp directory.
Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process.
CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.

Network activity analysis was consistent with the artifacts provided for review.
Analysts did not observe evidence of privilege escalation or lateral movement.

Threat Actor 1
CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022.
The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process.
In this instance, TA1 was able to upload malicious DLL files to the C:WindowsTemp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.

At least nine DLL files used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005].
All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016].
All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12.
The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443.
Analysis also identified that:

Some of the analyzed samples can load additional libraries; enumerate the system, processes, files, directories [T1083]; and write files.
Other analyzed samples can delete DLL files ending with the .dll extension in the C:WindowsTemp directory on the server.
TA1 may use this capability to hide additional malicious activity on the network.

Threat Actor 2
TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains.
Volexity lists this naming convention and other observed TTPs as common for this threat actor group.

As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005].
Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:WindowsTemp directory that TA2 executed via the w3wp.exe process.
These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains.

Analysis of DLL files determined the files were dropped, decoded, and attempted to connect to the respective malicious domains.
Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.

When the TA2 malware is executed a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com.

If no port or IP address is found, the program will exit.
If a port and IP address are found, the program will establish a listener and wait for further commands.
If communication is established between the TA2 malware and the C2:

The malware will identify the operating system (Windows or Linux) and create the appropriate shell (cmd or bash), sending system information back to the C2.
The C2 server may send the command xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:WindowsTemp directory.
The C2 server may send the command xequit, causing the malware to sleep for a period of time determined by the threat actors.
The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands.
The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.
No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.

Sign Up For Threat Alerts

Loading...
Threats Icon

Mar 23, 2023

HiatusRAT Targets SOHO Routers

Business grade routers are being infected with the HiatusRAT Remote Access Trojan a variant of...

Threats Icon

Mar 23, 2023

HiatusRAT Targets SOHO Routers

Business grade routers are being infected with the HiatusRAT Remote Access Trojan a variant of...

Threats Icon

Mar 21, 2023

Dotrunpex – Demystifying new virtualized .net injector...

DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used...

Threats Icon

Mar 21, 2023

GlobeImposter Ransomware With MedusaLocker Spreading Via RDP

A GlobeImposter ransomware campaign was discovered being carried out by the attackers behind MedusaLocker. The...

Threats Icon

Mar 20, 2023

Common credential stealers

FortiGuard Threat Research has observed an increasing threat arising from credential stealers. The most common...

Threats Icon

Mar 20, 2023

Sirattacker And ALC Ransomware Analysis

The Sirattacker and ALC ransomware families continue to gain traction and compromise Microsoft Windows devices....

Threats Icon

Mar 19, 2023

Google Advertising Used To Distribute RedLine Stealer

A malvertising campaign was discovered mimicking websites belonging to well-known software such as Notepad++ and...

Threats Icon

Mar 16, 2023

Microsoft Outlook Elevation of Privilege Vulnerability Exploit

Microsoft has posted a security vulnerability CVE-2023-23397, exploiting it allows attackers to gain elevated privileges...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 15, 2023

Threat Actors Use ParallaxRAT For Targeting Cryptocurrency...

Threat actors are targeting organization in the cryptocurrency sector with spam and phishing campaigns that...

Threats Icon

Mar 13, 2023

Exposing The Lazarus Arsenal WinorDLL64 Backdoor

In 2021 the researchers discovered and dissected a tool from the Lazarus APTs arsenal named...

Threats Icon

Mar 12, 2023

Clasiopa New Group Targets Materials Research

A campaign targeting the materials research sector with custom and commodity utilities and malware is...

Threats Icon

Mar 09, 2023

New Emotet campaign

Emotet is a type of malware that is designed to steal sensitive information from infected...

Threats Icon

Mar 09, 2023

How sys01 stealer will get your sensitive...

Morphisec has been tracking an advanced info stealer Analysts have named "SYS01 stealer." SYS01 stealer...