Notification
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Summary
Description
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway (UAG) servers. From May through June 2022, CISA provided remote incident support at an organization where CISA observed suspected Log4Shell PowerShell downloads. During remote support, CISA confirmed the organization was compromised by malicious cyber actors who exploited Log4Shell in a VMware Horizon server that did not have patches or workarounds applied. CISA analyzed five malware samples obtained from the organization’s network: two malicious PowerShell files, two Extensible Markup Language (XML) files, and a 64-bit compiled Python Portable Executable (PE) file.
The two PowerShell files are Trojan downloaders designed to download malicious files from a command and control (C2) server and install them on the compromised system. One of the scripts also checks for and installs Nmap if it is not installed on the compromised system. The two XML files are for scheduling tasks for persistence. The 64-bit compiled Python PE file is designed to perform scans for IP addresses of live hosts, open ports, and services running on those hosts.
For more information on Log4Shell, see:
For a downloadable copy of IOCs, see: MAR-10386789-1.v1.stix.
Submitted Files (5)
1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b (this.ps1)
4cdd06a36858ac32a09606bfecb54b517ad41a6aac1e37ca56bb1c193f8174cf (RuntimeService.exe)
76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e (ps.ps1)
c357879e2c1013dcf999bcdc65372eacf0895af4a4b4bad2b7d28108d3e7c46a (this.xml)
e3d2e6b5cd422de1be7e6aa830b91115d204ba5e87c77b6431f3313e0930a697 (that.xml)
Additional Files (8)
3b4d726bd366e7439367fa78a186dfa9b641d3b2ad354fd915581b6567480f94 (nmap.exe)
407d60626707baee29fb9f2597dd32cfd544ff46df7f76e51ff0b79b3ffce3f2 (this.xml)
42c844c62ad1b7ae1925973a9b6845b40d4f626a4895cba9ae9e3e3de3f7973a (n.zip)
6408217e10fac9f6549ffaaab328bcfeed4a7ebea71f3dcf60f6186e1b21b501 (that.xml)
817046c4fe89cd44dbb613cdac2f0c165e2b47d2b5245911ca6fabdda89d1691 (this.ps1)
b050749c87399f9978cc6eaea7d25405fc0d099a14c169f5c5f63b8b6ec98b0f (RuntimeService.exe)
e6bc8aa44233312058704b4d5954c45b4160841f470dd7f6d13c08940e61a7bb (ps.ps1)
fb833ecd1b1050304f364f879b8b1f7b7136e9c4a21aaf0a6c6b3f419e892d6d (elasticsearch.nse)
IPs (1)
66.70.238.65
Findings
1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b
Tags
downloader, loader, trojan
Details
Name | this.ps1 |
---|---|
Size | 7962 bytes |
Type | ASCII text, with very long lines, with CRLF line terminators |
MD5 | 8aedb094121903a3bfc3dade34f48126 |
SHA1 | ed1aad906c2d63c8593708fb685655b891a02854 |
SHA256 | 1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b |
SHA512 | 2c09fb3defdd4810c89d3acaa57fdf3fd1ca9cffe6db43bab73bc629db817d273254be9c35d9cdb161cd0f9c35f5537efafe68bf83d7adb7d022600fd26e6e89 |
ssdeep | 192:Ki17MYm59jl5VlxN17MYmoFW2SvjkrvVlxN17MYm7rY2E2/:KIwZ99wnZ2wbrY9W |
Entropy | 5.256359 |
Path | C:\Users\Public\Downloads\this.ps1 |
Antivirus
ESET | PowerShell/TrojanDownloader.Agent.EQN trojan |
---|---|
YARA Rules
    rule CISA_10386789_01 : downloader
    {
        meta:
            Author = "CISA Code & Media Analysis"
            Incident = "10386789"
            Date = "2022-06-08"
            Last_Modified = "20220613_1130"
            Actor = "n/a"
            Category = "Downloader"
            Family = "n/a"
            Description = "Detects PowerShell downloader samples"
            MD5_1 = "8aedb094121903a3bfc3dade34f48126"
            SHA256_1 = "1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b"
            MD5_2 = "1940ddb77882162f898bc3aae9c67d94"
            SHA256_2 = "817046c4fe89cd44dbb613cdac2f0c165e2b47d2b5245911ca6fabdda89d1691"
            MD5_3 = "84aadb11699f0c3ed062f484aa0a622e"
            SHA256_3 = "e6bc8aa44233312058704b4d5954c45b4160841f470dd7f6d13c08940e61a7bb"
            MD5_4 = "a439e7a030d52c8d31bf2c140ccf216b"
            SHA256_4 = "76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e"
        strings:
            $s0 = { 44 6F 63 75 6D 65 6E 74 73 5C 70 73 2E 70 73 31 }                                  // Documents\ps.ps1
            $s1 = { 44 6F 77 6E 6C 6F 61 64 73 5C 65 6C 61 73 74 69 63 73 65 61 72 63 68 2E 6E 73 65 } // Downloads\elasticsearch.nse
            $s2 = { 5C 55 6E 69 6E 73 74 61 6C 6C 5C 4E 70 63 61 70 49 6E 73 74 }                      // \Uninstall\NpcapInst
            $s3 = { 5C 55 6E 69 6E 73 74 61 6C 6C 5C 4E 6D 61 70 }                                     // \Uninstall\Nmap
            $s4 = { 2F 44 65 6C 65 74 65 20 2F 74 6E 20 22 52 75 6E 74 69 6D 65 20 53 65 72 76 69 63 65 22 } // /Delete /tn "Runtime Service"
            $s5 = { 44 6F 77 6E 6C 6F 61 64 73 5C 6E 2E 7A 69 70 22 }                                  // Downloads\n.zip"
            $s6 = { 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 52 75 6E 74 69 6D 65 20 55 70 64 61 74 65 20 53 65 72 76 69 63 65 } // \Microsoft\Windows\Runtime Update Service
            $s7 = { 44 6F 77 6E 6C 6F 61 64 73 5C 6E 6D 61 70 2E 65 78 65 22 }                         // Downloads\nmap.exe"
            $t8 = { 6D 61 74 63 68 20 22 73 79 73 74 65 6D 70 72 6F 66 69 6C 65 }                      // match "systemprofile
            $t9 = { 2D 6E 6F 74 6D 61 74 63 68 20 22 41 70 70 44 61 74 61 }                            // -notmatch "AppData
            $t10 = { 20 6B 69 6C 6C 20 2D 49 64 20 }                                                    //  kill -Id
            $t11 = { 2F 52 75 6E 20 2F 74 6E 20 22 52 75 6E 74 69 6D 65 20 53 65 72 76 69 63 65 }      // /Run /tn "Runtime Service
            $t12 = { 44 6F 77 6E 6C 6F 61 64 73 5C 74 68 69 73 2E 70 73 31 }                           // Downloads\this.ps1
        condition:
            all of ($s*) or all of ($t*)
    }
ssdeep Matches
No matches found.
Relationships
1d459b9909… | Contains | 66.70.238.65 |
1d459b9909… | Connected_To | 66.70.238.65 |
1d459b9909… | Downloaded | e3d2e6b5cd422de1be7e6aa830b91115d204ba5e87c77b6431f3313e0930a697 |
1d459b9909… | Downloaded | c357879e2c1013dcf999bcdc65372eacf0895af4a4b4bad2b7d28108d3e7c46a |
1d459b9909… | Downloaded | 4cdd06a36858ac32a09606bfecb54b517ad41a6aac1e37ca56bb1c193f8174cf |
1d459b9909… | Downloaded | 42c844c62ad1b7ae1925973a9b6845b40d4f626a4895cba9ae9e3e3de3f7973a |
1d459b9909… | Downloaded | 76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e |
Description
This artifact is a malicious PowerShell script file downloaded and installed by “ps.ps1” (a439e7a030d52c8d31bf2c140ccf216b). When executed, it stops and deletes the scheduled tasks below if they exist on the compromised system:
–Begin task name–
“Runtime Service”
“\Microsoft\Windows\Runtime Update Service”
–End task name–
It downloads and installs the scheduled task XML file and the PowerShell file below if “C:\Program Files (x86)\Nmap\RuntimeService.exe” is already installed on the compromised system:
–Begin files–
C:\Users\Public\Downloads\that.xml ==> “9bf865e73bb0bf021af2d4a2ce1abdfe”
C:\Users\Public\Documents\ps.ps1 ==> “a439e7a030d52c8d31bf2c140ccf216b”
–End files–
It creates a scheduled task named “\Microsoft\Windows\Runtime Update Service” from the task definition in the above XML file to execute “C:\Users\Public\Documents\ps.ps1” at a specified time each day for persistence, and then exits.
Displayed below is the command used to install the scheduled task named “\Microsoft\Windows\Runtime Update Service”:
–Begin scheduled task–
schtasks.exe /Create /XML “C:\Users\Public\Downloads\that.xml” /tn “\Microsoft\Windows\Runtime Update Service”
–End scheduled task–
If “RuntimeService.exe” is not present, it checks whether the Nmap installation path “C:\Program Files (x86)\Nmap” exists on the victim’s system. If the path exists, it searches for a running process named “RuntimeService”, which is the 64-bit Python compiled PE file; if the process is running, it attempts to terminate it and delete “C:\Program Files (x86)\Nmap\RuntimeService.exe”. It then downloads and installs a scheduled task XML file and the Python compiled PE file, copying the PE file from “C:\Users\Public\Downloads\RuntimeService.exe” into the Nmap installation folder as “C:\Program Files (x86)\Nmap\RuntimeService.exe”.
Displayed below are the scheduled task XML file and PE file installed at runtime:
–Begin files–
C:\Users\Public\Downloads\this.xml ==> “e4ea99b9a35807bae6bc2885b220c498”
C:\Users\Public\Downloads\RuntimeService.exe ==> copied to C:\Program Files (x86)\Nmap\RuntimeService.exe ==> “eda057d006561e28563813b2e81b9fd0”
–End files–
It creates a scheduled task named “Runtime Service” from the task definition in the above “this.xml” file on the victim’s system to execute the PE file “C:\Program Files (x86)\Nmap\RuntimeService.exe” with predefined arguments on every system reboot for persistence.
Displayed below is the command used to install the scheduled task named “Runtime Service”:
–Begin scheduled task–
schtasks.exe /Create /XML “C:\Users\Public\Downloads\this.xml” /tn “Runtime Service”
–End scheduled task–
If the Nmap installation path “C:\Program Files (x86)\Nmap” does not exist on the victim’s system, it downloads a zip file from its C2 server to “C:\Users\Public\Downloads\n.zip”. The zip file contains the Nmap installer and the NSE file. It runs the Nmap installer on the compromised system with the command below:
–Begin command–
start “C:\Users\Public\Downloads\Nmap.exe” “/S”
–End command–
It then downloads the files RuntimeService.exe, this.xml, that.xml, and ps.ps1 from its C2 server into “C:\Users\Public\Downloads”.
It copies the NSE file from “C:\Users\Public\Downloads\elasticsearch.nse” to “C:\Program Files (x86)\Nmap\scripts\elasticsearch.nse”, and the Python PE file from “C:\Users\Public\Downloads\RuntimeService.exe” to “C:\Program Files (x86)\Nmap\RuntimeService.exe”. It creates scheduled tasks named “Runtime Service” and “Runtime Update Service” from the task definitions in the above XML files on the victim’s system for persistence.
It removes the uninstall command for the Nmap application and for the Nmap Project’s packet capture library (Npcap) by setting the “UninstallString” registry value to an empty string under the following registry keys:
–Begin registry entries–
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst”
“UninstallString” = “C:\Program Files\Npcap\uninstall.exe”
“HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nmap”
“UninstallString” = “C:\Program Files (x86)\Nmap\uninstall.exe”
–End registry entries–
It deletes the files below from the victim’s system:
–Begin files–
C:\Users\Public\Downloads\nmap.exe
C:\Users\Public\Downloads\elasticsearch.nse
C:\Users\Public\Downloads\n.zip
C:\Users\Public\Downloads\RuntimeService.exe
C:\Users\Public\Downloads\this.xml
C:\Users\Public\Downloads\that.xml
–End files–
Displayed below is the list of Uniform Resource Identifiers (URIs) used to download the files above:
–Begin URIs–
http[:]//66[.]70[.]238[.]65/RuntimeService.exe
http[:]//66[.]70[.]238[.]65/this.xml
http[:]//66[.]70[.]238[.]65/that.xml
http[:]//66[.]70[.]238[.]65/ps.ps1
http[:]//66[.]70[.]238[.]65/n.zip
–End URIs–
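The following host triage script is an added example, not part of the CISA report: it checks a Windows host for the artifacts the description above walks through (the two scheduled tasks, the staged and copied files with their SHA256s from the Submitted Files list, and the blanked UninstallString values). It assumes the task names map to the Task Scheduler folders implied by their names and that the HKLM: drive paths correspond to the HKEY_LOCAL_MACHINE keys listed; run it from an elevated PowerShell session.

```powershell
# Added triage script, not from the CISA report: hunts for the artifacts MAR-10386789-1.v1
# describes. SHA256s are the report's "Submitted Files"; names and paths come from the description.
$Findings = [System.Collections.Generic.List[string]]::new()

# Scheduled tasks created with schtasks /Create /XML (Task Scheduler folder + task name, assumed layout).
$Tasks = @(
    @{ Path = '\';                   Name = 'Runtime Service' },
    @{ Path = '\Microsoft\Windows\'; Name = 'Runtime Update Service' }
)
foreach ($t in $Tasks) {
    $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $Findings.Add("Scheduled task present: $($t.Path)$($t.Name) -> $action")
    }
}

# Known-bad SHA256s from the report, keyed to the file name each sample was observed under.
$KnownHashes = @{
    '1D459B9909ADF98690635C62EA005009EDE8EB9A665B8703FE2AD0B0C414816B' = 'this.ps1'
    '4CDD06A36858AC32A09606BFECB54B517AD41A6AAC1E37CA56BB1C193F8174CF' = 'RuntimeService.exe'
    '76A2979D965D42F99558CA6ECD97734697249667291A3013D611E310A03F550E' = 'ps.ps1'
    'C357879E2C1013DCF999BCDC65372EACF0895AF4A4B4BAD2B7D28108D3E7C46A' = 'this.xml'
    'E3D2E6B5CD422DE1BE7E6AA830B91115D204BA5E87C77B6431F3313E0930A697' = 'that.xml'
}
# Staging directory plus the Nmap folder the PE and the NSE script are copied into.
$Paths = @(
    'C:\Users\Public\Downloads\this.ps1', 'C:\Users\Public\Downloads\this.xml',
    'C:\Users\Public\Downloads\that.xml', 'C:\Users\Public\Downloads\n.zip',
    'C:\Users\Public\Downloads\RuntimeService.exe', 'C:\Users\Public\Documents\ps.ps1',
    'C:\Program Files (x86)\Nmap\RuntimeService.exe', 'C:\Program Files (x86)\Nmap\scripts\elasticsearch.nse'
)
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    $label = if ($KnownHashes.ContainsKey($h)) { "KNOWN-BAD ($($KnownHashes[$h]))" } else { 'hash not in report, review' }
    $Findings.Add("File present: $p [$h] $label")
}

# The downloader blanks UninstallString so Nmap and Npcap cannot be removed the normal way.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nmap'
)
foreach ($k in $UninstallKeys) {
    $v = Get-ItemProperty -Path $k -Name UninstallString -ErrorAction SilentlyContinue
    if ($v -and [string]::IsNullOrEmpty($v.UninstallString)) { $Findings.Add("UninstallString blanked: $k") }
}
if ($Findings.Count -eq 0) { 'No MAR-10386789 artifacts found.' } else { $Findings | ForEach-Object { Write-Warning $_ } }
```

A legitimate Nmap install with an intact UninstallString and no RuntimeService.exe in its folder produces no finding, so the registry and file checks together separate the abused install from a normal one.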
Screenshots