MAR-10443863-1.v1 CVE-2017-9248 Exploitation in U.S. Government IIS Server
Post published:June 16, 2023
Summary
Description
CISA received three files for analysis: three webshells, one written in PHP: Hypertext Preprocessor (PHP), one in Active Server Pages Extended (ASPX), and one compiled as a .NET Dynamic-Link Library (DLL). The sample “sd.php” is heavily obfuscated, layering the ROT13 algorithm, zlib compression and Base64 encoding. The “osker.aspx” webshell is padded with junk code. The .NET DLL is a compiled version of osker.aspx. All three are interactive webshells that can upload and manage files, create directories and files, and execute commands on the target machine.
This sample is an obfuscated PHP interactive webshell. It is encoded and obfuscated with ROT13, raw DEFLATE compression (unpacked with gzinflate) and Base64, and is unpacked at runtime by the wrapper “eval(str_rot13(gzinflate(str_rot13(base64_decode(($sym))))));”. The obfuscated code is stored as a string in the $sym variable, from which it is read and decoded upon execution (Figure 1); the decoding order is therefore Base64 decode, ROT13, inflate, ROT13, and the result is passed straight to eval(). The webshell requires the password “pass” for authentication and uses the string “$xyn=’tunafeesh’;” as a cookie to authenticate.
This webshell enumerates the local system it infects, including the operating system, current user, directories, files and permissions. It can create, rename and delete files and directories, upload additional files to the affected web server, run in Safe Mode and execute commands via cmd.exe (Figure 2). The webshell presents the operator with a graphical user interface (GUI) for performing these operations on the infected machine.
Figure 2. – sd.php webshell interface. A threat actor (TA) with remote access to this interface can upload additional files, create directories and files, run commands and more.
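To recover the sd.php payload without executing it, the following Python script (an added example, not part of the CISA report and not the malware's own code) reimplements the four functions in the eval() wrapper and applies them in the order the wrapper does: base64_decode, str_rot13, gzinflate, str_rot13. The embedded SAMPLE_PHP is constructed here by packing a harmless stand-in with the same layering so the script runs offline; the real sd.php would be read from disk instead. peel() also loops over nested layers, which goes beyond what the report describes for this sample, and the regular expressions for the $sym assignment and the wrapper are this example's assumptions about the file layout.

```python
import base64
import re
import zlib

# Assumed layout (this example's own regexes): the wrapper quoted in the report
# and the $sym assignment it reads. Nested parentheses around $sym are optional.
WRAPPER_RE = re.compile(
    r"eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(?\$sym\)?\)\)\)\)\);"
)
SYM_RE = re.compile(r'''\$sym\s*=\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*;''')


def rot13_bytes(data: bytes) -> bytes:
    """Byte-wise ROT13 equivalent to PHP str_rot13(): only A-Z and a-z move,
    so compressed binary data passes through with just its letters rotated."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        if 65 <= b <= 90:
            out[i] = (b - 65 + 13) % 26 + 65
        elif 97 <= b <= 122:
            out[i] = (b - 97 + 13) % 26 + 97
        else:
            out[i] = b
    return bytes(out)


def gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib/gzip header, the format PHP gzdeflate() emits."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def gzinflate(data: bytes) -> bytes:
    """Inverse of gzdeflate(), i.e. PHP gzinflate() (negative wbits = raw stream)."""
    return zlib.decompress(data, -15)


def encode_layered(code: bytes) -> bytes:
    """Rebuild the sd.php layering so the decoder can be exercised offline:
    code -> str_rot13 -> gzdeflate -> str_rot13 -> base64."""
    return base64.b64encode(rot13_bytes(gzdeflate(rot13_bytes(code))))


def decode_layered(payload: bytes) -> bytes:
    """Undo the eval() chain in the order the wrapper applies it:
    base64_decode -> str_rot13 -> gzinflate -> str_rot13, with no eval."""
    return rot13_bytes(gzinflate(rot13_bytes(base64.b64decode(payload))))


def peel(php_source: str, max_layers: int = 10) -> str:
    """Statically unwrap a file built on this wrapper. Loops because packers of
    this kind are often nested; stops when no $sym/eval pair remains."""
    current = php_source
    for _ in range(max_layers):
        sym = SYM_RE.search(current)
        if not sym or not WRAPPER_RE.search(current):
            return current
        current = decode_layered(sym.group(1).encode()).decode("latin-1")
    raise ValueError("more than %d layers; refusing to continue" % max_layers)


# Constructed stand-in for sd.php; the inner code is this example's own, not the real shell.
INNER_CODE = b"<?php $xyn='tunafeesh'; if(isset($_POST['pass'])){ echo 'authenticated'; } ?>"
SAMPLE_PHP = (
    "<?php\n$sym='" + encode_layered(INNER_CODE).decode() + "';\n"
    "eval(str_rot13(gzinflate(str_rot13(base64_decode(($sym))))));\n"
)

if __name__ == "__main__":
    print(peel(SAMPLE_PHP))
```

Replacing eval() with echo in a PHP sandbox gives the same plaintext, but decoding in another language avoids running attacker-controlled code at all and keeps the ROT13 step byte-exact: PHP's str_rot13 touches only ASCII letters, so the compressed bytes survive it with just those letters rotated, which is why a byte-wise rather than text-wise ROT13 is needed.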
This sample is an ASP.NET webshell. The webshell code is padded with junk code for detection evasion; the beginning of the code is shown in Figure 3. The webshell can be accessed interactively through a browser, which renders the GUI shown in Figure 4.
This webshell can enumerate drive names and types, installed software, operating system versions, processes and users, and can copy, create and delete files, directories and databases. It can also upload and download files and run commands through cmd.exe and sqlcmd.exe. It interacts with and manipulates SQL databases using a connection string and query supplied by the operator (see the SqlConnection and SqlCommand strings below), queries processes, users and network domains through Windows Management Instrumentation (WMI) management objects, and encodes and decodes data with Base64.
—Notable Strings Begin—
osker
321
base64Decode
Select * from Win32_Process
Select * from Win32_Process Where ProcessID
Add_Table_Row(tbl, "Server IP", Request.ServerVariables["LOCAL_ADDR"]);
Add_Table_Row(tbl, "Host Name", Dns.GetHostName() );//Environment.MachineName);
Add_Table_Row(tbl, "IIS Version", Request.ServerVariables["SERVER_SOFTWARE"]);
Add_Table_Row(tbl, "IIS APPPOOL Identity", Environment.UserName);
Add_Table_Row(tbl, "OS Version", Environment.OSVersion.ToString());
myconn = new SqlConnection(connections.Text);
myconn.Open();
string command = query;
mycomm = new SqlCommand(command, myconn);
SqlDataReader dr = mycomm.ExecuteReader();
string query = “Select * from Win32_Process Where ProcessID = “” + processName + “””;
ManagementObjectSearcher searcher = new ManagementObjectSearcher(query);
ManagementObjectCollection processList = searcher.Get();
ManagementObjectSearcher QS=new ManagementObjectSearcher(new SelectQuery(query));
—Notable Strings End—
Screenshots
Figure 3. – Beginning of osker.aspx webshell code.
Figure 4. – Web interface for osker.aspx webshell. The webshell interface password is “321”.
This is a 32-bit .NET Dynamic-Link Library (DLL) file. The sample is an ASP.NET webshell related to the osker.aspx file. These webshells may affect Microsoft Exchange Servers and IIS services exploited by the ProxyLogon vulnerability. The DLL is the assembly the ASP.NET runtime creates when it compiles an ASPX page the first time that page is requested on the system; its capabilities and functions are identical to those of osker.aspx.
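To triage an IIS host for osker.aspx and for the compiled DLL described above, the following Python script (an added example, not part of the CISA report and not code from the malware) scores ASP.NET source files and .NET assemblies against the notable strings listed for osker.aspx. The indicator set, the weights, the THRESHOLD cut-off and the two embedded sample pages are constructed for this example and are a triage aid, not a signature. Because a compiled .NET assembly keeps its C# string literals as UTF-16LE, score_bytes() decodes each file both as 8-bit text and as UTF-16LE, which is what lets the same indicators match the DLL the ASP.NET runtime produced from the page (on a real host, point scan_tree() at the web root and at the Temporary ASP.NET Files directory).

```python
import os
import re
import sys

# Indicators taken from the notable strings above; weights are this example's own choice.
INDICATORS = {
    "wmi_searcher":       (r"ManagementObjectSearcher", 3),
    "wmi_win32_process":  (r"Win32_Process", 3),
    "sql_connection":     (r"SqlConnection", 1),
    "sql_command":        (r"SqlCommand\(", 1),
    "sql_reader":         (r"ExecuteReader", 1),
    "cmd_exe":            (r"(?<!sql)cmd\.exe", 3),
    "sqlcmd_exe":         (r"sqlcmd\.exe", 3),
    "server_fingerprint": (r'ServerVariables\["(LOCAL_ADDR|SERVER_SOFTWARE)"\]', 1),
    "env_fingerprint":    (r"Environment\.(UserName|OSVersion)", 1),
    "osker_name":         (r"\bosker\b", 5),
    "b64_helper":         (r"base64Decode", 1),
}
THRESHOLD = 6  # constructed cut-off: one strong indicator plus supporting ones

SOURCE_EXTS = {".aspx", ".ashx", ".asmx", ".ascx"}
BINARY_EXTS = {".dll"}


def score_source(text):
    """Return (score, sorted hit labels) for one decoded page or string table.
    Each indicator counts once no matter how often it appears."""
    hits = [name for name, (pattern, _) in INDICATORS.items()
            if re.search(pattern, text, re.IGNORECASE)]
    return sum(INDICATORS[name][1] for name in hits), sorted(hits)


def score_bytes(data):
    """Score raw file bytes. .NET assemblies store C# literals as UTF-16LE,
    so both decodings are tried and the better result kept."""
    as_text = data.decode("latin-1")
    as_utf16 = data.decode("utf-16-le", errors="ignore")
    return max(score_source(as_text), score_source(as_utf16), key=lambda r: r[0])


def scan_tree(root):
    """Walk a web root or Temporary ASP.NET Files tree; return suspicious files
    as (path, score, hits), highest score first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SOURCE_EXTS and ext not in BINARY_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    score, hits = score_bytes(fh.read())
            except OSError:
                continue
            if score >= THRESHOLD:
                findings.append((path, score, hits))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed samples for a stand-alone run; neither is the real osker.aspx.
SAMPLE_SHELL = r'''<%@ Page Language="C#" %>
<%@ Import Namespace="System.Management" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
int pad1 = 1; int pad2 = 2; int pad3 = pad1 + pad2; // junk padding
void ListProcs() {
    string query = "Select * from Win32_Process Where ProcessID = '" + Request["pid"] + "'";
    ManagementObjectSearcher searcher = new ManagementObjectSearcher(query);
    foreach (ManagementObject p in searcher.Get()) { Response.Write(p["Name"]); }
}
void RunSql() {
    SqlConnection myconn = new SqlConnection(connections.Text);
    myconn.Open();
    SqlCommand mycomm = new SqlCommand(Request["q"], myconn);
    SqlDataReader dr = mycomm.ExecuteReader();
}
void Exec() { System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); }
</script>'''

SAMPLE_BENIGN = r'''<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    lblServer.Text = Request.ServerVariables["SERVER_SOFTWARE"];
    lblUser.Text = Environment.UserName;
}
</script>
<asp:Label ID="lblServer" runat="server" />'''

if __name__ == "__main__":
    for label, sample in (("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        print(label, score_source(sample))
    if len(sys.argv) > 1:
        for path, score, hits in scan_tree(sys.argv[1]):
            print(score, path, ",".join(hits))
```

A benign diagnostics page that prints SERVER_SOFTWARE or the application pool identity scores low on purpose; the weight sits on the WMI process query, the ad-hoc SqlCommand and the cmd.exe/sqlcmd.exe launchers, which is the combination that makes this family a webshell rather than an admin page. Junk-code padding does not lower the score because each indicator is matched once anywhere in the file.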
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.