GET TO THE CHOPPAH

A new variant of this tool, previously reported in 2013 by TrendLabs, was submitted to VirusTotal from the Philippines on March 27th, 2017. Its original filename, 2017.exe, was prescient since it has the ability to exploit CVE-2017-5638 and other previous Apache STRUTS vulnerabilities.

File Details
File Name: 2017.exe

File Size: 107008 bytes

MD5:         3b405c30a7028e05742d0fbf0961e6b2

SHA1:         1d69338543544b31444d0173c08e706d57f148cb

PE Time:   0x58D24651 [Wed Mar 22 09:39:29 2017 UTC]

PEID Sig:   Microsoft Visual C# / Basic .NET

PEID Sig:   Microsoft Visual Studio .NET

PEID Sig:   .NET executable .NET executable compressor

Sections (3):

Name     Entropy     MD5

.text         5.29          85cb592ad6f0d2a47a2d873db6c587af
.rsrc         4.08         3b438fb713ec89f2430e8100a3a25e04
.reloc       0.1            efd52c048dfc4249799144c25a9a6239

Table 1 Tool Details

The application decompiles cleanly with a tool like ILSpy and contains no real surprises. When the C# app is executed it runs a GUI, presenting the user with a static header (vulnerability selection and execution portion) and footer (log output box). The middle section comprises four tabs, shown in Figure 1 below.

Fig1_Tool

Figure 1 Tool Overview

The first tab provides an overview of the vulnerabilities it is configured to exploit, along with handy links to documentation for each one. To use the application, you enter the URL you’d like to target and then select the exploit in a dropdown box. Then you select an HTTP Method and hit the button underneath it. If successful, the information from the targeted application will show up in the log and replace the contents of this first window.

Fig2_VulnServer

Figure 2 Query Vulnerable Server

The second tab includes a dropdown menu of canned commands to run on the target machine, Windows and Linux shell commands are supported. Alternatively, you may select to run a batched cmd.txt from the same local directory to run on the remote target.

Fig3_

Figure 3 Preconfigured Queries

Fig4_ExecutedCommand

Figure 4 Executed Command Output

This behavior is detectable via RSA NetWitness® Endpoint and Packets. The HTML.lua parser for Packets contains code that enables finding this behavior in either the GET or POST HTTP Methods.

Fig5_IOC

Figure 5 IOC Metadata

When seeing this alert, you can pivot into RSA NetWitness Endpoint, searching in Tracking Data to determine if the Apache Tomcat process executed the requested command. If so, the server is vulnerable and should be handled according to your Incident Response plan as the actors likely ran additional commands. This can be verified by hitting ctl-f and searching within NetWitness Endpoint for ‘Tomcat’ to filter on those events. The Event “Create Process” is where you’ll find the attackers command history.

Fig6_NW-Endpoint

Figure 6 RSA NetWitness Endpoint Event

You may also follow-up in Packets. The HTTP response will not be HTML, rather it will be raw output from the command that was run.

Fig7_NW-packet

Figure 7 NetWitness Packets Command Execution

The third tab (Figure 8) is a webshell installer function. By default it is configured to install the JSP version of China Chopper with the default password ‘chopper’. This can be controlled with a customized version of caidao.exe or cknife. Alternatively, you can paste in your own JSP code and choose the webshell of your liking. This simple webshell is a perfect fit as the application errors on larger, fuller function webshells. Figure 9 displays the remote command execution and output. This is more of a half shell and won’t allow interactive applications such as powershell or mimikatz to properly execute.

Fig8_webshell

Figure 8 Webshell Installation

Fig9_webshell

Figure 9 Simple Webshell Output

The final tab (Figure 10) allows you to add a list of URL’s manually, or via a text file, in order to perform bulk scans. Anyone searching for vulnerable applications can use google dorking to find and scrape vulnerable URL’s and then bulk scan using this tool.

Fig10_bulk-scanning-utility

Figure 10 Bulk Scanning Utility

This simple tool, an evolution of a previously released tool, keeps pace with recently released vulnerabilities. When only using signature-based tools to detect and defend your network, you can easily fall prey to zero-day exploits, such as CVE-2017-5638. With comprehensive network and endpoint forensics tools that deliver data in near-real time, such as the RSA NetWitness Suite, defenders can proactively search for this behavior and find new techniques. RSA recommends proactive security; hunting versus fishing.

No Comments