A new variant of this tool, previously reported in 2013 by TrendLabs, was submitted to VirusTotal from the Philippines on March 27th, 2017. Its original filename, 2017.exe, was prescient, since it can exploit CVE-2017-5638 as well as earlier Apache Struts vulnerabilities.
File Name: 2017.exe
File Size: 107008 bytes
PE Time: 0x58D24651 [Wed Mar 22 09:39:29 2017 UTC]
PEID Sig: Microsoft Visual C# / Basic .NET
PEID Sig: Microsoft Visual Studio .NET
PEID Sig: .NET executable .NET executable compressor
Sections:
Name     Entropy   MD5
.text    5.29      85cb592ad6f0d2a47a2d873db6c587af
Table 1 Tool Details
The application decompiles cleanly with a tool like ILSpy and contains no real surprises. When the C# app is executed it runs a GUI, presenting the user with a static header (vulnerability selection and execution portion) and footer (log output box). The middle section comprises four tabs, shown in Figure 1 below.
Figure 1 Tool Overview
The first tab provides an overview of the vulnerabilities it is configured to exploit, along with handy links to documentation for each one. To use the application, you enter the URL you’d like to target and then select the exploit in a dropdown box. Then you select an HTTP Method and hit the button underneath it. If successful, the information from the targeted application will show up in the log and replace the contents of this first window.
Figure 2 Query Vulnerable Server
The second tab includes a dropdown menu of canned commands to run on the target machine; both Windows and Linux shell commands are supported. Alternatively, you may choose to run a batched cmd.txt, read from the same local directory, on the remote target.
Figure 3 Preconfigured Queries
Figure 4 Executed Command Output
This behavior is detectable via RSA NetWitness® Endpoint and Packets. The HTML.lua parser for Packets contains code that enables finding this behavior in either the GET or POST HTTP Methods.
Figure 5 IOC Metadata
When you see this alert, you can pivot into RSA NetWitness Endpoint and search in Tracking Data to determine whether the Apache Tomcat process executed the requested command. If so, the server is vulnerable and should be handled according to your Incident Response plan, as the actors likely ran additional commands. This can be verified by pressing Ctrl-F and searching within NetWitness Endpoint for ‘Tomcat’ to filter on those events. The Event “Create Process” is where you’ll find the attacker’s command history.
Figure 6 RSA NetWitness Endpoint Event
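The same triage can be scripted over exported endpoint events. The following is an added example, not code from the original post or from RSA: it filters "Create Process" events whose parent matches 'Tomcat' and returns the spawned command lines per host in time order. The CSV column names, the helper name tomcat_process_creations and the sample rows are assumptions constructed for illustration, not the NetWitness Endpoint schema.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. Column names are assumptions made for this
# example, not the NetWitness Endpoint schema.
SAMPLE_EVENTS = r"""time,host,event,source,source_cmdline,target,target_cmdline
2017-03-28T02:11:04Z,web01,Create Process,services.exe,,tomcat8.exe,tomcat8.exe //RS//Tomcat8
2017-03-28T02:14:52Z,web01,Create Process,tomcat8.exe,tomcat8.exe //RS//Tomcat8,cmd.exe,cmd.exe /c ipconfig /all
2017-03-28T02:14:37Z,web01,Create Process,Tomcat8.exe,tomcat8.exe //RS//Tomcat8,cmd.exe,cmd.exe /c whoami
2017-03-28T02:15:10Z,web01,Open Process,tomcat8.exe,tomcat8.exe //RS//Tomcat8,svchost.exe,
2017-03-28T02:20:41Z,web02,Create Process,explorer.exe,explorer.exe,cmd.exe,cmd.exe
2017-03-28T02:31:09Z,web03,Create Process,java,java org.apache.catalina.startup.Bootstrap start,sh,sh -c id
"""

# On Linux the Tomcat parent is a java process, so the parent command line
# is checked for the Catalina bootstrap class as well as the image name.
TOMCAT = re.compile(r"tomcat|catalina", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}


def tomcat_process_creations(csv_text):
    """Return {host: [(time, target, cmdline, is_shell), ...]} for every
    'Create Process' event whose parent looks like Tomcat, oldest first."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event"] != "Create Process":
            continue  # only process creation carries the command history
        if not TOMCAT.search(row["source"] + " " + row["source_cmdline"]):
            continue  # parent is not the servlet container
        is_shell = row["target"].lower() in SHELLS
        hits[row["host"]].append(
            (row["time"], row["target"], row["target_cmdline"], is_shell))
    return {host: sorted(events) for host, events in hits.items()}


if __name__ == "__main__":
    for host, events in tomcat_process_creations(SAMPLE_EVENTS).items():
        print(host)
        for time, target, cmdline, is_shell in events:
            print(f"  {time}  {cmdline}" + ("  [shell]" if is_shell else ""))
```

Any host in the result had commands spawned by the servlet container and is a candidate for the Incident Response handling described above.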
You may also follow up in Packets. The HTTP response will not be HTML; rather, it will be the raw output of the command that was run.
Figure 7 NetWitness Packets Command Execution
The third tab (Figure 8) is a webshell installer function. By default it is configured to install the JSP version of China Chopper with the default password ‘chopper’. The installed webshell can be controlled with a customized version of caidao.exe or cknife. Alternatively, you can paste in your own JSP code and choose the webshell of your liking. This simple webshell is a perfect fit, as the application errors on larger, fuller-featured webshells. Figure 9 displays the remote command execution and output. This is more of a half shell and won’t allow interactive applications such as PowerShell or mimikatz to execute properly.
Figure 8 Webshell Installation
Figure 9 Simple Webshell Output
The final tab (Figure 10) allows you to add a list of URLs manually, or via a text file, in order to perform bulk scans. Anyone searching for vulnerable applications can use Google dorking to find and scrape vulnerable URLs and then bulk scan them using this tool.
Figure 10 Bulk Scanning Utility
This simple tool, an evolution of a previously released tool, keeps pace with recently released vulnerabilities. When only using signature-based tools to detect and defend your network, you can easily fall prey to zero-day exploits, such as CVE-2017-5638. With comprehensive network and endpoint forensics tools that deliver data in near-real time, such as the RSA NetWitness Suite, defenders can proactively search for this behavior and find new techniques. RSA recommends proactive security; hunting versus fishing.