Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR–Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency. When 11 of the dynamic link library (DLL) files are loaded, the files can read, create, and delete files. If the DLL contains a hardcoded Internet Protocol (IP) address, status messages will be sent to the IP. One DLL file will attempt to collect the target system’s Transmission Control Protocol (TCP) connection table, and exfiltrate it to a remote Command and Control server (C2). Five of the files drop and decode a reverse shell utility that can send and receive data and commands. In addition, the files drop and decode an Active Server Pages (ASPX) webshell. Two DLL files are capable of loading and executing payloads. CISA has provided Indicators of Compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR). For more information about this compromise, see Joint Cybersecurity Advisory Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server.
Submitted Files (18)

11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd (1597974061[.]4531896[.]png)
144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d (1666006114[.]5570521[.]txt)
508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370 (xesmartshell[.]tmp)
707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b (1665130178[.]9134793[.]dll)
72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911 (1594142927[.]995679[.]png)
74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730 (1665131078[.]6907752[.]dll)
78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933 (1596686310[.]434117[.]png)
833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d (1665128935[.]8063045[.]dll)
853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa (1667466391[.]0658665[.]dll)
8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505 (1596923477[.]4946315[.]png)
a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b (1665909724[.]4648924[.]dll)
b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f (1665129315[.]9536858[.]dll)
d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35 (1667465147[.]4282858[.]dll)
d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2 (SortVistaCompat)
dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f (1665214140[.]9324195[.]dll)
e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913 (1667465048[.]8995082[.]dll)
e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a (1596835329[.]5015914[.]png)
f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4 (1665132690[.]6040645[.]dll)

Additional Files (6)

08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415 (small[.]aspx)
11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad (XEReverseShell[.]exe)
1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2 (xesvrs[.]exe)
5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570 (small[.]txt)
815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f (XEReverseShell[.]exe)
a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c (Multi-OS_ReverseShell[.]exe)

Domains (3)

hivnd[.]com
xegroups[.]com
xework[.]com

IPs (4)

137[.]184[.]130[.]162
144[.]96[.]103[.]245
184[.]168[.]104[.]171
45[.]77[.]212[.]12

Findings

144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d

Tags
wiper

Details
Antivirus
No matches found.

YARA Rules

ssdeep Matches
No matches found.

Description
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. This DLL deletes files that end in “.dll” from C:\windows\temp.

e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913

Tags
information-stealer

Details
Antivirus
No matches found.

YARA Rules

ssdeep Matches
No matches found.

Relationships

Description
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Loading this DLL will send “+_+_+” to 45[.]77[.]212[.]12 over port 443. Then, C:\inetpub\temp, D:\inetpub\temp, and E:\inetpub\temp are scanned recursively for files that end in .config. When a .config file is found, the DLL will look for the strings “physicalPath=” and “/>” within the file. If there is data between those two strings, it will be sent to the IP. If there was an error calling CreateFileA, “Errorcode: {Error_Code}” will be sent to the IP. If there was an error calling VirtualAlloc, “VirtualAlloc failed” will be sent to the IP. If there was an error while calling ReadFile, “read file failed” will be sent to the IP.

45[.]77[.]212[.]12

Tags
command-and-control

Ports
Whois
NetRange: 45[.]76[.]0[.]0 – 45[.]77[.]255[.]255
OrgName: The Constant Company, LLC
OrgNOCHandle: NETWO1159-ARIN
OrgAbuseHandle: ABUSE1143-ARIN
OrgTechHandle: NETWO1159-ARIN

NetRange: 45[.]77[.]212[.]0 – 45[.]77[.]213[.]255
OrgName: Vultr Holdings, LLC
OrgAbuseHandle: VULTR-ARIN
OrgTechHandle: VULTR-ARIN

Relationships

Description
This IP was utilized by multiple malicious applications in this report as a C2 server. The malware uses it to send status information from commands executed on the system, and as a location to exfiltrate sensitive system and network information.

d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35

Tags
information-stealer

Details
Antivirus
No matches found.

YARA Rules

ssdeep Matches
No matches found.

Relationships

Description
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. The file has the same functionality as “1667465048[.]8995082[.]dll” (e044bce06e…).

853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa

Tags
information-stealer

Details
Antivirus
No matches found.

YARA Rules

ssdeep Matches
No matches found.

Relationships

Description
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Loading this DLL will send “+_+_+” to 45[.]77[.]212[.]12 over port 443. The DLL will then create E:\websites\ico[.]txt and write “111” to that file. If there was an error creating the file, “CreateFile Error code: {Error_Code}” will be sent to the IP and execution ends. If there was an error writing to the file, “WriteFile Error code: {Error_Code}” will be sent to the IP and execution ends. If there are no errors, “CreateFileA OK” will be sent. The DLL will then delete E:\websites\ico[.]txt. If successful, “DeleteFileA OK” will be sent to the IP. If there was an error, “DeleteFileA failed” will be sent to the IP. Analysis indicates the purpose of this application is to provide a remote operator the ability to determine whether or not they can write files to the system’s web server directory. This capability will likely allow the operator to determine whether or not they can remotely install a webshell to allow convenient and persistent remote access to the compromised system.

Screenshots
Figure 1 – This code illustrates the malware attempting to create a file on the targeted system within the E:\websites directory. This appears to be a test to ensure the remote operator can remotely install web application code onto the target.

a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b

Tags
trojan

Details

Antivirus
No matches found.

YARA Rules
No matches found.

ssdeep Matches
No matches found.

Relationships

Description
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Static analysis indicates that the primary purpose of this code is to obtain a copy of the targeted system’s TCP connection table via the GetTcpTable API, and export it to the malware’s remote C2 server 45[.]77[.]212[.]12. The purpose of this application is to allow a remote operator to determine what systems the targeted system currently has an established TCP session with. This capability will allow the operator to more efficiently profile the targeted network.

Screenshots
Figure 2 – The malicious binary loading its C2 IP 45[.]77[.]212[.]12 onto the stack.
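As an added example that is not part of this CISA report, the following Python sweeps log lines and a captured TCP payload for the network indicators the report gives: the C2 IPs and domains listed above, and the “+_+_+” string that the DLLs described under e044bce06e… and 853e8388c9… send to 45[.]77[.]212[.]12 on load. The log line format ("timestamp source destination:port hostname"), the log lines and the payloads are constructed for the demonstration and are not data from the engagement.

```python
"""Added example, not CISA's code: refang the defanged IOCs from the MAR
and sweep constructed log lines and payloads for them."""
import re
from dataclasses import dataclass

# Network IOCs copied from the report, in its defanged form.
DEFANGED_IPS = [
    "45[.]77[.]212[.]12", "137[.]184[.]130[.]162",
    "144[.]96[.]103[.]245", "184[.]168[.]104[.]171",
]
DEFANGED_DOMAINS = ["hivnd[.]com", "xegroups[.]com", "xework[.]com"]

# First message the DLLs send to the C2 after being loaded (from the report).
BEACON = b"+_+_+"


def refang(ioc: str) -> str:
    """Turn '45[.]77[.]212[.]12' back into '45.77.212.12' for matching."""
    return ioc.replace("[.]", ".")


IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str  # "ip" or "domain"


# Assumed (hypothetical) log format: "<ts> <src> <dst>:<port> <host>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<host>\S+)$"
)


def scan_log(lines):
    """Return one Hit per IOC match; malformed lines are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        if m["dst"] in IPS:
            hits.append(Hit(n, m["dst"], "ip"))
        host = m["host"].lower().rstrip(".")
        # Match the domain itself and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in DOMAINS):
            hits.append(Hit(n, host, "domain"))
    return hits


def has_beacon(payload: bytes) -> bool:
    """True if a captured payload contains the loader's '+_+_+' beacon."""
    return BEACON in payload


# Constructed sample log lines (not from the engagement).
CONSTRUCTED_LOG = [
    "T1 10.0.0.5 45.77.212.12:443 -",
    "T2 10.0.0.5 198.51.100.20:443 www.example.org",
    "T3 10.0.0.7 203.0.113.9:80 cdn.xework.com",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for h in scan_log(CONSTRUCTED_LOG):
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator}")
    print("beacon seen:", has_beacon(b"+_+_+"))
```

A hit on 45.77.212.12 over 443 or on any of the three domains warrants pulling the source host's IIS temp and web root directories for the DLLs and the small.aspx webshell listed under Additional Files.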