Read the original article: MAR-10297887-1.v1 – Iranian Web Shells
Original release date: September 15, 2020
Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

The Iranian-based malicious cyber actor associated with this report is known to target the information technology, government, healthcare, financial, and insurance industries across the US. The threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) in Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 products. Once the actor exploits these vulnerabilities, open source web shells and/or modified versions of those web shells are used to further entrench into a victim network. The web shells are publicly known as the ChunkyTuna, Tiny, and China Chopper web shells. This product details the functionality of 19 malicious files, including multiple components of the China Chopper web shell, among them an application service provider (ASP) application that listens for incoming Hypertext Transfer Protocol (HTTP) connections from a remote operator. The China Chopper web shell allows the operator to pass JavaScript code to a victim’s system and execute it there.
The report also details additional China Chopper web shell components that give the operator more specific command and control (C2) capabilities, including the ability to enumerate directories, upload and execute additional payloads, and exfiltrate data. In addition, a program data (PDB) file and a binary, which has been identified as a compiled version of the open source project known as “FRP”, were also analyzed. FRP allows an adversary to tunnel various types of connections to a remote operator sitting outside of the victim’s network perimeter. A PowerShell script that is part of the open source project known as “KeeThief” was also analyzed. This code allows the operator to access encrypted password credentials stored by the Microsoft “KeePass” password management software. It appears this adversary utilized these malicious tools to maintain persistent remote access to, and data exfiltration from, the victim’s network. The adversary may have used the “FRP” utility to tunnel outbound Remote Desktop Protocol (RDP) sessions, allowing persistent access to the network from outside the firewall perimeter. The China Chopper web shell also provides the persistent ability to navigate throughout the victim’s network once inside the perimeter. Leveraging the “KeeThief” utility allows access to sensitive user password credentials and potentially the ability to pivot to user accounts outside of the victim’s network. An additional 7 files contain malicious Hypertext Preprocessor (PHP) code designed to function as malicious web shells, which were identified as the ChunkyTuna and Tiny web shells. The purpose of these web shells is to accept commands and data from a remote operator, providing the operator C2 capabilities over a compromised system. For a downloadable copy of IOCs, see MAR-10297887-1.v1.stix.
Submitted Files (18)

Additional Files (1)

10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334 (KeeTheft.dll)

Findings

40d54609acb3f1024ea91b79ca12ecf855e24ebb46d48db86a7bf34edb91b2db

Details
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a small JavaScript file, which contains the following code:

—Begin JavaScript Code—

Analysis indicates this file is part of a larger application, which contains the ability to communicate with a remote server. An HTTP request will be sent to and a response received from the remote server. The data received from the server will be written to a file on disk. The output file name and remote server name are received as arguments to the script. It is believed this script is a component of the China Chopper web shell framework.

553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f

Tags

trojan webshell

Details
Antivirus
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a small JavaScript file, which contains the following code:

—Begin JavaScript Code—

Analysis indicates this file might serve as part of a larger application. The code within the file decodes and executes data using the JavaScript “eval” function. The data is obtained via the JavaScript “Request” function, indicating the data is pulled from a remote server using the HTTP protocol. It is believed this script is a component of the China Chopper web shell framework.

134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13

Tags

trojan webshell

Details
Antivirus
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a small JavaScript file, which contains the following embedded code:

—Begin Embedded JavaScript—

This script is designed to pull JavaScript from an existing “Request Object”, Base64 decode it, and execute it. The contents of the retrieved JavaScript code were not available for analysis. It is believed this web shell is a component of the China Chopper web shell framework.

17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c

Details
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

[…]
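The findings above describe the same mechanism for each China Chopper ASPX component: data is pulled from the ASP “Request” object, optionally Base64-decoded, and handed to “eval”. The following Python scanner is an added example, not part of the MAR or its samples; it scores server-side page source for that request-to-eval flow. The indicator regexes, weights and threshold are my own heuristics, and the three sample files are constructed here, with ui-bg.aspx standing in for the structure the report describes rather than reproducing the analyzed file.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators for the behaviour the report attributes to the China Chopper ASPX
# components: Request data, optionally Base64-decoded, passed to eval(). Names/weights are my own.
INDICATORS = {
    "request_to_eval": re.compile(r"\beval\s*\(.*\bRequest\b", re.IGNORECASE | re.DOTALL),
    "base64_decode": re.compile(r"FromBase64String|base64_decode", re.IGNORECASE),
    "dynamic_execute": re.compile(r"\b(eval|execute|assert)\s*\(", re.IGNORECASE),
}
WEIGHTS = {"request_to_eval": 3, "base64_decode": 1, "dynamic_execute": 1}

@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    score: int = 0

def scan_source(path: str, source: str) -> Finding:
    """Score one server-side page; request data flowing into eval() dominates the score."""
    finding = Finding(path)
    for name, pattern in INDICATORS.items():
        if pattern.search(source):
            finding.indicators.append(name)
    finding.score = sum(WEIGHTS[n] for n in finding.indicators)
    return finding

def is_suspicious(finding: Finding, threshold: int = 3) -> bool:
    return finding.score >= threshold

def scan_all(files: dict) -> list:
    """Return the paths that cross the threshold, highest score first."""
    hits = [scan_source(p, s) for p, s in files.items()]
    return [f.path for f in sorted(hits, key=lambda f: -f.score) if is_suspicious(f)]

# Constructed sample files (not from the report) exercising the three outcomes.
SAMPLES = {
    # Request data -> Base64 decode -> eval, the structure the report describes
    "ui-bg.aspx": ('<%@ Page Language="Jscript" %><% eval(System.Text.Encoding.UTF8.GetString('
                   'System.Convert.FromBase64String(Request.Item["PLACEHOLDER"]))); %>'),
    # Benign: reads Request but only echoes it HTML-encoded, never evaluates it
    "index.aspx": ('<%@ Page Language="C#" %><% Response.Write(Server.HtmlEncode('
                   'Request.QueryString["name"])); %>'),
    # eval without any Request involvement: weak signal only, stays below threshold
    "util.js": 'var cfg = eval("(" + fs.readFileSync("cfg.json", "utf8") + ")");',
}

if __name__ == "__main__":
    print("suspicious:", scan_all(SAMPLES))
```

In practice the scanner would be pointed at the web root of an exposed Pulse Secure, Citrix or F5-fronted application server; a hit on request_to_eval alone is worth a manual review regardless of the other indicators.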