Scans Attempting to use PowerShell to Download PHP Script

Published: 2018-05-06
Last Updated: 2018-05-07 01:08:59 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

A few days ago I started seeing in my honeypot traffic attempting to use PowerShell to download a php script as a test. The script might look like this.

Using Cyberchef, I decoder the base64 URL but the php script was no longer available.

Have you seen a similar query in your logs? We would be interested in getting a copy of the php script.You can use our contact page to submit a copy.

[1] https://isc.sans.edu/forums/diary/CyberChef+a+Must+Have+Tool+in+your+Tool+bag/22458/

[2] https://isc.sans.edu/forums/diary/WebLogic+Exploited+in+the+Wild+Again/23617/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: PHP PowerShell Scans
4 comment(s)

Comments

Guy,

Thanks for posting about this. However, there is so much information missing from your post. I've been seeing this attack coming from multiple IP addresses and took the deep dive. I've been compiling a thorough report about this attack, the payload, the malware, the infrastructure and this is no ordinary attack. The file DL.php is not what it looks like, in fact is another powershell script that contains a base64 compressed file that is extracted into memory, then another powershell script is downloaded/executed. There is a malicious exe that gets written to Windows/Temp called "lsass.eXe" and detectable by around 6 AV engines in virustotal. The other interesting thing about this attack is that more attacks originate from the victims themselves after successful compromise, this is a clear indication of botnet. I have been able to confirm multiple (100+) IP addresses have been compromised and the pattern of the attacks to follow begins with CVE-2017-7269 (IIS 6.0 exploit attempt) followed by Weblogic (CVE-2018-7600) if none are successful then a scan for several files like (config, setup.php, etc.) is performed. Not sure what type of honeypot you use, but pay attention and you should be able to see the pattern. The payload is the same on all attacks, but the attacking IP is different. The attacking IP addresses are from compromised machines, and the infrastructure is in China. To be able to obtain the malware, the request must match a format for the server to respond with it, otherwise you get a 404 error, and your IP is blacklisted. This is the type of intelligence I'm trying to produce for the community, and should be available soon at https://cyberintelsec.com. Want to team up? Hit me up!

***Correction*** removed druppalgeddon as this doesn't have anything to do with Drupal. Will be submitting a report very soon with all details.
Thanks for the additional information. A previous diary was written by Renato in April https://isc.sans.edu/forums/diary/WebLogic+Exploited+in+the+Wild+Again/23617/ that was exploiting different CVE than the 2 you have listed. Any IOCs you can provide would be greatly appreciated?
Guy!

I sent you an email with details regarding my findings. The file is called "CyberIntelSec Threat Analysis by krypt0byt3.pdf" You'll see this extend of this attack as it is definitely APT style. I had to omit a lot of information due to report becoming way too long. I have much more details on changes to the infected host (registry changes, actual event logs, the malware, etc.) and wouldn't mind working as a team.

Sincerely
krypt0byt3
Hey!

What are the chances of sharing your report with the rest of us?

I am interested to see more on this attack.

Thanks!

Diary Archives