Principal Security Engineer

Delivering Ransomware Via Apache Struts (CVE-2017-5638)

April 7, 2017 by Chuck McAuley

A few weeks ago, we discussed the new Apache Struts vulnerability and how it was exploited in the wild. Since then, these drive-by style attacks haven't let up, but the intent has changed. Initially, we saw scans fingerprinting vulnerable servers. Soon after, we started seeing attempts to drop Linux and Windows malware and crypto currency mining software. Recently, we've started seeing attempts to just drop Windows-based ransomware on these hosts. As I'm writing this, we've noticed other locations have seen similar attempts.

Rather than rehash the mechanisms that make the exploit work again, we will quickly examine the ransomware itself. First, let's look at what one of the requests looks like in our honeypot logs:


Let's clean that up a bit to make it more readable:


No real effort for obfuscation or subtlety with this attack. The tool BITSAdmin comes preinstalled on Windows and is described by Microsoft as "a command-line tool that you can use to create download or upload jobs and monitor their progress." BITSAdmin is used to download a copy of the binary labeled UnInstall.exe into the temporary directory as defined by the environment variable %TEMP%. That binary is then executed by chaining the previous command with the ampersand (& %TEMP%/UnInstall.exe).

Our Rapsheet engine not only marks the attacking location as malicious (the IP address that sent this malicious request), but it also then harvests the location serving the malicious content—in this instance, the website hosting UnInstall.exe. We take this binary and perform sandbox execution and analysis, as well as run it through a collection of A/V engines. If the URL returns HTML instead, we'll analyze it for phishing attempts. In this case, it was detected as a variant of the Cerber ransomware. Since we've been monitoring this URL, we've detected three changes in its SHA-256 hash. It appears that as antivirus engines detect the malware, a newer recompiled, repacked, and altered piece of ransomware replaces the same location.

To date, we've detected the following binaries hosted there:
4/5/2017: 89e5cd34fc349ba0791ee42fc68b84c69f8b579bcb2207b2925762e14b36048e

4/6/2017: 5952963708e4cf2e13c29ced6451a52284afb3f45a11ba4087c3c438dad2427d

4/7/2017: 4570fd53f92d28fefb8c8c437ed7cd85f52e643921afd197c332707a45c08326

Executing the binary seen on April 7th, we get ourselves the standard set of Cerber ransom notes and encrypted files. It's fun to see that Cerber still has the goofy smiley face captchas, nothing like taking your money with a smile.





Since we can identify both the drive-by attack and the location hosting Cerber, it gives us two chances to prevent ThreatARMOR customers from becoming infected with ransomware. We also leverage this intelligence to collect new malware for testing with the BreakingPoint platform, so you can verify your network-based antivirus is working accurately and is up to date. CVE-2017-5638 looks like it'll be around for quite a while.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.