F5 threat researchers recently noticed a new campaign that targets Apache Struts 2 (CVE-2017-5638)1 and WebLogic (CVE-2017-10271) servers.2 This also appears to be the first Struts campaign to use a VBScript payload to deliver malware to the exploited server.
Apache Struts, WebLogic, and Executables
On May 27, we started seeing malicious requests targeting vulnerable Apache Struts 2 servers with a previously unseen payload. The threat actor was attempting to download and install a Windows executable file on vulnerable Apache Struts 2 servers that use the Jakarta Multipart Parser.
Figure 1: Apache Struts 2 campaign attempting to download and execute Windows executable
Around the same timeframe, the same threat actor added the Oracle WebLogic WLS-WSAT RCE exploit while trying to download the same Windows executable file to vulnerable machines.
Figure 2: Weblogic WLS-WSAT campaign attempting to download and execute the same Windows executable file
This attempt to download the same file immediately indicated to us that the same attacker was using different exploits in the operation. Unfortunately, these files weren’t available to download from the original server nor from other malware repositories, so they could not be analyzed.
Investigating the IP addresses generating the campaign requests revealed various server systems such as Apache Tomcat, MySQL, FTP, and NTP servers, which indicated these machines were not serving as bots but instead were probably machines owned or hacked by the threat actor. Most of the servers’ software versions had known exploits, which further strengthen this assumption.
Unavailable malware files combined with the fact that these were non-bot machines indicates the possibility that this operation is still under development and a full botnet infrastructure has not been deployed yet.
While VBScript is commonly used by attackers to lure victims into opening malicious Microsoft Word documents, it’s typically not used by attackers who target web servers via code execution vulnerabilities to download malware to machines. Those attackers usually prefer using PowerShell or other Windows built-in command line tools like bitsadmin and, for more creative attackers, regsvr32 and certutil, which we described in a previous blog. Once the Struts 2 vulnerability is triggered, malicious Java payload constructs the VBScript on the fly by creating an empty file in the “temp” directory and appending the VBScript code row by row.
Figure 3: Attack payload that creates the VBScript file and runs the script
Multi-Exploit Campaigns Trend
Recently, the Muhstik botnet3 was found to target Drupal, Wordpress, Oracle WebLogic, IIS WebDAV, ClipBucket streaming server, and GPON routers. The operation Prowli campaign4 actively targets Joomla K2, WordPress, HP Data Protector, and a variety of DSL modems. With the vast availability of new exploits and the competition for victims’ resources following the crypto-currency mining boom, it’s no wonder the multi-exploit trend is still popular. Because the resources scavenge continuously, we expect more multi-exploit operations to be unveiled in the upcoming months. Businesses need to be vigilant with vulnerability management, ensuring their Apache Struts and WebLogic servers are up to date with patches. If it’s not possible to patch these systems, a web application firewall can be configured to block these attacks.