June 21, 2018
3 min. read

New Campaign Targeting Apache Struts 2, WebLogic Deploys Malware Using VBScript

By Liron Segal

F5 threat researchers recently noticed a new campaign that targets Apache Struts 2 (CVE-2017-5638) [1] and Oracle WebLogic (CVE-2017-10271) [2] servers. It also appears to be the first Struts campaign to use a VBScript payload to deliver malware to the exploited server.

Apache Struts, WebLogic, and Executables

On May 27, we started seeing malicious requests targeting vulnerable Apache Struts 2 servers with a previously unseen payload. The threat actor was attempting to download and install a Windows executable file on vulnerable Apache Struts 2 servers that use the Jakarta Multipart Parser.


Figure 1: Apache Struts 2 campaign attempting to download and execute Windows executable


Around the same timeframe, the same threat actor added the Oracle WebLogic WLS-WSAT RCE exploit while trying to download the same Windows executable file to vulnerable machines.


Figure 2: Weblogic WLS-WSAT campaign attempting to download and execute the same Windows executable file


The attempt to download the same file through both exploits immediately told us that a single attacker was using different exploits in one operation. Unfortunately, the files were no longer available from the original server, and we found no copies in other malware repositories, so they could not be analyzed.

Investigating the IP addresses generating the campaign requests revealed a range of server software (Apache Tomcat, MySQL, FTP and NTP services), which suggests these machines were not bots but were owned, or compromised, by the threat actor. Most of the servers ran software versions with publicly known exploits, which further strengthens this assumption.

The unavailable malware files, combined with the fact that the requests came from non-bot machines, suggest that the operation is still under development and that a full botnet infrastructure has not yet been deployed.

Spearhead VBScript

While VBScript is commonly used by attackers to lure victims into opening malicious Microsoft Word documents, it is rarely used by attackers who exploit code execution vulnerabilities in web servers to download malware. Those attackers usually prefer PowerShell or other Windows built-in command-line tools such as bitsadmin and, for more creative attackers, regsvr32 and certutil, which we described in a previous blog. Here, once the Struts 2 vulnerability is triggered, the malicious Java payload (an OGNL expression, in the case of CVE-2017-5638) constructs the VBScript on the fly: it creates an empty file in the temp directory, appends the VBScript code line by line, and then runs the script. From a defender's point of view, the application server process writing a .vbs file to a temp directory and then launching it is itself a strong host-side signal, independent of which exploit was used to get there.
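The two request shapes described above (an OGNL expression smuggled in the Content-Type header for CVE-2017-5638, and an XMLDecoder payload posted to the WLS-WSAT endpoint for CVE-2017-10271) and the host-side VBScript drop are simple to flag in logs. The following is an added detection example written for this page, not code from F5 or from the campaign. All events are constructed samples; the two exploit indicators are the publicly documented shapes of those vulnerabilities, while the host rule assumes the dropped .vbs is launched through wscript.exe or cscript.exe with the application server's java.exe as parent, which the post does not state explicitly.

```python
import re

# Constructed sample events (not from the F5 post). HTTP events carry the
# fields an access log with header capture would supply; process events
# mirror a Sysmon/EDR process-creation record.
SAMPLE_EVENTS = [
    # 1. Struts 2 / CVE-2017-5638: OGNL expression in the Content-Type header
    #    of a multipart upload. Shortened to the recognisable prefix only.
    {"type": "http", "method": "POST", "path": "/app/index.action",
     "content_type": "%{(#_='multipart/form-data')."
                     "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='...')}",
     "body": ""},
    # 2. WebLogic WLS-WSAT / CVE-2017-10271: XMLDecoder gadget inside a SOAP
    #    WorkContext header posted to the unauthenticated WLS-WSAT endpoint.
    {"type": "http", "method": "POST", "path": "/wls-wsat/CoordinatorPortType",
     "content_type": "text/xml",
     "body": '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
             '<java version="1.8" class="java.beans.XMLDecoder">'
             '<object class="java.lang.ProcessBuilder">...</object>'
             '</java></work:WorkContext></soapenv:Header></soapenv:Envelope>'},
    # 3. Benign multipart upload for comparison.
    {"type": "http", "method": "POST", "path": "/app/upload.action",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
     "body": ""},
    # 4. Host side (assumed launch method): the app server's java.exe spawning
    #    a script host on a freshly written .vbs in the temp directory.
    {"type": "process",
     "parent_image": r"C:\Program Files\Java\jre1.8.0_171\bin\java.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Windows\Temp\1527414563.vbs"},
    # 5. Benign: an interactive user running a script from a normal parent.
    {"type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
]

# A legitimate Content-Type never begins with "%{" or names OGNL internals.
STRUTS_OGNL_CT = re.compile(r"^\s*%\{|#_memberAccess|@ognl\.OgnlContext@", re.I)
# CVE-2017-10271 is reached through the WLS-WSAT web service and relies on
# java.beans.XMLDecoder deserialising attacker-supplied XML.
WLS_WSAT_PATH = re.compile(r"^/wls-wsat/", re.I)
XMLDECODER = re.compile(r"""class=["']java\.beans\.XMLDecoder["']""", re.I)
# Host rule: script host, launched by java.exe, on a .vbs under a temp path.
SCRIPT_HOST = re.compile(r"\\(?:w|c)script\.exe$", re.I)
JAVA_PARENT = re.compile(r"\\java\.exe$", re.I)
TEMP_VBS = re.compile(r'(?:\\temp\\|%temp%)[^\s"]*\.vbs\b', re.I)


def check_http(ev):
    """Return a verdict string for a suspicious HTTP event, else None."""
    if STRUTS_OGNL_CT.search(ev.get("content_type", "")):
        return "CVE-2017-5638: OGNL expression in Content-Type header"
    if WLS_WSAT_PATH.search(ev.get("path", "")) and XMLDECODER.search(ev.get("body", "")):
        return "CVE-2017-10271: XMLDecoder payload posted to WLS-WSAT"
    return None


def check_process(ev):
    """Return a verdict for the VBScript-drop pattern, else None."""
    if (SCRIPT_HOST.search(ev.get("image", ""))
            and JAVA_PARENT.search(ev.get("parent_image", ""))
            and TEMP_VBS.search(ev.get("command_line", ""))):
        return "java.exe launched a script host on a .vbs file in a temp directory"
    return None


def scan(events):
    """Run the matching check on each event; return (index, verdict) pairs."""
    alerts = []
    for idx, ev in enumerate(events):
        verdict = check_http(ev) if ev["type"] == "http" else check_process(ev)
        if verdict:
            alerts.append((idx, verdict))
    return alerts


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}")
```

The Content-Type rule is deliberately narrow: matching on `multipart/form-data` alone would flag every file upload, whereas a header that starts with `%{` or references `#_memberAccess` has no benign use. The host rule pairs the interpreter with its parent, because script hosts launched by explorer.exe or a scheduler are routine while one spawned by the application server is not.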


Figure 3: Attack payload that creates the VBScript file and runs the script


Multi-Exploit Campaigns Trend

Recently, the Muhstik botnet [3] was found to target Drupal, WordPress, Oracle WebLogic, IIS WebDAV, the ClipBucket streaming server, and GPON routers. The Operation Prowli campaign [4] actively targets Joomla K2, WordPress, HP Data Protector, and a variety of DSL modems. With the steady supply of new exploits and the competition for victims' resources that followed the crypto-currency mining boom, it is no wonder the multi-exploit trend remains popular. Because this scavenging for resources is continuous, we expect more multi-exploit operations to be unveiled in the coming months. Businesses need to be vigilant with vulnerability management, ensuring their Apache Struts and WebLogic servers are patched: CVE-2017-5638 was fixed in Struts 2.3.32 and 2.5.10.1, and CVE-2017-10271 in Oracle's October 2017 Critical Patch Update. Where patching is not possible, a web application firewall can be configured to block these attacks, for example by rejecting requests whose Content-Type header contains an OGNL expression and by blocking unauthenticated requests to the WLS-WSAT endpoints.

