What We Do
How We Do
Resources
Company
Partners
Get Started
Blog

WinSock File Transfer Protocol Vulnerability Exploited

BY eSentire Threat Response Unit (TRU)

October 31, 2023 | 6 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

We recently detected active exploitation attempts targeting the WinSock File Transfer Protocol (WS_FTP) vulnerability, identified as CVE-2023-40044. These observed attacks resulted in the attempted deployment of the Metasploit payload Meterpreter and the adversary simulation tool Cobalt Strike.

CVE-2023-40044 (CVSS: 10) is classified as a WS_FTP .NET Deserialization vulnerability within the Ad Hoc Transfer Module. Exploiting this vulnerability could allow an unauthorized threat actor to achieve remote command execution on the underlying operating system of the WS_FTP Server. The vulnerability was publicly disclosed, along with security patches, on September 27th, 2023. We first observed exploitation attempts beginning on September 30th.

As exploitation is currently ongoing, it is of utmost importance that organizations promptly apply the relevant security patches.

During the investigation, our Incident Handling team identified the initial command executed by the threat actor(s) under the w3wp.exe process:

The command is similar to the one used as an example of arbitrary command execution through deserialization in the proof of concept from Assetnote.

In some instances, the threat actor(s) additionally ran the following commands:

We were not able to retrieve the executables at the time of analysis from the C2s. However, we found a similar binary on VirusTotal (MD5: 5bf7426379fe5eb5d0cd2ed13aa9a101). The binary is a Metasploit payload.

The payload iterates through the loaded modules listed in the Windows Process Environment Block (PEB), specifically the 'InMemoryOrderModuleList.' This list comprises all the dynamically linked libraries (DLLs) loaded by the current process.

The payload further enhances its obfuscation by converting the module names from lowercase to uppercase and subsequently incorporating each character into a hash computation using the ROR13 (Rotate Right by 13 bits) hashing algorithm.

It's important to note that the utilization of the ROR13 hashing algorithm for APIs and DLL names is a common obfuscation technique observed in both Cobalt Strike and Metasploit payloads. The binary eventually establishes a connection to the C2 server 103.163.187[.]12 over port 49900.

Figure 1: ROR13 hashing algorithm

On one of the affected machines, the threat actor(s) executed a PowerShell one-liner command, which was base64-encoded. Upon decoding this command, it becomes evident that it performs the decoding and execution of a block of XOR-encoded shellcode, based on Metasploit (MD5: 11939b0f83537612cab531630a981da7).

This shellcode is stored in the variable `$var_code`. The execution takes place by allocating memory, copying the shellcode into that allocated memory space, and then invoking it.

In Figure 2, we observe the presence of the C2 server at 95.214.24[.]238, along with the User-Agent (Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07)) used for communications. Further investigation reveals that this C2 server also functions as a Cobalt Strike server, hosting the Cobalt Strike payload (MD5: 9c313be764ad631490a8029e5a411523). For additional details, please refer to the Indicators of Compromise section for the Cobalt Strike configuration.

Moreover, upon pivoting through the C2 server, we discovered that this server previously operated as the C2 server for the Redline Stealer back in May 2023.

Figure 2: Base64-encoded PowerShell command that decodes to Metasploit-based shellcode

Another PowerShell one-liner command was observed executing on the host (Figure 3). Here's a breakdown of what the script does:

Figure 3: Meterpreter payload

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

Indicators of Compromise

Cobalt Strike Configuration:

{
  "BeaconType": [
    "HTTP"
  ],
  "Port": 4445,
  "SleepTime": 60000,
  "MaxGetSize": 1048576,
  "Jitter": 0,
  "C2Server": "95.214.24[.]238,/dpixel",
  "HttpPostUri": "/submit.php",
  "Malleable_C2_Instructions": [],
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 987654321,
  "bStageCleanup": "False",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0,
  "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": [
    "CreateThread",
    "SetThreadContext",
    "CreateRemoteThread",
    "RtlCreateUserThread"
  ],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}

Note

Indicators

C2

103.163.187[.]12:8080

C2

176.105.255[.]46:8080

C2

103.163.187[.]12:49900

C2 / Exploit Source

95.214.24[.]238

C2 / Exploit Source

176.105.255[.]46

C2

86.48.3[.]172

C2 / Exploit Source

188.126.94[.]108

C2

141.255.168[.]250

C2

2adc9m0bc70noboyvgt357r5gwmnady2[.]oastify[.]com

Metasploit

5bf7426379fe5eb5d0cd2ed13aa9a101

Metasploit

11939b0f83537612cab531630a981da7

Cobalt Strike payload

9c313be764ad631490a8029e5a411523

References

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire