How it works
The threat actors uploaded a WAR archive containing a WebShell and various payloads into the webroot of the SysAid Tomcat web service by exploiting CVE-2023-47246, a path traversal vulnerability in SysAid. The vulnerability is located in the doPost method of the SysAid com.ilient.server.UserEntry class. Exploiting it involves manipulating the accountID parameter to introduce a path traversal, which lets the attacker choose where on the vulnerable server the WebShell is written. The attack is executed by delivering a POST request whose body is a compressed (zipped) WAR file containing the WebShell. The threat actor then accesses the WebShell, enabling them to interact with the compromised system.
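As an added defender-side example (not code from the SysAid advisory), the following Python scans Tomcat access-log lines for the two observable stages of the attack described above: a POST to the UserEntry servlet whose accountID parameter carries a (possibly double-encoded) traversal sequence, and a JSP being served from the usersfiles upload directory. The /userentry URL mapping for com.ilient.server.UserEntry and the common log format are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample Tomcat access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2023:10:01:12 +0000] "POST /userentry?accountID=..%2F..%2F..%2Fwebapps%2Fusersfiles HTTP/1.1" 200 512
198.51.100.9 - - [07/Nov/2023:10:02:40 +0000] "POST /userentry?accountID=acme HTTP/1.1" 200 734
203.0.113.5 - - [07/Nov/2023:10:03:01 +0000] "GET /usersfiles/shell.jsp?cmd=whoami HTTP/1.1" 200 88
192.0.2.7 - - [07/Nov/2023:10:04:15 +0000] "POST /userentry?accountID=%252e%252e%255c%252e%252e%255cwebapps HTTP/1.1" 500 0
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TRAVERSAL = re.compile(r'\.\.[/\\]')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (client, reason, target) if the line matches an exploitation pattern, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, _ts, method, target, _status = m.groups()
    parts = urlsplit(target)
    path = parts.path.lower()
    # Rule 1: POST to the UserEntry servlet whose accountID carries a traversal sequence.
    # The /userentry mapping for com.ilient.server.UserEntry is an assumption.
    if method == "POST" and path.endswith("/userentry"):
        for acct in parse_qs(parts.query).get("accountID", []):
            if TRAVERSAL.search(fully_decode(acct)):
                return (client, "path traversal in accountID", target)
    # Rule 2: a JSP served from the usersfiles upload directory is not expected in normal use.
    if path.startswith("/usersfiles/") and path.endswith(".jsp"):
        return (client, "JSP executed from usersfiles directory", target)
    return None

def detect(log_text):
    """Run inspect_line over every line and keep the hits, in log order."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, reason, target in detect(SAMPLE_LOG):
        print(f"{client}: {reason}: {target}")
```

Running it against a real access log will also surface the benign POSTs that follow the traversal POST; correlating the two rules by client address is what separates a scan from a successful upload.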
PowerShell used to execute GraceWire
The threat actor leveraged unauthorized access to deploy a PowerShell script to execute the GraceWire loader on the victim’s machine.
The PowerShell script (pictured below) enumerates all the files in the `C:\Program Files\SysAidServer\tomcat\webapps\usersfiles` directory and then checks for antivirus or anti-malware processes whose names begin with "Sophos". If the script detects such security software running on the victim's system, it exits to avoid detection.
If the script doesn’t detect antivirus or anti-malware software, then it executes the GraceWire loader (user.exe) on the victim’s machine.
Figure 2: The PowerShell script used to launch the GraceWire loader (user.exe)
GraceWire Loader Analysis
The GraceWire loader follows a sequence of steps. First, it checks for the existence of a file named <filename>.bin, which contains an encrypted payload. If this file is present in the current directory, the loader reads its contents with the ReadFile() function into allocated memory. It then decrypts the data and calculates checksums. If the checksum is verified as correct, the loader executes the decrypted bin payload, which is designed to deploy the GraceWire trojan. Additionally, the loader injects the GraceWire Trojan into various processes, including:
When examining the code, we also discovered debug print statements showcasing the control flow of the GraceWire loader.
Figure 3: A screenshot of debug print statements showcasing the control flow of the GraceWire loader
Getting rid of evidence
Threat actors employ another PowerShell script to systematically eliminate traces and evidence linked to their malicious activities once they have infiltrated the victim’s system. This post-exploitation tactic is aimed at erasing digital footprints and minimizing the likelihood of detection by removing indicators of compromise (IoCs).
Possible other exploits
Microsoft posted a tweet highlighting the exploitation of this vulnerability in CL0P ransomware attacks and strongly recommends applying system updates.
In addition, SysAid found supporting evidence indicating use of the following PowerShell command to download and execute CobaltStrike.
Figure 4: PowerShell command to download and execute CobaltStrike