How it works

The threat actors uploaded a WAR archive containing a WebShell and various payloads into the webroot of the SysAid Tomcat web service by exploiting CVE-2023-47246, a path traversal vulnerability in SysAid. The vulnerability is located in the doPost method of the com.ilient.server.UserEntry class. The accountID parameter feeds into the path the uploaded file is written to, so manipulating it with a path traversal sequence lets the attacker choose where on the vulnerable server the WebShell is written. The attack is executed by delivering a POST request whose body is the WAR archive (a zip file) containing the WebShell. The threat actor then accesses the WebShell and uses it to interact with the compromised system.

PowerShell used to execute GraceWire

The threat actor leveraged this unauthorized access to deploy a PowerShell script that launches the GraceWire loader on the victim’s machine.

The PowerShell script (pictured below) enumerates the files in the C:\Program Files\SysAid\Server\tomcat\webapps\usersfiles directory and then checks for antivirus or anti-malware processes whose name begins with “Sophos”. If it finds such a process, the script exits to avoid detection. If no antivirus or anti-malware software is detected, the script executes the GraceWire loader (user.exe) on the victim’s machine.

Figure 2: The PowerShell script used to launch the GraceWire loader (user.exe)

GraceWire Loader Analysis

The GraceWire loader follows a sequence of steps. First, it checks for the existence of a file named <filename>.bin, which contains an encrypted payload. If this file is present in the current directory, the loader reads its contents with ReadFile() into allocated memory. It then decrypts the data and computes checksums over it. If the checksum verifies, the loader executes the decrypted bin payload, which deploys the GraceWire trojan. The loader also injects the GraceWire trojan into various processes, including:

spoolsv.exe
msiexec.exe
svchost.exe

When examining the code, we also discovered debug print statements showing the control flow of the GraceWire loader.

Figure 3: A screenshot of debug print statements showing the control flow of the GraceWire loader

Getting rid of evidence

Once they have infiltrated the victim’s system, the threat actors run another PowerShell script to systematically remove traces and evidence of their activity. This post-exploitation step erases their digital footprint and lowers the likelihood of detection by removing indicators of compromise (IoCs).

Possible other exploits

In addition, SysAid found supporting evidence indicating that the following PowerShell command was used to download and execute Cobalt Strike.

Figure 4: PowerShell command to download and execute Cobalt Strike

Microsoft posted a tweet highlighting the exploitation of this vulnerability in CL0P ransomware attacks and strongly recommends applying the update.