A new variant of this tool, previously reported in 2013 by TrendLabs, was submitted to VirusTotal from the Philippines on March 27^th, 2017. Its original filename, 2017.exe, was prescient since it has the ability to exploit CVE-2017-5638 and other previous Apache STRUTS vulnerabilities.

Table 1 Tool Details

The application decompiles cleanly with a tool like ILSpy and contains no real surprises. When the C# app is executed it runs a GUI, presenting the user with a static header (vulnerability selection and execution portion) and footer (log output box). The middle section comprises four tabs, shown in Figure 1 below.

Figure 1 Tool Overview

The first tab provides an overview of the vulnerabilities it is configured to exploit, along with handy links to documentation for each one. To use the application, you enter the URL you’d like to target and then select the exploit in a dropdown box. Then you select an HTTP Method and hit the button underneath it. If successful, the information from the targeted application will show up in the log and replace the contents of this first window.

Figure 2 Query Vulnerable Server

The second tab includes a dropdown menu of canned commands to run on the target machine, Windows and Linux shell commands are supported. Alternatively, you may select to run a batched cmd.txt from the same local directory to run on the remote target.

Figure 3 Preconfigured Queries

Figure 4 Executed Command Output

This behavior is detectable via RSA NetWitness® Endpoint and Packets. The HTML.lua parser for Packets contains code that enables finding this behavior in either the GET or POST HTTP Methods.

Figure 5 IOC Metadata

When seeing this alert, you can pivot into RSA NetWitness Endpoint, searching in Tracking Data to determine if the Apache Tomcat process executed the requested command. If so, the server is vulnerable and should be handled according to your Incident Response plan as the actors likely ran additional commands. This can be verified by hitting ctl-f and searching within NetWitness Endpoint for ‘Tomcat’ to filter on those events. The Event “Create Process” is where you’ll find the attackers command history.

Figure 6 RSA NetWitness Endpoint Event

You may also follow-up in Packets. The HTTP response will not be HTML, rather it will be raw output from the command that was run.

Figure 7 NetWitness Packets Command Execution

The third tab (Figure 8) is a webshell installer function. By default it is configured to install the JSP version of China Chopper with the default password ‘chopper’. This can be controlled with a customized version of caidao.exe or cknife. Alternatively, you can paste in your own JSP code and choose the webshell of your liking. This simple webshell is a perfect fit as the application errors on larger, fuller function webshells. Figure 9 displays the remote command execution and output. This is more of a half shell and won’t allow interactive applications such as powershell or mimikatz to properly execute.

Figure 8 Webshell Installation

Figure 9 Simple Webshell Output

The final tab (Figure 10) allows you to add a list of URL’s manually, or via a text file, in order to perform bulk scans. Anyone searching for vulnerable applications can use google dorking to find and scrape vulnerable URL’s and then bulk scan using this tool.

Figure 10 Bulk Scanning Utility

This simple tool, an evolution of a previously released tool, keeps pace with recently released vulnerabilities. When only using signature-based tools to detect and defend your network, you can easily fall prey to zero-day exploits, such as CVE-2017-5638. With comprehensive network and endpoint forensics tools that deliver data in near-real time, such as the RSA NetWitness Suite, defenders can proactively search for this behavior and find new techniques. RSA recommends proactive security; hunting versus fishing.