InfoSec Handlers Diary Blog – SANS Internet Storm Center
When you're hunting, sometimes you feel lucky because you spotted something that looks brand new, but sometimes it's not new or... the code has been modified to bypass existing detections. Here is a perfect example. A few months ago, Juniper discovered[1] a backdoor targeting VMware ESXi servers, more precisely the OpenSLP service (CVE-2019-5544 and CVE-2020-3992).

If the backdoor isn't new, I found new versions of it that implement more obfuscation techniques, reducing the chances of being caught by antivirus tools and filters. The scripts, found on VT, have the following filename format: "esxi_ransomware_xxxxxxxx.py". It seems that the attacker tested different obfuscation techniques. Sometimes, just having a look at the source code with a graphical overview is interesting:

Many text editors offer this kind of view. In the picture above, you can see patterns, with the only interesting lines at the end.

The backdoor has been obfuscated with many functions that look complex, but most of them do... nothing! Example:
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        if opaque_fct_6_guXM09JTqW(1170448432, 34836967901, 30592200701, 23499594842, 7931033327):
            if opaque_fct_7_2givpU14Oj(12913767465, 29715926998, 28391806664, 34224856236, 27002350942, 38119355106, 17984667519, 33397958160, 34307567544, 3134198737, 6433478414, 1333569498, 30190306077, 31065906546):
                opaque_fct_3_HlBjJpTAMd(4559404501, 19631615206, 15232647523, 38155060881, 25231599065, 27560986774, 28564255047, 23742277226, 37444581463, 34726589553)
            elif opaque_fct_3_Jvb1H08Kzj(1744861910, 8785099158, 15933986777):opaque_fct_6_78lRkhN51d(13973672458, 29300903469, 6016412088, 32808894927, 2647492267, 10754001214, 28891585111, 32994113503, 19424804608)
            else:
                type = cgi.FieldStorage(fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD': 'POST'})
        else:
            opaque_fct_7_ueGht7ZaDw(34708030056, 3642393576, 19762095891, 22250089401, 11960747056)
The first if() condition will always be TRUE:
def opaque_fct_6_guXM09JTqW(opaque_fct_6_guXM09JTqW_0, opaque_fct_6_guXM09JTqW_1, opaque_fct_6_guXM09JTqW_2, opaque_fct_6_guXM09JTqW_3, opaque_fct_6_guXM09JTqW_4):
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_4 <= opaque_fct_6_guXM09JTqW_1):
        return True
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_0):
        return False
    if (opaque_fct_6_guXM09JTqW_3 >= opaque_fct_6_guXM09JTqW_1):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_4):
        return False
    if (opaque_fct_6_guXM09JTqW_0 >= opaque_fct_6_guXM09JTqW_1):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_4):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_0):
        return False
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_0 <= opaque_fct_6_guXM09JTqW_1):
        return True
    if (opaque_fct_6_guXM09JTqW_0 >= opaque_fct_6_guXM09JTqW_1):
        return False
Indeed, if you check the parameters, '34836967901' will always be greater than '1170448432', so the very first comparison returns True and nothing else in the function is ever reached. Other calls are useless (like the first call to opaque_fct_3_HlBjJpTAMd()).

If you remove all the junk code, the backdoor has exactly the same behavior as the one explained in the Juniper blog post.
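Checking each of these opaque predicates by hand quickly becomes tedious when a sample contains dozens of them. The script below is an added example (not part of the original diary or the Juniper write-up) of how an analyst can automate the step described above: it parses the Python source with the standard `ast` module, recognises functions whose body is nothing but `if (param cmp param): return <bool>` chains, evaluates each `if` that calls such a function with constant arguments, and reports which branch is always taken. The sample source embedded in the script is constructed for the demo: it contains the first four rules of the `opaque_fct_6_guXM09JTqW()` function quoted above, called with the same constants, plus a made-up predicate named `opaque_fct_demo_never()` that is always False. The names `handler()`, `do_real_work()` and `junk()` are placeholders.

```python
import ast
import operator

# Comparison operators an opaque predicate body is allowed to use.
_CMP = {
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
}


def _as_rule(stmt, params):
    """Return (left, op, right, result) if `stmt` is `if (p cmp q): return <bool>`, else None."""
    if not (isinstance(stmt, ast.If) and not stmt.orelse and len(stmt.body) == 1):
        return None
    test, ret = stmt.test, stmt.body[0]
    if not (isinstance(ret, ast.Return) and isinstance(ret.value, ast.Constant)
            and isinstance(ret.value.value, bool)):
        return None
    if not (isinstance(test, ast.Compare) and len(test.ops) == 1
            and type(test.ops[0]) in _CMP
            and isinstance(test.left, ast.Name) and isinstance(test.comparators[0], ast.Name)
            and test.left.id in params and test.comparators[0].id in params):
        return None
    return test.left.id, _CMP[type(test.ops[0])], test.comparators[0].id, ret.value.value


def predicate_table(tree):
    """Map function name -> (params, rules) for every function made only of such rules."""
    table = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            params = [a.arg for a in node.args.args]
            rules = [_as_rule(s, params) for s in node.body]
            if rules and all(r is not None for r in rules):
                table[node.name] = (params, rules)
    return table


def evaluate_predicate(params, rules, args):
    """Run the rule chain with concrete arguments; None means the function falls off the end."""
    env = dict(zip(params, args))
    for left, op, right, result in rules:
        if op(env[left], env[right]):
            return result
    return None


def resolve_opaque_calls(source):
    """Return {line_number: (function_name, branch_taken)} for each `if <opaque call>(consts)`."""
    tree = ast.parse(source)
    table = predicate_table(tree)
    resolved = {}
    for node in ast.walk(tree):
        if not isinstance(node, ast.If):
            continue
        call = node.test
        if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
                and call.func.id in table
                and all(isinstance(a, ast.Constant) for a in call.args)):
            continue
        params, rules = table[call.func.id]
        if len(call.args) != len(params):
            continue
        verdict = evaluate_predicate(params, rules, [a.value for a in call.args])
        resolved[node.lineno] = (call.func.id, bool(verdict))  # `if None:` is never taken
    return resolved


def rewrite_opaque_branches(source):
    """Replace each resolvable opaque test with its constant so dead branches become obvious."""
    tree = ast.parse(source)
    verdicts = resolve_opaque_calls(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.If) and node.lineno in verdicts:
            node.test = ast.copy_location(ast.Constant(value=verdicts[node.lineno][1]), node.test)
    return ast.unparse(tree)


# Constructed sample: the first four rules of the function quoted in the diary,
# plus a made-up predicate that always returns False for the constants used.
SAMPLE = '''
def opaque_fct_6_guXM09JTqW(opaque_fct_6_guXM09JTqW_0, opaque_fct_6_guXM09JTqW_1, opaque_fct_6_guXM09JTqW_2, opaque_fct_6_guXM09JTqW_3, opaque_fct_6_guXM09JTqW_4):
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_4 <= opaque_fct_6_guXM09JTqW_1):
        return True
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_0):
        return False
    if (opaque_fct_6_guXM09JTqW_3 >= opaque_fct_6_guXM09JTqW_1):
        return False

def opaque_fct_demo_never(a, b, c):
    if (a >= b):
        return True
    if (c > a):
        return False

def handler():
    if opaque_fct_6_guXM09JTqW(1170448432, 34836967901, 30592200701, 23499594842, 7931033327):
        do_real_work()
    if opaque_fct_demo_never(5, 9, 7):
        junk()
'''

if __name__ == "__main__":
    for line, (name, taken) in sorted(resolve_opaque_calls(SAMPLE).items()):
        print(f"line {line}: {name}(...) is always {taken}")
    print(rewrite_opaque_branches(SAMPLE))
```

Running it reports that the `opaque_fct_6_guXM09JTqW()` branch is always taken and the `opaque_fct_demo_never()` branch never is, and prints the source with those tests replaced by `True` and `False`. The recogniser is deliberately narrow (only parameter-to-parameter comparisons returning a boolean literal), which keeps it from "simplifying" a function that actually does something; `ast.unparse()` requires Python 3.9 or later.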
[1] https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant