InfoSec Handlers Diary Blog – SANS Internet Storm Center

2023-03-16 15:35:24

When you are hunting, sometimes you feel lucky because you spotted something that looks brand new, but sometimes it is not new or... the code has been modified to bypass existing detections. Here is a perfect example. A few months ago, Juniper discovered[1] a backdoor targeting VMware ESXi servers, more precisely the OpenSLP service (CVE-2019-5544 and CVE-2020-3992).

Even if the backdoor is not new, I found new versions of it that implement more obfuscation techniques to reduce the chances of being caught by antivirus tools and filters. The scripts, found on VT, have the following filename format: “esxi_ransomware_xxxxxxxx.py”. It seems that the attacker tested different obfuscation techniques. Sometimes, just looking at the source code with a graphical overview is interesting:

Many text editors offer this kind of view. In the picture above, you can see patterns, with only the interesting lines at the end.

The backdoor has been obfuscated with many functions that look complicated, but most of them do... nothing! Example:

# Excerpt from the backdoor's HTTP request handler: the opaque_fct_* calls
# wrap the only useful statement (reading the POSTed form) in junk conditions.
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
if opaque_fct_6_guXM09JTqW(1170448432, 34836967901, 30592200701, 23499594842, 7931033327):
    if opaque_fct_7_2givpU14Oj(12913767465, 29715926998, 28391806664, 34224856236, 27002350942, 38119355106, 17984667519, 33397958160, 34307567544, 3134198737, 6433478414, 1333569498, 30190306077, 31065906546):
        opaque_fct_3_HlBjJpTAMd(4559404501, 19631615206, 15232647523, 38155060881, 25231599065, 27560986774, 28564255047, 23742277226, 37444581463, 34726589553)
    elif opaque_fct_3_Jvb1H08Kzj(1744861910, 8785099158, 15933986777):
        opaque_fct_6_78lRkhN51d(13973672458, 29300903469, 6016412088, 32808894927, 2647492267, 10754001214, 28891585111, 32994113503, 19424804608)
    else:
        form = cgi.FieldStorage(fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD': 'POST'})
else:
    opaque_fct_7_ueGht7ZaDw(34708030056, 3642393576, 19762095891, 22250089401, 11960747056)

The first if() condition will always be TRUE:


def opaque_fct_6_guXM09JTqW(opaque_fct_6_guXM09JTqW_0, opaque_fct_6_guXM09JTqW_1, opaque_fct_6_guXM09JTqW_2, opaque_fct_6_guXM09JTqW_3, opaque_fct_6_guXM09JTqW_4):
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_4 <= opaque_fct_6_guXM09JTqW_1):
        return True
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_0):
        return False
    if (opaque_fct_6_guXM09JTqW_3 >= opaque_fct_6_guXM09JTqW_1):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_4):
        return False
    if (opaque_fct_6_guXM09JTqW_0 >= opaque_fct_6_guXM09JTqW_1):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_4):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_0):
        return False
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_0 <= opaque_fct_6_guXM09JTqW_1):
        return True
    if (opaque_fct_6_guXM09JTqW_0 >= opaque_fct_6_guXM09JTqW_1):
        return False

Indeed, if you check the parameters, ‘34836967901’ will always be greater than ‘1170448432’, so the first comparison returns True before any other branch is reached. Other calls are useless (like the first call to opaque_fct_3_HlBjJpTAMd()).


If you remove all the junk code, the backdoor has exactly the same behavior as the one explained in the Juniper blog post.
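One way to automate that cleanup, as an added example that is my own code and not part of the diary or of the malware: the script below parses a constructed sample written in the same style as the backdoor, interprets each opaque_fct_* predicate statically (only the "if compare: return constant" ladder, nothing is executed), folds calls with constant arguments into True/False, and turns bare do-nothing calls into `pass`. It assumes Python 3.9+ for ast.unparse.

```python
import ast, operator

# Constructed sample in the style of the obfuscated backdoor (not the real script).
SAMPLE = '''
def opaque_fct_6_abc(a0, a1, a2):
    if (a1 > a0):
        return True
    if (a2 <= a1):
        return False
def handler():
    if opaque_fct_6_abc(1170448432, 34836967901, 30592200701):
        opaque_fct_6_abc(1, 2, 3)
        return "real code"
'''
OPS = {ast.Gt: operator.gt, ast.Lt: operator.lt, ast.GtE: operator.ge, ast.LtE: operator.le}

def resolve_opaque(fn, args):
    # Interpret only the "if <x op y>: return <const>" ladder with concrete args; any other shape is None.
    env = dict(zip([a.arg for a in fn.args.args], args))
    val = lambda n: env.get(n.id) if isinstance(n, ast.Name) else getattr(n, "value", None)
    for s in fn.body:
        if not (isinstance(s, ast.If) and isinstance(s.test, ast.Compare)
                and len(s.test.ops) == 1 and type(s.test.ops[0]) in OPS
                and len(s.body) == 1 and isinstance(s.body[0], ast.Return)
                and isinstance(s.body[0].value, ast.Constant)):
            return None
        l, r = val(s.test.left), val(s.test.comparators[0])
        if l is None or r is None:
            return None
        if OPS[type(s.test.ops[0])](l, r):
            return bool(s.body[0].value.value)
    return None  # fell off the ladder: leave that call alone

class OpaqueFolder(ast.NodeTransformer):
    # Fold all-constant opaque calls to True/False; bare calls whose result is discarded become `pass`.
    def __init__(self, funcs): self.funcs = funcs
    def _const(self, n):
        if (isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id in self.funcs
                and all(isinstance(a, ast.Constant) for a in n.args) and not n.keywords):
            return resolve_opaque(self.funcs[n.func.id], [a.value for a in n.args])
        return None
    def visit_Expr(self, n):
        return ast.Pass() if self._const(n.value) is not None else self.generic_visit(n)
    def visit_Call(self, n):
        v = self._const(n)
        return ast.Constant(v) if v is not None else self.generic_visit(n)

def deobfuscate(src):
    tree = ast.parse(src)
    funcs = {d.name: d for d in tree.body if isinstance(d, ast.FunctionDef) and d.name.startswith("opaque_fct_")}
    return ast.unparse(ast.fix_missing_locations(OpaqueFolder(funcs).visit(tree)))
```

A follow-up pass that drops `if True:` / `else:` dead branches is left to the reader; the point here is resolving the predicates without ever running the sample.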

[1] https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers

Xavier Mertens (@xme)

Xameco

Senior ISC Handler – Freelance Cyber Security Consultant
