
Attackers Target HFS Servers with Malware and Crypto Miners – Active IOCs

Severity

High

Analysis Summary

Threat actors are actively targeting older versions of the HTTP File Server (HFS) from Rejetto to deploy malware and cryptocurrency mining software. Security researchers have identified that these attacks exploit CVE-2024-23692, a critical vulnerability that allows unauthenticated execution of arbitrary commands.

This vulnerability affects HFS versions up to and including 2.3m, which remain popular among individual users and small teams. Despite warnings from Rejetto about the dangers of using versions 2.3m through 2.4, a fix has not been implemented, leaving users vulnerable to these attacks. The CVE-2024-23692 vulnerability, a template injection flaw, was discovered by security researchers and publicly disclosed in May.

Exploitation began soon after, facilitated by the release of a Metasploit module and proof-of-concept exploits. Attackers leverage this vulnerability to gather system information, install backdoors, and deploy various types of malware. Commands such as "whoami" and "arp" are executed to collect data on the system and its users, aiding the attackers' planning of subsequent malicious actions.

In several observed cases, attackers terminated the HFS process after adding a new user to the administrators group, ensuring exclusive control over the compromised system. Researchers have documented the deployment of the XMRig tool for Monero cryptocurrency mining in multiple attacks, some of which are linked to the LemonDuck threat group. Other malware delivered includes XenoRAT for remote access, Gh0stRAT for data exfiltration, PlugX for persistent access, and GoThief for stealing information using Amazon AWS.

Researchers continue to detect ongoing attacks on HFS version 2.3m, emphasizing the need for users to upgrade to the latest version, 0.52.x, which offers improved security features such as HTTPS support and dynamic DNS. This information is crucial for users and organizations seeking to detect and mitigate the threats posed by these ongoing attacks.
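As an added defender-side example (not part of this advisory or of Rejetto's code), the following Python script flags the post-exploitation sequence described above in process-creation telemetry: recon commands spawned by the HFS process, an administrators-group addition, the HFS process being terminated afterwards, and an XMRig launch. The event fields, the image name hfs.exe and the sample events are constructed assumptions, not data from the advisory.

```python
"""Flag HFS post-exploitation behaviour in process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int        # event time, seconds (constructed field layout)
    parent: str    # parent image name, e.g. "hfs.exe" (assumed binary name)
    image: str     # spawned image name
    cmdline: str   # full command line


# Patterns for the tradecraft the advisory describes, written for detection.
RECON = re.compile(r"\b(whoami|arp)\b", re.I)
ADMIN_ADD = re.compile(r"\bnet1?\s+localgroup\s+administrators\b.*/add", re.I)
KILL_HFS = re.compile(r"\btaskkill\b.*\bhfs\.exe\b", re.I)
MINER = re.compile(r"xmrig", re.I)


def analyze(events):
    """Return (ts, tag, cmdline) findings sorted by time."""
    findings = []
    admin_add_seen = False
    # Commands run through the HFS flaw appear as children of the HFS process.
    for e in sorted(events, key=lambda e: e.ts):
        if e.parent.lower() != "hfs.exe":
            continue
        if RECON.search(e.cmdline):
            findings.append((e.ts, "recon-from-hfs", e.cmdline))
        if ADMIN_ADD.search(e.cmdline):
            admin_add_seen = True
            findings.append((e.ts, "admin-add-from-hfs", e.cmdline))
        # Killing HFS right after the admin add is the "exclusive control" step.
        if KILL_HFS.search(e.cmdline) and admin_add_seen:
            findings.append((e.ts, "hfs-killed-after-admin-add", e.cmdline))
    for e in events:  # miner launches are suspicious regardless of parent
        if MINER.search(e.image) or MINER.search(e.cmdline):
            findings.append((e.ts, "miner", e.cmdline))
    return sorted(findings)


SAMPLE_EVENTS = [  # constructed telemetry for demonstration only
    ProcEvent(100, "services.exe", "hfs.exe", "hfs.exe"),
    ProcEvent(101, "hfs.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(102, "hfs.exe", "cmd.exe", "cmd.exe /c arp -a"),
    ProcEvent(105, "hfs.exe", "cmd.exe",
              "cmd.exe /c net localgroup administrators newadmin /add"),
    ProcEvent(106, "hfs.exe", "cmd.exe", "cmd.exe /c taskkill /f /im hfs.exe"),
    ProcEvent(300, "explorer.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(301, "cmd.exe", "xmrig.exe", "xmrig.exe --config c.json"),
]

if __name__ == "__main__":
    for ts, tag, cmd in analyze(SAMPLE_EVENTS):
        print(ts, tag, cmd)
```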

Impact

  • Command Execution
  • Data Theft
  • Cryptocurrency Theft
  • Financial Loss

Indicators of Compromise


Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Patch and upgrade platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
  • Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
  • Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
  • Use web application firewalls (WAF) to detect and block malicious traffic.
  • Restrict the use of administrative privileges and use them only when necessary.
  • Implement network segmentation to limit the spread of malware.