Attack campaign targeting Apache Struts2 vulnerability

Authors: Roberto Paleari (@rpaleari), Claudio Moletta (@redr2e) and Luca Giancane

At the beginning of March, a security advisory was published about two high-impact issues affecting Apache Struts2, a widely-used framework for creating Java web applications. Although they can be exploited either to cause a DoS (CVE-2014-0050) or to gain remote code execution on the affected server (CVE-2014-0094), these vulnerabilities did not raise much interest until a proof-of-concept exploit was published on a Chinese blog in April, followed by a more detailed write-up describing the technical details of the attack. In addition, on April 24th, researchers from Vulnhunt showed the inefficacy of the countermeasures initially proposed as a workaround to address the bugs.

As usually happens in these cases, after the publication of the PoC attackers started to mass-scan the Internet, searching for vulnerable servers. As a consequence, in recent days we observed automated attacks trying to exploit CVE-2014-0094. All the attacks we have observed so far originate from a single source IP, namely

Anatomy of the attack

The attacks we observed start with a single HTTP GET request that rebases the application to a remote directory, using a UNC path that points to an SMB shared folder on the attacker's machine. The request logged by the target web server is the following:


By listing SMB services available on, we can confirm the presence of a share named "toplel", as shown in the figure below.
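The first-stage request described above leaves a recognisable trace in the web server's access log: a GET whose query string reaches the ClassLoader through the `class` getter and carries a UNC path. The following detector is an added example written for this post, not part of the original analysis; the log lines are constructed, the IP and the exact property chain after `class.classLoader.` are placeholders, and matching is case-insensitive so capitalisation variants of the parameter name are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access log. The IP is a documentation address and
# PLACEHOLDER_PROPERTY stands in for the real property chain, which is not reproduced here.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Apr/2014:09:12:01 +0000] "GET /app/index.action?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2014:09:12:05 +0000] "GET /app/index.action?class.classLoader.PLACEHOLDER_PROPERTY=%5C%5C198.51.100.7%5Ctoplel HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Apr/2014:09:12:09 +0000] "GET /app/index.action?Class.classLoader.PLACEHOLDER_PROPERTY=\\\\198.51.100.7\\toplel HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A parameter name that walks into the ClassLoader via the 'class' getter (the CVE-2014-0094
# vector). Case-insensitive, because a case-sensitive block list can be sidestepped.
CLASSLOADER_RE = re.compile(r'(?:^|[?&.])class\.classloader\b', re.I)
# A UNC path (\\host\share) inside a parameter value, i.e. the remote "directory" being set.
UNC_RE = re.compile(r'\\\\[^\\/]+\\')


def analyze_line(line):
    """Return the findings for one access-log line; an empty list means nothing suspicious."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    # Percent-decode first, so %5C%5C and literal backslashes are treated alike.
    target = unquote(match.group("target"))
    query = target.partition("?")[2]
    findings = []
    if CLASSLOADER_RE.search(query):
        findings.append("classloader-manipulation")
    if UNC_RE.search(query):
        findings.append("unc-path-in-parameter")
    return findings


def scan_log(text):
    """Map each suspicious line number (1-based) to its findings."""
    report = {}
    for number, raw in enumerate(text.splitlines(), 1):
        findings = analyze_line(raw)
        if findings:
            report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(findings)}")
```

The two hits together (ClassLoader parameter plus UNC value) are a strong signal; the ClassLoader match alone is still worth alerting on, since the same getter chain serves other payloads.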

SMB share toplel, on the attacker's host
The toplel share accepts anonymous connections and contains several JSP pages, all containing the following HTML fragment:

gayfgt 696969

No active or malicious code was found in any of these JSPs. Thus, our hypothesis is that some of these pages are invoked by the attacker to verify whether the exploit succeeded, by checking that the returned page actually matches the expected content. Unfortunately, at the time of writing we were not able to record any additional request sent by the attacker, beyond the initial one that triggers the Apache Struts2 vulnerability.

In addition to the anonymous SMB share, the attacker's machine exposes a web server configured to enable a directory listing on the root directory. This allowed us to inspect its contents and continue our analysis.

Directory listing on

We speculate that the goal of the attacker is to leverage CVE-2014-0094 to eventually execute some of the binaries hosted on this server, as discussed in the next section. In addition to these malicious applications, the server also hosts some warez and even a Torrent client with a web-based interface.

Warez folder on the attacker's host

Web-based Torrent client

Although we still lack the link between the attacker's initial request and the request that drops and installs the malicious payload, we speculate that the aim of the attacker is to execute one of two possible malicious applications, depending on the OS running on the compromised host:
  • besh, a shell script for Linux hosts.
  • toplel.exe, a binary application targeted for Windows machines.
The behavior of both the Linux and Windows payloads is described in the next paragraphs.

Linux payload

Analysis of the Linux payload (the script named "besh") is trivial: after collecting some information about the compromised machine, the script downloads and executes two additional binaries, yolo-x64 and yolo-x86; as you can probably imagine, these are 64-bit and 32-bit ELF applications, respectively.

Dropped binaries are a repackaged version of xptMiner, an open-source coin miner. As can be seen from the script contents, the application is configured to connect to, with username "Seegee.lin" and password "1"; at the time of writing, this URL was still active. On a compromised machine, the coin miner will be saved to /tmp/.HOLDMYWEEVE. In addition, the script also takes care of terminating any instance of the stratum process, another open-source coin miner.

Contents of the "besh" shell script

Windows payload

The goal of the Windows payload is the same as the Linux version, i.e., to install xptMiner on the victim's host. In this case, the dropper (ok.exe, MD5 hash 1467e41283f01c0f80568dd4b60b2484) is slightly obfuscated using very standard techniques: strings are encoded in base64 form and library functions are resolved starting from hard-coded hash values.

Upon execution, the binary checks whether it is running on a 64-bit Windows system by leveraging the IsWow64Process() API. Depending on the result, either yolo.exe (cb6799b63dbf3ddd1e7e0e05e579fe89) or swog.exe (5ace2dbc44e19d16bff7ce277bcdde2f) is downloaded.

Generation of the HTTP request to download the second stage

As with the Linux version, the dropped binaries are actually the xptMiner miner, which is then saved to the local path %APPDATA%\ok.exe and finally executed with a command line similar to the following:

%APPDATA%\ok.exe -o -u Seegee.toplel -p 1


In this post we briefly described an attack currently running "in the wild", which exploits the Apache Struts2 vulnerability CVE-2014-0094 to execute arbitrary commands on a vulnerable web server. Apparently, the goal of the attacker is to drop an executable that eventually installs a coin miner.

