HTTP File Server (HFS) (CVE-2024-23692) Attack Cases

HTTP File Server (HFS) is a program that provides a simple type of web service. Because it can provide web services with just an executable file without having to build a web server, it is often used for sharing files, allowing users to connect to the address through web browsers and easily download files.

Figure 1. HFS used for sharing files

Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability. In May 2024, a remote code execution vulnerability (CVE-2024-23692) in HFS was announced. Using this, the threat actor can send packets containing commands to HFS and have it execute malicious commands. Although it is not the latest version, the vulnerability affects “HFS 2.3m”, which is used by many users.

1. CVE-2024-23692 Vulnerability

Not long after the vulnerability became known, the Proof of Concept (PoC) was announced. Using this, one can send packets containing commands to HFS servers remotely as shown below. This means that the threat actor can exploit the CVE-2024-23692 vulnerability after scanning the externally exposed HFS service to install malware or obtain control.

Figure 2. A vulnerability attack using PoC

AhnLab SEcurity intelligence Center (ASEC) monitors attacks exploiting vulnerabilities. Through the AhnLab Smart Defense (ASD) infrastructure, it was able to identify the HFS process installing malware. This attack began to be detected after the vulnerability was announced. As the version involved in the attack is “HFS 2.3m”, a vulnerable version used by many users, it is believed that the CVE-2024-23692 vulnerability was exploited.

Figure 3. HFS executing malicious commands

After initial infiltration, the threat actors used commands such as “whoami” or “arp” to collect information on the system. They then added backdoor accounts for the purpose of connecting via RDP and concealed the accounts. In many cases, HFS was terminated after the process was complete so that it would not be used by other threat actors. Examining the malware strains and commands leads to the assumption that most attacks are done by Chinese-speaking threat actors.

> cmd /c "whoami"
> arp -a

> net user admin12 xiao9[removed]02.. /add
> net user admin XIAOh[removed]22.. /add
> net user tools Ad[removed]yq1 /add
> net localgroup administrators tools /add
> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ad[removed] /t REG_DWORD /d 0

> taskkill /f /im hfs.exe
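One way to surface this post-exploitation sequence in endpoint telemetry is to run a few rules over process-creation events (the HFS process spawning a shell, local account creation, the SpecialAccounts\UserList write that hides an account from the logon screen, and the kill of hfs.exe). This is an added example, not ASEC's detection logic; the event fields and the sample events are constructed and modelled on the commands above.

```python
"""Detection rules for the HFS post-exploitation sequence described above, run over
constructed process-creation events (Sysmon Event ID 1 / 4688-style fields).
Added example, not ASEC's code; field names and sample events are assumptions."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

# Constructed samples modelled on the commands in the post, plus one benign event.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\hfs\hfs.exe", r"C:\Windows\System32\cmd.exe", 'cmd /c "whoami"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net user tools Ad[removed]yq1 /add"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net localgroup administrators tools /add"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
              r'\Winlogon\SpecialAccounts\UserList" /v tools /t REG_DWORD /d 0'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\taskkill.exe",
              "taskkill /f /im hfs.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", 'cmd /c "dir"'),
]

# Writing DWORD 0 to SpecialAccounts\UserList\<name> hides <name> from the logon screen.
HIDE_RE = re.compile(r"SpecialAccounts\\UserList\S*\s+/v\s+(\S+).*?/d\s+0\b", re.I)

RULES = [
    # A file-sharing web server has no business spawning an interactive shell.
    ("hfs_spawned_shell", lambda e: e.parent_image.lower().endswith("\\hfs.exe")
        and e.image.lower().endswith(("\\cmd.exe", "\\powershell.exe"))),
    ("local_account_added", lambda e: re.search(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", e.command_line, re.I)),
    ("added_to_administrators", lambda e: re.search(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", e.command_line, re.I)),
    ("account_hidden_from_logon", lambda e: HIDE_RE.search(e.command_line)),
    ("hfs_killed", lambda e: re.search(r"\btaskkill\b.*\bhfs\.exe\b", e.command_line, re.I)),
]

def evaluate(events):
    """Return (rule_name, command_line) for every event that trips a rule, in event order."""
    return [(name, e.command_line) for e in events for name, pred in RULES if pred(e)]

def hidden_account_names(events):
    """Account names written to the UserList key with data 0, i.e. hidden backdoor accounts."""
    return [m.group(1) for e in events if (m := HIDE_RE.search(e.command_line))]
```

On a real host the same check can be made retroactively by enumerating the UserList key and comparing its zero-valued entries against local administrators group membership.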

2. CoinMiner

XMRig, a CoinMiner that mines the Monero cryptocurrency, was the malware most used in the attacks. At least 4 threat actors are attacking HFS and installing CoinMiners. LemonDuck is a known threat actor among them.

It was first discovered in 2019 and has been exploiting various vulnerabilities to attack poorly managed systems. [1] (This post supports Korean only for now.) Although XMRig CoinMiner is installed in the end, XenoRAT and a vulnerability scanner script are also installed.

Figure 4. LemonDuck’s XenoRAT and scanner malware

3. Backdoor

Besides CoinMiners, many RATs and backdoor-type malware strains are also detected. Aside from XenoRAT covered above, RAT malware such as Gh0stRAT and PlugX, often used by Chinese threat actors, as well as Cobalt Strike and Netcat can be found.

Out of the malware strains used in the attack, PlugX is a variant of the BackDoor.PlugX.38 mentioned in the Dr. Web report [2] and is the same type as the one covered in the past blog post “PlugX Malware Being Distributed via Vulnerability Exploitation.” [3] A small difference is that only the commands up to “0xA” are supported. In addition, “Disk”, “Nethood”, “Netstat”, “Option”, “PortMap”, “Process”, “RegEdit”, “Service”, “Shell”, “SQL”, and “Telnet” plugins are supported while “KeyLog”, “Screen”, “ClipLog”, and “RDP” are excluded.

Figure 5. PlugX configuration data

4. GoThief

There are also attack cases involving various other malware strains. A major example is GoThief, which uses Amazon AWS to steal information from the infected system. It is developed in the Go language, and AhnLab categorizes it as GoThief based on the source code path used when the malware was built (“E:/Thief/GoThief-main/main.go”).

Figure 6. The main routine of GoThief

After capturing screenshots, GoThief uses the Amazon S3 service (bucket name: imgdev) and collects information on the files on the desktop, the uploaded screenshots, and the IP address, then sends it to another C&C server.

Figure 7. Sending the collected information [4]

5. Conclusion

Recently, the remote code execution vulnerability CVE-2024-23692 in the HFS program that provides web services was announced. Attack cases against vulnerable versions of HFS continue to be detected ever since. Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability.

If HFS is in use, it must be checked whether it is a vulnerable version and must be patched to the latest version to prevent attacks from known vulnerabilities. Also, V3 should be updated to the latest version so that malware infection can be prevented.

File Detection
– Data/BIN.EncPe (2024.06.24.03)
– Backdoor/Win32.RL_Plugx.R285635 (2019.08.09.02)
– Trojan/Win32.RL_Cometer.R325811 (2020.02.14.00)
– Trojan/VBS.Launcher (2024.06.24.03)
– Trojan/BAT.Agent.SC200145 (2024.06.24.03)
– Trojan/BAT.Launcher (2024.06.24.03)
– Trojan/PowerShell.Loader (2024.06.27.02)
– Trojan/Win.XenoRAT.C5586957 (2024.02.11.01)
– Infostealer/Win.GoThief.C5643764 (2024.06.24.00)
– Downloader/PowerShell.Miner
– CoinMiner/Win.XMRig.C5643760 (2024.06.24.00)
– Dropper/Win.CoinMiner.C5643759 (2024.06.24.00)
– CoinMiner/MSI.XMRig (2024.06.24.02)
– Trojan/Win.Agent.C5640510 (2024.06.13.00)
– Trojan/Win32.Npkon.R55984 (2013.03.12.03)
– Dropper/Win.Generic.C5624814 (2024.05.24.00)
– CoinMiner/Win.Generic.R649206 (2024.05.24.00)
– Trojan/Win32.Dialer.C239376 (2014.01.10.00)
– Trojan/Win.UACBypassExp.R608495 (2023.09.30.00)
– Trojan/Win.Miner3.R512976 (2022.08.31.01)
– Unwanted/Win32.NSSM.R353938 (2020.10.27.00)
– Trojan/Win32.Banker.R52371 (2013.02.10.00)
– Trojan/Win.Generic.C5042047 (2022.03.31.01)
– Trojan/BAT.Agent (2024.06.24.03)
– Trojan/Win.Miner.R416364 (2021.04.18.01)
– Unwanted/Win32.CoinMiner.C2247048 (2017.11.07.05)
– Unwanted/Win64.NSSM.C2186917 (2018.03.22.08)
– HackTool/Win32.ServiceTool.R232096 (2018.07.19.07)

Behavior Detection
– Exploit/MDP.Event.M4869
– Malware/MDP.Download.M1900
– Execution/MDP.Powershell.M2514
– Execution/MDP.Powershell.M1185
– InitialAccess/MDP.Powershell.M1197

IoCs
MD5s
– ce7dc5df5568a79affa540aa86b24773: Gh0st RAT (2345.exe)
– 8f0071027d513867feb3eb8943ccaf05: Gh0st RAT (systeminfo.exe)
– 77970a04551636cc409e90d39bbea931: PlugX Loader (Roboform.dll)
– 6adaeb6543955559c05a9de8f92d1e1d: PlugX (Encoded) (WindowsWatcher.key)
– 4383b1ea54a59d27e5e6b3122b3dadb2: GoThief (conost.exe)

C&C Servers
– 154.201.87[.]185:999: Gh0st RAT
– 164.155.205[.]99:999: Gh0st RAT
– support.firewallsupportservers[.]com:80/443/53/8080: PlugX
– hxxp://188.116.22[.]65:5000/submit: GoThief

Download URLs

– hxxp://121.204.249[.]123/2345.exe: Gh0st RAT
– hxxp://121.204.249[.]123:8077/systeminfo.exe: Gh0st RAT
– hxxp://185.173.93[.]167:13306/Roboform.dll: PlugX Loader
– hxxp://185.173.93[.]167:13306/WindowsWatcher.key: PlugX (Encoded)
– hxxps://imgdev.s3.eu-west-3.amazonaws[.]com/dev/20210623/conost.exe: GoThief
