WARNING! This blog post contains file names and strings that are offensive and hate-filled. The names of these files and strings were chosen by the attackers, and I in no way find humor in or appreciate them.
Had to wait a little while to finish gathering some information on this, because it was a large endeavor and may end up splitting into 2 or 3 posts.
This particular incident started with our client's hosted mail relay threatening to shut down their access to the relay due to a high volume of spam that was coming from the client's network. The client had a fairly extensive network, so we had to get our hands dirty digging into their environment to track down where the spam was coming from, but we eventually tracked it down to 2 possible servers. I'll offer to you my reasoning for suspecting each server first, and then I will tell you what the actual outcome was.
On the first server we examined, we started in the most obvious place possible; the anti-virus logs. We noted immediately that 2 files had been uploaded to this server at some point in the past, and now they had been sitting in the quarantine for months. Those files were 2 .ASPX files named "dusuki.aspx" and "website.aspx", and they were uploaded to the "C:\inetpub\wwwroot" directory. These 2 files had exactly the same contents, with the exception of "dusuki.aspx" having a small bit of comment added between lines 23-29. Here are the comments I just mentioned, plus a few lines of code just beneath:
Code by Bin
Make in China
E-mail : firstname.lastname@example.org
public string Password="21232f297a57a5a743894a0e4a801fc3";//admin
public string vbhLn="ASPXSpy";
ASPXSpy (https://github.com/tennc/webshell/blob/master/net-friend/aspx/aspxspy.aspx and https://github.com/tennc/webshell/blob/master/net-friend/aspx/aspxspy.aspx) is a web server backdoor with multiple capabilities such as file upload/download, service/process manipulation, etc. It is unclear exactly how long the ASPXSpy files had been on this server or if it had ever been used, but timestamps on the files indicate that it could have been an unpleasant span of time. This, however, was not the source of our spam problem. Read on for further details!
So, with no evidence that the origin of the spam was the first server, we moved on to our second suspected server. Once again, we started with the anti-virus logs. What we found was both surprising and disturbing. The malware, despite its age, wasn't all detected by anti-virus, as was later discovered by a manual perusal of the file structure. Below is a list of all the files that we turned up on this server:
So, you can see we have a mixture of .EXE files, .JAR files, and a single .VBS file. I am not at all going to go into the details behind these files; I will reserve that for another upcoming post. I will state, however, that these files were not responsible for the spam, and that some of them had even been noted in a previous cleanup attempt by another firm. However, they relied solely on an anti-virus engine to detect the files, which obviously didn't work for all of the files. Take this moment to examine yet another instance of the fact that any signature-based system can completely and utterly fail you, especially if it is your only means of identifying badness.
During my walk of the file system on this server, I encountered 2 directories containing files that looked to be dropped/queued e-mail messages. The directories in question were "C:\ColdFusion7\Mail\Undelivr" and "C:\inetpub\mailroot\Drop", both mail directories for ColdFusion and IIS, respectively. In the ColdFusion directory, we noted files with names such as "Mail558391.cfmail", and in the IIS directory we saw files with names such as "fd2eb58401d0ffec00000003.eml". Let's look at these e-mails, in turn.
First, the ColdFusion mail item:
type: text/html; charset=UTF-8
subject: [Verification] N°1391717292840
X-Mailer: ColdFusion 8 Application Server
body: Chèr(e) client(e),
body: Nous vous informons que votre ID arrive a expiration dans moins de 48 heures,
body: Il est impératif d'effectuer une vérification de vos informations a présent ,sans quoi votre ID sera détruit.
body: Cliquez simplement sur le lien ci-dessous et ouvrez une session a l'aide de votre Apple ID et de votre mot de passe .
body: <a href="http://tienda[.]ganasdemalasana[.]com/errors/acceuil[.]html">Vérifiez maintenant</a>
body: Pour plus d'informations, consultez la rubrique <a href="">Questions et réponses</a> .
body: L'assistance a la clientéle
And then the IIS SMTP mail item:
Received: from [redacted] ([127.0.0.1]) by [redacted] with Microsoft SMTPSVC(7.5.7601.17514);
Tue, 6 Oct 2015 00:10:51 -0400
Date: Tue, 6 Oct 2015 00:10:51 -0400 (EDT)
To: dé, [redacted]@hotmail.fr
Content-Type: text/html; charset=UTF-8
X-Mailer: ColdFusion 8 Application Server
X-OriginalArrivalTime: 06 Oct 2015 04:10:51.0875 (UTC) FILETIME=[FD2DDB30:01D0FFEC]
<table width="680" align="center" cellspacing="0" cellpadding="0" border="0">
<div style="background:rgb(255,255,255);padding:20px 20px 10px;border:1px solid rgb(255,255,255);color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:12px;">Cher(e)
Lors de votre dernier achat , vous avez été averti par un message vous informant de l'obligation d'adhérer à la nouvelle réglementation concernant la fiabilité pour les achats par C.B. sur internet et de la mise en place d'un arrêt pour vos futurs achats.
Or, nous n'avons pas, ce jour, d'adhésion de votre part et nous sommes au regret de vous informer que vous pouvez plus utiliser votre carte sur internet.
<ul><strong>Adhésion : </strong><a href="https://livrefixo[.]com/errors/acceuil[.]html" target="_blank">Faites votre demande d'adhésion en ligne en cliquant ici</a></ul>
Merci de la confiance que vous nous témoignez.
So, in both instances, we have French recipients being directed to visit a URL that ends with "acceuil.html" (hint: "acceuil" translates to "home".) I tried as hard as I could to find either a live instance of this campaign or an archived copy of it, but to no avail. Given the pretext of the e-mails, though, I would guess that credential phishing is likely what was going on here.
Things were fairly simple from here. Turns out, the client was running an extremely old version of ColdFusion and had RDP open to the public Internet for anyone willing to force their way into the box. We ended up shuttering the whole blasted thing until it could be rebuilt in a secure manner.
This is just a friendly reminder to always patch. Patch, patch, patch. Do it.
I will do a deeper dive into the malicious files I found in later blog posts, so keep your eyes peeled!