Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability

Zscaler describes how attackers exploited a path traversal zero-day (CVE-2023-47246) in SysAid On-Premise to upload a WAR archive containing a WebShell, then used PowerShell to deploy the GraceWire loader and follow-on tooling. The activity is attributed to Lace Tempest / CL0P; the intrusion deployed the GraceWire trojan on affected hosts and was followed by post-exploitation cleanup of forensic artifacts. #SysAid #GraceWire

Keypoints

  • Attackers exploited a path traversal vulnerability in SysAid’s com.ilient.server.UserEntry.doPost via the accountID parameter to write files into the Tomcat webroot.
  • Exploitation delivered a zipped WAR archive containing a WebShell and payloads that the actor then accessed to control the system.
  • A PowerShell script was used to enumerate SysAid file directories, check for Sophos antivirus processes, and, if not found, execute the GraceWire loader (user.exe).
  • The GraceWire loader reads an encrypted .bin payload, decrypts and verifies it, then injects the resulting Trojan into processes like spoolsv.exe, msiexec.exe, and svchost.exe.
  • Actors used additional PowerShell to remove forensic evidence and there is evidence of PowerShell being used to download and run Cobalt Strike as a follow-up tool.
  • Zscaler deployed detections and signatures for App.Exploit.CVE-2023-47246 and GraceWire/CL0P-related artifacts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers exploited a SysAid zero-day path traversal to achieve remote code execution. ‘path traversal vulnerability leading to code execution’
  • [T1105] Ingress Tool Transfer – The adversary uploaded a WAR archive containing a WebShell and payloads into the Tomcat webroot. ‘uploaded a WAR archive that housed a WebShell and various payloads into the webroot of the SysAid Tomcat web service’
  • [T1505] Server Software Component (Web Shell) – A WebShell placed in the webroot provided remote interactive access and control of the compromised server. ‘the threat actor gains access to the WebShell, enabling them to interact with the compromised system’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts were used to enumerate files, check for Sophos processes, launch the GraceWire loader, and download/execute follow-on tools. ‘The PowerShell script … enumerates all the files … and then checks for antivirus … If the script doesn’t detect antivirus … then it executes the GraceWire loader (user.exe)’
  • [T1055] Process Injection – The GraceWire loader injects the decrypted Trojan into system processes (spoolsv.exe, msiexec.exe, svchost.exe) to run payloads stealthily. ‘the loader injects the GraceWire Trojan into various processes, including: spoolsv.exe, msiexec.exe, svchost.exe’
  • [T1070.004] Indicator Removal on Host: File Deletion – Actors executed PowerShell to remove traces and erase IoCs after operations. ‘employ another PowerShell script to systematically eliminate traces and evidence linked to their malicious activities’
  • [T1071.001] Application Layer Protocol: Web Protocols – Evidence shows PowerShell commands used to download and execute Cobalt Strike as a networked C2/implant delivery mechanism. ‘PowerShell command to download and execute CobaltStrike’

Indicators of Compromise

  • [File Path] SysAid webroot used for payload staging – C:\Program Files\SysAid\Server\tomcat\webapps\usersfiles
  • [File Names] Payload and loader filenames observed – user.exe, <filename>.bin, WAR archive containing a WebShell
  • [Processes] Processes targeted for injection – spoolsv.exe, msiexec.exe, svchost.exe
  • [Detection Signatures / Labels] Malware detections referenced – Win32.Trojan.GraceWire, Win32.Ransom.Clop (and related signatures)
  • [Commands] Malicious command examples – PowerShell used to execute GraceWire and a reported PowerShell command to download and execute Cobalt Strike

The technical attack flow begins with exploitation of a path traversal bug in SysAid’s com.ilient.server.UserEntry.doPost by manipulating the accountID parameter; this allowed attackers to write a zipped WAR file into Tomcat’s webroot, extract a WebShell, and gain interactive access. Using that WebShell the actor staged additional payloads and uploaded a PowerShell script that enumerated files under C:\Program Files\SysAid\Server\tomcat\webapps\usersfiles, checked for Sophos processes (exiting if detected to avoid interference), and launched the GraceWire loader (user.exe) when no blocking AV was found.

The GraceWire loader first looks for an encrypted <filename>.bin in the working directory, reads it into memory, decrypts and verifies checksums, and if valid, executes the decrypted payload. The loader then performs process injection to implant the GraceWire trojan into system processes such as spoolsv.exe, msiexec.exe, and svchost.exe; debug print statements in the loader reveal its control flow. Post-exploitation, the actors ran a separate PowerShell routine to remove artifacts and evidence, and there is supporting evidence of a PowerShell command used to download and execute Cobalt Strike as a follow-on tool.

Detection controls should focus on the initial file write patterns (unexpected WAR uploads to Tomcat webapps), WebShell access behavior, PowerShell executions that enumerate SysAid directories or invoke user.exe, presence of encrypted .bin payloads read into memory, and suspicious process injection into spoolsv.exe/msiexec.exe/svchost.exe; Zscaler published signatures for App.Exploit.CVE-2023-47246 and GraceWire-related detections to cover these stages.
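The following triage helper is an added example written for this page; it is not code from Zscaler's advisory or from SysAid. It turns the detection controls listed above into checks over host telemetry: WAR or .bin files written under the SysAid Tomcat webroot, a shell spawned by the SysAid Tomcat service (the WebShell signature), PowerShell command lines that reference the usersfiles directory or invoke user.exe, and cross-process thread creation from user.exe into spoolsv.exe, msiexec.exe or svchost.exe. The paths and process names come from the advisory; the event field names (type, path, image, parent_image, cmdline, source_image, target_image) are a loose mapping onto Sysmon events 11, 1 and 8, the Tomcat service binary name tomcat.exe is an assumption, and all sample events are constructed.

```python
"""Flag host telemetry consistent with the CVE-2023-47246 post-exploitation
chain: WAR dropped into the SysAid Tomcat webroot, PowerShell touching the
usersfiles directory or launching user.exe, injection into system processes.
Added example for this page; event shape loosely follows Sysmon events 11/1/8."""
import re
from typing import Callable, Dict, List, Tuple

# Paths and names taken from the advisory; all comparisons are case-insensitive.
SYSAID_ROOT = r"c:\program files\sysaid"
SYSAID_WEBROOT = SYSAID_ROOT + r"\server\tomcat\webapps"
USERSFILES_DIR = SYSAID_WEBROOT + r"\usersfiles"
LOADER_NAME = "user.exe"
INJECTION_TARGETS = {"spoolsv.exe", "msiexec.exe", "svchost.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# user.exe as a standalone token in a command line (avoids matching e.g. browser.exe).
LOADER_RE = re.compile(r"(?:^|[\s\\\"'])user\.exe(?:$|[\s\"'])")


def _norm(s: str) -> str:
    """Lower-case and backslash-normalise a Windows path or command line."""
    return s.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_file_create(ev: Dict) -> List[str]:
    """File creation: WAR or .bin staged in the SysAid webroot (first stage)."""
    p = _norm(ev.get("path", ""))
    out = []
    if p.startswith(SYSAID_WEBROOT) and p.endswith(".war"):
        out.append("war_written_to_sysaid_webroot")
    if p.startswith(USERSFILES_DIR) and p.endswith(".bin"):
        out.append("bin_payload_staged_in_usersfiles")
    if p.startswith(USERSFILES_DIR) and _basename(p) == LOADER_NAME:
        out.append("gracewire_loader_staged")
    return out


def check_process_create(ev: Dict) -> List[str]:
    """Process creation: WebShell-spawned shell, enumeration of usersfiles,
    PowerShell launching the loader."""
    image = _basename(ev.get("image", ""))
    parent = _norm(ev.get("parent_image", ""))
    cmd = _norm(ev.get("cmdline", ""))
    out = []
    # Tomcat has no business spawning a shell; assumes the service runs from
    # under the SysAid install directory.
    if image in SHELL_IMAGES and parent.startswith(SYSAID_ROOT + "\\"):
        out.append("shell_spawned_by_sysaid_tomcat")
    if image in ("powershell.exe", "pwsh.exe"):
        if USERSFILES_DIR in cmd:
            out.append("powershell_enumerates_usersfiles")
        if LOADER_RE.search(cmd):
            out.append("powershell_invokes_loader")
    if image == LOADER_NAME and _basename(parent) in ("powershell.exe", "pwsh.exe"):
        out.append("loader_launched_by_powershell")
    return out


def check_remote_thread(ev: Dict) -> List[str]:
    """Cross-process thread creation: the loader injecting into a system process."""
    src = _basename(ev.get("source_image", ""))
    tgt = _basename(ev.get("target_image", ""))
    if src == LOADER_NAME and tgt in INJECTION_TARGETS:
        return ["injection_into_" + tgt.split(".")[0]]
    return []


HANDLERS: Dict[str, Callable[[Dict], List[str]]] = {
    "file_create": check_file_create,
    "process_create": check_process_create,
    "remote_thread": check_remote_thread,
}


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, tag) for every event matching a stage of the chain."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        handler = HANDLERS.get(ev.get("type", ""))
        for tag in (handler(ev) if handler else []):
            hits.append((i, tag))
    return hits


# Constructed sample telemetry (not from the advisory); file names are placeholders.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Program Files\SysAid\Server\tomcat\webapps\usersfiles\dropped.war"},
    {"type": "file_create", "path": r"C:\Program Files\SysAid\Server\tomcat\webapps\usersfiles\payload.bin"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\SysAid\Server\tomcat\bin\tomcat.exe",
     "cmdline": r'powershell.exe -c "Get-ChildItem \"C:\Program Files\SysAid\Server\tomcat\webapps\usersfiles\" -Recurse"'},
    {"type": "process_create",
     "image": r"C:\Program Files\SysAid\Server\tomcat\webapps\usersfiles\user.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "user.exe"},
    {"type": "remote_thread", "source_image": r"C:\...\usersfiles\user.exe",
     "target_image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx"},       # benign
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Date"},  # benign
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Each check maps to one stage of the chain, so a host that trips several of them in sequence (WAR write, Tomcat-spawned PowerShell, loader launch, injection) is a much stronger signal than any single hit; the Tomcat-spawned-shell check is the one least likely to fire in normal operation and is worth alerting on alone.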

Read more: https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-47246-sysaid-zero-day-vulnerability