HTTP File Server (HFS) (CVE-2024-23692) Attack Cases

The article explains how CVE-2024-23692 enables remote code execution in exposed HTTP File Server (HFS) installations, allowing attackers to send commands and install malware. It catalogs campaigns across multiple families (CoinMiner, LemonDuck, Gh0stRAT, PlugX, GoThief) with behaviors like system discovery, backdoor creation for RDP, and data exfiltration to AWS S3, attributing many activities to Chinese-speaking actors.
#CVE-2024-23692 #HFS #LemonDuck #Gh0stRAT #PlugX #GoThief #XMRig #XenoRAT

Keypoints

  • CVE-2024-23692 is a remote code execution vulnerability in HFS 2.3m. Attackers scan for HFS services exposed to the internet and then exploit the flaw to run commands, install malware, or take over the host.
  • A public PoC appeared shortly after disclosure; it lets a remote client run arbitrary commands on a vulnerable HFS server.
  • Post-exploitation activity starts with host discovery (whoami, arp -a), continues with creation of a backdoor account for RDP access, and ends with the HFS process itself being terminated.
  • CoinMiners, above all XMRig, are the most common payload; LemonDuck is one of several actors that deploy a CoinMiner together with other tools such as XenoRAT and vulnerability scanners.
  • GoThief collects desktop file listings, screenshots and IP address information, uses Amazon S3 (bucket imgdev) as a staging point, and sends the collected data on to a C2 server.
  • Other backdoors/RATs observed include Gh0stRAT, PlugX, Cobalt Strike and Netcat; the PlugX sample carries plugins and is a variant of BackDoor.PlugX.38.
  • Defensive guidance: update HFS to the latest version (or take unpatched 2.3m instances off the internet) and keep AhnLab V3 up to date so that known exploit-based infections are detected.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability allowed remote command execution on exposed HFS instances; “Using this, the threat actor can send packets containing commands to HFS servers remotely as shown below. This means that the threat actor can exploit the CVE-2024-23692 vulnerability after scanning the externally exposed HFS service to install malware or obtain control.”
  • [T1059] Command and Scripting Interpreter – Attackers executed Windows commands to gather information and configure persistence, for example: cmd /c "whoami", arp -a, net user admin12 … /add, and taskkill /f /im hfs.exe.
  • [T1033] System Owner/User Discovery – The use of “whoami” to determine the current user context.
  • [T1016] System Network Configuration Discovery – The use of “arp -a” to enumerate network configuration details.
  • [T1136] Create Account – Creation of backdoor accounts to enable RDP access, e.g., “net user admin12 xiao9[removed]02.. /add” and “net localgroup administrators tools /add”.
  • [T1070] Indicator Removal on Host – Terminating the HFS process once the backdoor account was in place: “taskkill /f /im hfs.exe”. Killing the vulnerable service also locks other attackers out of the same entry point, so T1489 (Service Stop) is the alternative mapping for this step.
  • [T1021.001] Remote Services: Remote Desktop Protocol – The backdoor accounts were used to log in over RDP.
  • [T1113] Screen Capture – GoThief activity mentions capturing screenshots as part of data collection.
  • [T1567.002] Exfiltration to Cloud Storage – GoThief uploads data to AWS S3 (Bucket name: imgdev) and sends it to a C2 server, described as: “the Amazon S3 service (Bucket name: imgdev) to collect the information on files on the desktop, uploaded screenshots, and IP address information to send it to another C&C server.”
  • [T1071.001] Web Protocols – C2 and payload delivery over HTTP/HTTPS for the listed domains and URLs (e.g., the firewallsupportservers[.]com domain on 80/443/8080 and the Gh0st RAT and PlugX download URLs). The Gh0st RAT C2 addresses on port 999 carry the family's own TCP protocol rather than HTTP, which is better mapped to T1095 (Non-Application Layer Protocol).
  • [T1119] Automated Collection (implied by data gathering) – GoThief collects screenshots, file lists, and IP information for exfiltration.
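
The commands in the T1033/T1016/T1136/T1070 entries above form a short, recognisable chain once you pivot on the parent process: nothing legitimate on a file server has hfs.exe spawning cmd.exe. The hunt below over process-creation telemetry is an added example written for this summary, not code from the ASEC report or from the HFS project; the event records, their field names, the host names and the backdoor password are all constructed.

```python
"""Hunt for the HFS post-exploitation chain in Windows process-creation
telemetry. Added example for this summary, not code from the ASEC report.
The events are constructed, Sysmon-Event-ID-1-style records; the field
names (ts, host, parent_image, image, command_line) are this example's own
convention, not a vendor schema."""
import re
from collections import defaultdict

# Command-line patterns and the technique ID the summary assigns to each.
# T1070 is kept for taskkill as mapped above; T1489 (Service Stop) is the
# alternative mapping, since killing hfs.exe also shuts other attackers out.
RULES = [
    ("T1033", "whoami", re.compile(r"\bwhoami\b", re.I)),
    ("T1016", "arp -a", re.compile(r"\barp(?:\.exe)?\s+-a\b", re.I)),
    ("T1136", "net user ... /add",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("T1136", "net localgroup administrators ... /add",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("T1070", "taskkill hfs.exe",
     re.compile(r"\btaskkill(?:\.exe)?\b.*\bhfs\.exe\b", re.I)),
]

def spawned_by_hfs(event):
    """True when the process was launched by hfs.exe, a parent that should
    never be starting a command interpreter on a file server."""
    return event["parent_image"].lower().endswith("\\hfs.exe")

def classify(command_line):
    """Return (technique, label) pairs for every rule the command line matches."""
    return [(tech, label) for tech, label, rx in RULES if rx.search(command_line)]

def hunt(events):
    """Group rule hits per host for processes spawned by hfs.exe and flag the
    backdoor-then-terminate pattern: an account or group change followed by
    the HFS process being killed."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not spawned_by_hfs(ev):
            continue
        for tech, label in classify(ev["command_line"]):
            per_host[ev["host"]].append((ev["ts"], tech, label, ev["command_line"]))
    alerts = {}
    for host, hits in per_host.items():
        techs = [t for _, t, _, _ in hits]
        first_account = next((i for i, t in enumerate(techs) if t == "T1136"), None)
        first_kill = next((i for i, t in enumerate(techs) if t == "T1070"), None)
        alerts[host] = {
            "hits": hits,
            "backdoor_then_kill": (first_account is not None and first_kill is not None
                                   and first_kill > first_account),
        }
    return alerts

# Constructed sample telemetry: FS01 shows the full chain, FS02 only discovery,
# plus one benign whoami launched from Explorer that must not count.
HFS = r"C:\hfs\hfs.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"ts": 1, "host": "FS01", "parent_image": HFS, "image": CMD, "command_line": 'cmd /c "whoami"'},
    {"ts": 2, "host": "FS01", "parent_image": HFS, "image": CMD, "command_line": "cmd /c arp -a"},
    {"ts": 3, "host": "FS01", "parent_image": HFS, "image": CMD,
     "command_line": "cmd /c net user admin12 Passw0rd! /add"},  # password is made up
    {"ts": 4, "host": "FS01", "parent_image": HFS, "image": CMD,
     "command_line": "cmd /c net localgroup administrators admin12 /add"},
    {"ts": 5, "host": "FS01", "parent_image": HFS, "image": CMD, "command_line": "cmd /c taskkill /f /im hfs.exe"},
    {"ts": 6, "host": "FS01", "parent_image": r"C:\Windows\explorer.exe", "image": CMD, "command_line": "cmd /c whoami"},
    {"ts": 7, "host": "FS02", "parent_image": r"C:\Tools\hfs.exe", "image": CMD, "command_line": "cmd /c arp -a"},
]

if __name__ == "__main__":
    for host, alert in hunt(SAMPLE_EVENTS).items():
        print(host, "backdoor_then_kill=%s" % alert["backdoor_then_kill"])
        for ts, tech, label, cmdline in alert["hits"]:
            print("  ", ts, tech, label, "|", cmdline)
```

The parent-process filter is what keeps this usable: whoami and arp -a are common administrator commands, but only when hfs.exe is the parent do they indicate the web service itself running them. The per-host sequence check turns the individual hits into a single high-confidence alert for the account-then-kill pattern the report describes.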

Indicators of Compromise

  • [IP Address] – 154.201.87[.]185:999 and 164.155.205[.]99:999 (C2 servers for Gh0st RAT)
  • [Domain] – support.firewallsupportservers[.]com:80/443/53/8080 (C2/communication), imgdev.s3.eu-west-3.amazonaws[.]com (GoThief-related AWS bucket)
  • [URL] – hxxp://121.204.249[.]123/2345.exe; hxxp://121.204.249[.]123:8077/systeminfo.exe (Gh0st RAT download/loader)
  • [URL] – hxxps://imgdev.s3.eu-west-3.amazonaws[.]com/dev/20210623/conost.exe (GoThief-related download)
  • [MD5] – ce7dc5df5568a79affa540aa86b24773: Gh0st RAT (2345.exe); 8f0071027d513867feb3eb8943ccaf05: Gh0st RAT (systeminfo.exe); 77970a04551636cc409e90d39bbea931: PlugX Loader (Roboform.dll); 6adaeb6543955559c05a9de8f92d1e1d: PlugX (Encoded) (WindowsWatcher.key); 4383b1ea54a59d27e5e6b3122b3dadb2: GoThief (conost.exe)
  • [File Name] – conost.exe (GoThief); Roboform.dll (PlugX Loader); WindowsWatcher.key (PlugX encoded)
  • [Cloud Resource] – Bucket imgdev (AWS S3) used for GoThief data exfiltration
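
The indicators above are defanged (hxxp, [.]) and mix several forms (IP:port, a domain with four ports, full URLs, MD5s), so they cannot be grepped as written. The script below, an added example that is not part of the ASEC report, refangs them, builds an index that respects the ports the report lists, and runs it over constructed proxy, DNS, firewall and EDR log lines; the key=value log format and the 10.0.5.x client addresses are invented for the example, while the indicators are the ones listed on this page.

```python
"""Refang the indicators listed above and match them against log lines.
Added example for this summary, not from the ASEC report. The log lines
and their key=value format are constructed; the indicators are the ones
listed on this page."""
import re
from urllib.parse import urlsplit

DEFANGED = {
    "ip": ["154.201.87[.]185:999", "164.155.205[.]99:999"],
    "domain": ["support.firewallsupportservers[.]com:80/443/53/8080",
               "imgdev.s3.eu-west-3.amazonaws[.]com"],
    "url": ["hxxp://121.204.249[.]123/2345.exe",
            "hxxp://121.204.249[.]123:8077/systeminfo.exe",
            "hxxps://imgdev.s3.eu-west-3.amazonaws[.]com/dev/20210623/conost.exe"],
    "md5": ["ce7dc5df5568a79affa540aa86b24773", "8f0071027d513867feb3eb8943ccaf05",
            "77970a04551636cc409e90d39bbea931", "6adaeb6543955559c05a9de8f92d1e1d",
            "4383b1ea54a59d27e5e6b3122b3dadb2"],
}

def refang(ioc):
    """Undo the usual defanging so the indicator matches real traffic."""
    for old, new in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[:]", ":"), ("[/]", "/")):
        ioc = ioc.replace(old, new)
    return re.sub(r"^hxxp", "http", ioc, flags=re.I)

def parse_host_ports(ioc):
    """'host:80/443/53' -> ('host', {80, 443, 53}); a bare host -> ('host', set()),
    where an empty set means any port."""
    host, _, ports = ioc.partition(":")
    return host.lower(), {int(p) for p in ports.split("/") if p}

def build_index(defanged):
    """Index hosts (with allowed ports), full URLs and MD5s. Hosts inside URL
    indicators are indexed too, so DNS or firewall logs that never see the
    URL still match."""
    idx = {"hosts": {}, "urls": set(), "md5": {h.lower() for h in defanged["md5"]}}

    def add_host(host, ports):
        cur = idx["hosts"].get(host)
        if cur is None:
            idx["hosts"][host] = set(ports)
        elif not cur or not ports:
            idx["hosts"][host] = set()      # an any-port entry wins
        else:
            cur |= ports

    for ioc in defanged["ip"] + defanged["domain"]:
        add_host(*parse_host_ports(refang(ioc)))
    for ioc in defanged["url"]:
        url = refang(ioc).lower()
        idx["urls"].add(url)
        parts = urlsplit(url)
        add_host(parts.hostname, {parts.port} if parts.port else set())
    return idx

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?", re.I)
URL_RE = re.compile(r"""https?://[^\s"',;]+""", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

def match_line(idx, line):
    """Return (kind, value) hits for one log line. A listed host seen on a
    port the report did not list is still reported, as 'host-port-mismatch'."""
    hits = []
    for url in URL_RE.findall(line):
        if url.lower() in idx["urls"]:
            hits.append(("url", url))
    for host, port in HOST_RE.findall(line):
        ports = idx["hosts"].get(host.lower())
        if ports is None:
            continue
        seen = f"{host}:{port}" if port else host
        if ports and port and int(port) not in ports:
            hits.append(("host-port-mismatch", seen))
        else:
            hits.append(("host", seen))
    for digest in MD5_RE.findall(line):
        if digest.lower() in idx["md5"]:
            hits.append(("md5", digest.lower()))
    return hits

def scan(lines, idx=None):
    """Return [(line_number, hits)] for every line with at least one hit."""
    idx = idx or build_index(DEFANGED)
    out = []
    for n, line in enumerate(lines, 1):
        hits = match_line(idx, line)
        if hits:
            out.append((n, hits))
    return out

SAMPLE_LOGS = [  # constructed log lines
    "2024-06-12T03:14:07Z proxy src=10.0.5.21 dst=support.firewallsupportservers.com:443 action=allow",
    "2024-06-12T03:15:30Z dns src=10.0.5.21 query=imgdev.s3.eu-west-3.amazonaws.com type=A",
    "2024-06-12T03:16:02Z proxy src=10.0.5.21 url=http://121.204.249.123:8077/systeminfo.exe action=allow",
    "2024-06-12T03:17:45Z fw src=10.0.5.21 dst=154.201.87.185:999 proto=tcp action=allow",
    "2024-06-12T03:18:01Z fw src=10.0.5.21 dst=164.155.205.99:443 proto=tcp action=deny",
    "2024-06-12T03:20:10Z edr host=FS01 file=C:\\Users\\Public\\systeminfo.exe md5=8f0071027d513867feb3eb8943ccaf05",
    "2024-06-12T03:21:00Z proxy src=10.0.5.22 dst=www.example.com:443 action=allow",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(n, hits)
```

Keeping the port sets from the report matters in both directions: a connection to 154.201.87[.]185 on port 999 is a direct match, while the same address on another port is reported separately so an analyst can decide whether the actor moved ports or the address was reused. Indexing the hosts of the URL indicators as well means a DNS query for the imgdev bucket is caught even when the proxy never logs the full object path.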

Read more: https://asec.ahnlab.com/en/67650/