Keypoints
- CISA received four files from an Aeronautical Sector incident response engagement.
- Two PE files (bitmap.exe, wkHPd.exe) are Meterpreter/Metasploit variants configured to connect to C2 servers and load unencrypted payloads into memory.
- Two ASPX webshells (resource.aspx, ConfigLogin.aspx) enable remote JavaScript execution after authentication using keys “OWAwebconfig” and “TUCSON”; the webshells use obfuscation to bypass protections.
- C2 infrastructure observed: 108[.]62[.]118[.]160 and 179[.]60[.]147[.]4; one Meterpreter binary connects to 179[.]60[.]147[.]4 on TCP port 58731.
- CISA published YARA rules (CISA_10430311_01, _02, _03) and provided SHA256 hashes for the four submitted files for detection.
- Antivirus detections across multiple vendors classified the two executables as Meterpreter/Metasploit variants and the two ASPX files as webshells/backdoors.
MITRE Techniques
- [N/A] No MITRE ATT&CK techniques are explicitly referenced in the article.
Indicators of Compromise
- [SHA256 hashes] Submitted file hashes – 334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b, 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63, and 2 more hashes.
- [Filenames] Malicious filenames observed – bitmap.exe, wkHPd.exe (Meterpreter payloads); resource.aspx, ConfigLogin.aspx (ASPX webshells).
- [IP addresses] Command-and-control servers – 108[.]62[.]118[.]160 (associated with wkHPd.exe), 179[.]60[.]147[.]4 (associated with bitmap.exe).
- [Authentication keys] Webshell authentication keys – “OWAwebconfig” (resource.aspx), “TUCSON” (ConfigLogin.aspx) used to authenticate before remote JS execution.
- [Ports] Network context – TCP port 58731 observed for connection from bitmap.exe to 179[.]60[.]147[.]4.
- [YARA rules] Detection rules published – CISA_10430311_01, CISA_10430311_02, CISA_10430311_03 (targets Meterpreter samples and OWA-targeting ASPX webshells).
The technical analysis identified two small PE32+ x86-64 executables (SHA256: 334c2d0a…ff4b for bitmap.exe and 79a9136e…fb63 for wkHPd.exe) that are variants of the Metasploit Meterpreter payload. Both binaries are designed to establish outbound TCP connections to specific IP addresses (bitmap.exe → 179[.]60[.]147[.]4 on port 58731; wkHPd.exe → 108[.]62[.]118[.]160), receive an unencrypted payload from the C2, and execute that payload directly in memory. Antivirus vendors flagged these samples as Meterpreter/Metasploit variants and CISA supplied YARA signatures (CISA_10430311_01 and CISA_10430311_02) that match characteristic byte sequences and the provided SHA256 values for detection and hunting.
The two ASPX artifacts (resource.aspx, 175 bytes; ConfigLogin.aspx, 169 bytes) are tiny webshells that accept authenticated requests and execute remote JavaScript. Each webshell requires a specific authentication key—resource.aspx uses “OWAwebconfig” and ConfigLogin.aspx uses “TUCSON”—and includes obfuscated use of the ‘unsafe’ context to evade security controls while executing attacker-supplied scripts. CISA’s YARA rule CISA_10430311_03 targets these ASPX webshells by matching multiple small string patterns and the webshell SHA256 values.
CISA provided the full set of IOCs and YARA rules for deployment: four SHA256 hashes, the four filenames, two C2 IP addresses, observed TCP port usage, and the three YARA rules for automated detection. Analysts should prioritize network egress monitoring to the listed IPs, memory/runtime detection for unencrypted in-memory payload execution, and scanning web servers for the ASPX filenames and authentication-key usage to identify potential compromise.
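The hunting steps described above, as an added example that is not code from the CISA report: a small Python script that matches constructed egress log lines against the two C2 addresses (noting when the observed port 58731 for 179[.]60[.]147[.]4 also matches) and checks web-server files for the webshell filenames and authentication keys. The log line format and the sample lines are assumptions.

```python
import re

# Indicators taken from the report summary above. The defanged "[.]" notation is
# written as plain dots here so the values compare directly against log fields.
C2_IPS = {
    "179.60.147.4": {"file": "bitmap.exe", "port": 58731},  # port observed in the report
    "108.62.118.160": {"file": "wkHPd.exe", "port": None},   # no port given in the report
}
# Webshell filename -> authentication key the report associates with it.
WEBSHELL_FILES = {"resource.aspx": "OWAwebconfig", "ConfigLogin.aspx": "TUCSON"}

# Constructed sample firewall/proxy log (hypothetical format: "ts src:port -> dst:port proto").
SAMPLE_EGRESS_LOG = """\
2023-09-07T10:01:02Z 10.0.0.5:49211 -> 179.60.147.4:58731 TCP
2023-09-07T10:01:05Z 10.0.0.5:49212 -> 93.184.216.34:443 TCP
2023-09-07T10:02:17Z 10.0.0.9:51000 -> 108.62.118.160:8443 TCP
2023-09-07T10:03:00Z 10.0.0.9:51001 -> 179.60.147.4:443 TCP
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")

def hunt_egress(log_text):
    """Return one hit per connection to a C2 address; port_match is True only when
    the report also gave a port for that address and it matches the log line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line in the assumed format; skip it
        ts, src, _sport, dst, dport, _proto = m.groups()
        ioc = C2_IPS.get(dst)
        if ioc is None:
            continue
        port_match = ioc["port"] is not None and int(dport) == ioc["port"]
        hits.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                     "linked_to": ioc["file"], "port_match": port_match})
    return hits

def hunt_webshell(filename, content):
    """Flag a web-server file by the known webshell filename and/or an embedded key.
    The report notes the webshells are obfuscated, so a plain key match is
    best-effort; treat the filename hit and CISA_10430311_03 as the primary signal."""
    reasons = []
    if filename in WEBSHELL_FILES:
        reasons.append("known webshell filename")
    for key in WEBSHELL_FILES.values():
        if key in content:
            reasons.append(f"authentication key {key!r}")
    return reasons
```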
Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-250a