Patch Your WSO2: CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware

Trend Micro analyzes exploitation of CVE-2022-29464 in WSO2 products, which leads to web shell deployment and the installation of Linux-compatible Cobalt Strike beacons along with other malware. The campaign shows persistence across multiple products, uses web shells in authenticationendpoint paths, and communicates with a known C2 server on 179.60.150.29:4444. #WSO2 #CobaltStrike

Keypoints

  • The CVE-2022-29464 vulnerability in WSO2 products allows unrestricted file uploads and remote code execution (RCE) without user interaction, posing a critical risk.
  • Attackers abused web shells uploaded to WSO2 endpoints (notably authenticationendpoint) using JSP or WAR payloads to maintain persistence.
  • Post-compromise activity includes fetching auto.sh with a wget call and executing it to install a coinminer; the script is detected as a MALXMR trojan component.
  • A Linux-compatible Cobalt Strike beacon (207-byte ELF) was observed, establishing an outbound C2 to 179.60.150.29:4444, indicating active backdoor capabilities on infected Linux hosts.
  • Windows detections also appeared (Backdoor.Win64.COBEACON.SMA) and related tools like fscan were observed, suggesting mixed-platform targeting in the campaigns.
  • Threat actors exhibit persistence and reuse PoC artifacts, with a Metasploit module appearing shortly after disclosure, and notable ease of exploitation via public servers (Google/Shodan exposure).
  • Trend Micro emphasizes patching and applying mitigations from the WSO2 advisory to prevent rapid exploitation and further compromises in critical sectors.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability was exploited in the wild to achieve RCE via unrestricted file uploads. ‘CVE-2022-29464 being exploited in the wild since April, allowing unrestricted file uploads resulting in arbitrary remote code execution (RCE).’
  • [T1505.003] Web Shell – Web shells were installed by abusing the vulnerability, under multiple paths such as authenticationendpoint. ‘We observed the installation of web shells abusing the vulnerability.’
  • [T1059.004] Unix Shell – OS commands executed from the Java process, including wget and chmod. ‘The Execution Profile also shows the execution of OS commands from Java processes such as wget/chmod.’
  • [T1071.001] Web Protocols – C2 communication was observed when the Linux beacon connected to a remote callback/C2 server. ‘performs an outbound connection to the IP address 179.60.150.29:4444. Our analysis found that the IP address is a malicious Cobalt Strike callback destination and command and control (C&C) server.’
  • [T1496] Resource Hijacking – Coinminer payload installed and executed (MALXMR family) via the web shell chain. ‘a coinminer installer (detected by Trend Micro as Trojan.SH.MALXMR.UWELO)’.

Indicators of Compromise

  • [File/Path] Web shell and payload artifacts – //repository/deployment/server/webapps/authenticationendpoint/{6 Random letters}.jsp, //repository/deployment/server/webapps/authenticationendpoint/temp.jsp, //repository/deployment/server/webapps/authenticationendpoint/unit.jsp, and related WAR payloads – example values listed in the article
  • [File/Path] Web application payloads in WAR/JSP paths – //repository/deployment/server/webapps/{5 letters like HcTnA}.war, //repository/deployment/server/webapps/{5 letters like HcTnA}/WEB-INF/classes/metasploit/Payload.class, //repository/deployment/server/webapps/authenticationendpoint/{6 Random letters}.jsp
  • [File/Path] Temporary and beacon-related files – //tmp/LBcgqCymZQhm, //tmp/uCQeONYQ, C:\Windows\Temp\fscan.exe
  • [File/Path] Coinminer and miner-related files – /dev/shm/hezb, auto.sh, setup_c3pool_miner.sh
  • [SHA256] Known hashes – full list in the article
  • [URL] External endpoints – hxxp://13[.]94[.]40[.]162:8088/auto[.]sh, 179[.]60[.]150[.]29:4444
  • [IP] C2 and dropper destinations – 179.60.150.29:4444 (Cobalt Strike C2), 13.94.40.162:8088 (source of auto.sh)
  • [Process] LBcgqCymZQhm – Linux COBEACON backdoor process observed executing from the Java process
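The file-system artifacts above (random-letter JSPs in authenticationendpoint, five-letter WARs carrying metasploit/Payload.class) lend themselves to a host-side hunt. The following is an added example, not Trend Micro's or WSO2's code: it walks a WSO2 install root (assumed to be laid out as <WSO2_HOME>/repository/deployment/server/webapps) and flags the name patterns from the article plus JSPs that call process-execution APIs; the mixed-case heuristic for "random letters" and the constructed sample tree in demo() are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Layout relative to the WSO2 install root (assumed <WSO2_HOME>); the article
# saw JSP web shells under authenticationendpoint and random WARs beside it.
WEBAPPS = Path("repository/deployment/server/webapps")
AUTH_APP = WEBAPPS / "authenticationendpoint"
PAYLOAD_CLASS = Path("WEB-INF/classes/metasploit/Payload.class")
# Names from the article: temp.jsp, unit.jsp, or six random letters. Shipped
# WSO2 JSPs are lowercase, so mixed case in a six-letter name is the heuristic
# (assumption) that keeps legitimate files such as header.jsp out of the list.
SHELL_NAME = re.compile(r"^(temp|unit)\.jsp$|^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{6}\.jsp$")
RANDOM_WAR = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{5}(\.war)?$")
# Process-execution APIs a JSP web shell needs; the login pages never use them.
EXEC_API = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")

def scan_wso2_home(home: str) -> list[tuple[str, str]]:
    """Return sorted (reason, relative path) findings for one WSO2 install."""
    root = Path(home)
    findings = []
    auth_dir = root / AUTH_APP
    jsps = sorted(auth_dir.glob("*.jsp")) if auth_dir.is_dir() else []
    for jsp in jsps:
        rel = jsp.relative_to(root).as_posix()
        if SHELL_NAME.match(jsp.name):
            findings.append(("suspicious-jsp-name", rel))
        if EXEC_API.search(jsp.read_text(errors="ignore")):
            findings.append(("jsp-calls-exec", rel))
    webapps = root / WEBAPPS
    entries = sorted(webapps.iterdir()) if webapps.is_dir() else []
    for entry in entries:
        rel = entry.relative_to(root).as_posix()
        if RANDOM_WAR.match(entry.name):
            findings.append(("random-name-webapp", rel))
        if entry.is_dir() and (entry / PAYLOAD_CLASS).is_file():
            findings.append(("metasploit-payload-class", rel))
    return sorted(findings)

def demo() -> list[tuple[str, str]]:
    """Build a constructed sample install in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / AUTH_APP
        auth.mkdir(parents=True)
        (auth / "login.jsp").write_text("<%-- legitimate login page --%>")
        (auth / "header.jsp").write_text("<html>")          # benign six-letter name
        (auth / "temp.jsp").write_text("<% Runtime.getRuntime().exec(cmd); %>")  # marker only
        (auth / "QwErTy.jsp").write_text("<% new ProcessBuilder(cmd); %>")       # marker only
        war_dir = Path(tmp) / WEBAPPS / "HcTnA"
        (war_dir / PAYLOAD_CLASS).parent.mkdir(parents=True)
        (war_dir / PAYLOAD_CLASS).write_bytes(b"\xca\xfe\xba\xbe")
        (Path(tmp) / WEBAPPS / "HcTnA.war").write_bytes(b"PK")
        return scan_wso2_home(tmp)

if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:26} {path}")
```

Names that fall outside these patterns should still be diffed against a known-good deployment, since the scan is a hunt aid rather than a full baseline.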

Read more: https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html