Post-Exploitation Activities Observed from the Samsung MagicINFO 9 Server Flaw

This article summarizes limited exploitation activity against the Samsung MagicINFO 9 Server vulnerability, for which a proof-of-concept was released publicly in late April 2025. Although the product is widely installed, only three incidents, of varying sophistication, have been observed against MagicINFO 9 Server systems.

Key points

  • A publicly available proof-of-concept for a vulnerability in Samsung MagicINFO 9 Server version 21.1050.0 was released on April 30, 2025.
  • Huntress verified the exploit against versions 21.1050.0 and 21.1040.2 and detected active exploitation incidents in the wild.
  • Despite over 75 affected machines, only three separate exploitation incidents were recorded, with two showing organized and scripted attacker behavior.
  • Attackers downloaded srvany.exe and saved it on victim machines under the names php-cli.exe and php-fpm.exe, possibly as an obfuscation tactic.
  • Reconnaissance commands such as “cmd.exe /c whoami” and “cmd.exe /c arp -a” were used in less organized attack attempts.
  • Service installation attempts failed on the first host, as confirmed by system event logs, while the second host successfully ran the malicious service.
  • Administrators are urged not to expose MagicINFO servers to the internet: no patch was available at the time, and placing the servers behind a firewall reduces the attack surface.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Attackers used command-line commands such as “cmd.exe /c whoami” and “cmd.exe /c arp -a” for reconnaissance.
  • [T1035] Service Execution – Malicious service installation attempts using renamed executables like “php-cli.exe” and “php-fpm.exe” to run the payload were observed. (“The service failed to start… installed as user mode service”)
  • [T1105] Ingress Tool Transfer – Downloading executables from attacker-controlled domains such as “http://185.225.226[.]53/php_cli.exe” was used to transfer tools onto the victim machines.
  • [T1070] Indicator Removal on Host – The attackers attempted obfuscation by renaming downloaded executables, possibly to evade detection (“…named it as php-cli.exe … renamed it as php-fpm.exe”).

Indicators of Compromise

  • [URL] URLs hosting malicious executables – http://185.225.226[.]53/php_cli.exe, http://185.225.226[.]53/srvany.exe used by attackers to download payloads.
  • [File Paths and Hashes] Malicious service executables – C:\MagicInfo Premium\tomcat\bin\php-cli.exe (SHA-256: c9c464c872b539eee7481e15331b7a6c75f4ba1f24b64d9f36a70b87a164d122), C:\MagicInfo Premium\tomcat\bin\php-fpm.exe (SHA-256: abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1)
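As an added example (not code from the Huntress report), the following Python triage helper applies the indicators above to exported System event log records and to file contents. Event IDs 7045 (service installed) and 7000 (service failed to start) are the standard Windows Service Control Manager events; the dictionary field names and the sample events are constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Indicators taken from the report: the renamed srvany.exe copies and the
# MagicINFO directory they were dropped into.
MAGICINFO_BIN = PureWindowsPath(r"C:\MagicInfo Premium\tomcat\bin")
KNOWN_SHA256 = {
    "c9c464c872b539eee7481e15331b7a6c75f4ba1f24b64d9f36a70b87a164d122": "php-cli.exe",
    "abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1": "php-fpm.exe",
}
SUSPECT_NAMES = {"php-cli.exe", "php-fpm.exe", "srvany.exe"}


def match_known_binary(data: bytes) -> Optional[str]:
    """Return the reported IoC file name if the bytes hash to a known SHA-256, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


def triage_service_events(events: Iterable[Dict]) -> List[str]:
    """Walk System log records (as dicts) in order and report suspicious service activity.

    A 7045 whose ImagePath is a suspect name or lives under the MagicINFO tomcat\\bin
    directory is flagged; a later 7000 for that same service mirrors the failed
    installation the report observed on the first host.
    """
    findings: List[str] = []
    flagged: Dict[str, str] = {}  # service name -> image path
    for ev in events:
        name = ev.get("ServiceName", "")
        if ev.get("EventID") == 7045:
            # ImagePath is often quoted because the directory name contains a space.
            image = PureWindowsPath(ev.get("ImagePath", "").strip('"'))
            if image.name.lower() in SUSPECT_NAMES or MAGICINFO_BIN in image.parents:
                flagged[name] = str(image)
                findings.append(f"service {name!r} installed with ImagePath {image}")
        elif ev.get("EventID") == 7000 and name in flagged:
            findings.append(f"service {name!r} failed to start (install attempt only)")
    return findings


# Constructed sample records shaped like exported System log events; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Tomcat9", "ImagePath": r"C:\Program Files\Apache\bin\tomcat9.exe"},
    {"EventID": 7045, "ServiceName": "php", "ImagePath": r'"C:\MagicInfo Premium\tomcat\bin\php-cli.exe"'},
    {"EventID": 7000, "ServiceName": "php"},
]

if __name__ == "__main__":
    for finding in triage_service_events(SAMPLE_EVENTS):
        print(finding)
```

Path comparison is case-insensitive because PureWindowsPath is used, so a record written as c:\magicinfo premium\... still matches the directory check.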


Read more: https://www.huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw
