Analyzing Oracle WebLogic attack

Recently we received an alert from our WAF about an attack on our environment.
Further review of the alert showed that the attacker was using the Oracle WebLogic RCE deserialization vulnerability (CVE-2018-2628).

We observed that the attacker included some sort of PowerShell command in their request:

It seems the PowerShell command is Base64-encoded for obfuscation.
I used https://gchq.github.io/CyberChef/ to decode the Base64:

It seems it tried to fetch a file named DL.php from http://111.230.229.226/images/test/DL.php.
Let's try to grab that file:

Hmm... Error 404? Is it a real error,
or are we missing something here?

Let's analyze the command carefully:

We can see that the attacker sets a specific User-Agent when fetching the file.
That's why the download failed when we tried to wget/curl the file directly.

So what we have to do is set exactly the same User-Agent when fetching the file.
In this case, I'm using curl to fetch the file:

See? Previously, fetching the file without that User-Agent failed with error 404.
Again, we see another Base64-encoded blob here.

But what is it?
I'm not an expert at explaining this, but TL;DR: it converts the Base64-encoded string to a memory stream and executes it. I guess ¯\_(ツ)_/¯

So, to see what happens if this command executes, we can use the Python script below to decode it.
With this script, we can basically see what those Base64 blobs are doing.

Take the Base64 from above and paste it into the encoded parameter, as in the example below:

Save the script and run it with the command below:

This will save all the output from your CMD to a text file for easier reading.
P/S: You can rename output_DL_php.txt to any filename you want.
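As an added example (not the author's script, which is the decrypt.py linked in the references and not shown on this page), here is a self-contained Python decoder that covers both decoding steps in this post: the UTF-16LE Base64 argument of -EncodedCommand that CyberChef handled above, and the nested FromBase64String blob that the loader feeds through a MemoryStream/GzipStream. It peels the layers recursively and pulls URLs out of each decoded layer so the stage-two location and its host stand out for IOC extraction. The sample command is constructed inline with a harmless inner script and a TEST-NET address (198.51.100.7); the loader shape, the regex length threshold and all function names are my assumptions, not values taken from the captured payload.

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional

# Constructed sample: a harmless inner script with a TEST-NET URL, wrapped the way
# PowerShell droppers commonly are (gzip + Base64 inside a MemoryStream/GzipStream
# loader, then the whole loader Base64-encoded as UTF-16LE for -EncodedCommand).
INNER_SCRIPT = (
    "$url = 'http://198.51.100.7/images/test/DL.php'\n"
    'Write-Output "stage two would be fetched from $url"'
)

# Runs of Base64 alphabet at least 40 chars long (threshold is an assumption that
# skips ordinary identifiers while catching real payload blobs).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def build_sample_loader(inner: str) -> str:
    """Constructed loader string mimicking the MemoryStream/GzipStream pattern."""
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    return (
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        f"(New-Object IO.MemoryStream(,[Convert]::FromBase64String('{gz_b64}'))),"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
    )


def build_sample_command(inner: str) -> str:
    """Constructed -EncodedCommand invocation: loader as UTF-16LE, then Base64."""
    enc = base64.b64encode(build_sample_loader(inner).encode("utf-16le")).decode()
    return f"powershell.exe -nop -w hidden -enc {enc}"


def _try_decompress(data: bytes) -> Optional[bytes]:
    """Undo gzip (GzipStream), raw deflate (DeflateStream) or zlib; None if not compressed."""
    if data[:2] == b"\x1f\x8b":
        try:
            return gzip.decompress(data)
        except (OSError, EOFError):
            pass
    for wbits in (-15, 15):  # raw deflate, then zlib-wrapped
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            pass
    return None


def _decode_text(raw: bytes) -> Optional[str]:
    """-EncodedCommand payloads are UTF-16LE (null high bytes); nested blobs are UTF-8."""
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        try:
            return raw.decode("utf-16le")
        except UnicodeDecodeError:
            return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def _looks_like_text(text: str) -> bool:
    return bool(text) and all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_powershell(command: str, max_depth: int = 8) -> List[str]:
    """Peel Base64 (and compression) layers; returns decoded layers, outermost first."""
    layers: List[str] = []
    current = command
    for _ in range(max_depth):
        decoded_layer = None
        # Longest candidate first: the payload blob dwarfs any incidental match.
        for blob in sorted(B64_RE.findall(current), key=len, reverse=True):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            inflated = _try_decompress(raw)
            text = _decode_text(inflated if inflated is not None else raw)
            if text is not None and _looks_like_text(text):
                decoded_layer = text
                break
        if decoded_layer is None:
            break
        layers.append(decoded_layer)
        current = decoded_layer
    return layers


def extract_urls(layers: List[str]) -> List[str]:
    """Collect every URL seen in any decoded layer (candidate IOCs)."""
    return sorted({url for layer in layers for url in URL_RE.findall(layer)})


if __name__ == "__main__":
    sample = build_sample_command(INNER_SCRIPT)
    found = decode_powershell(sample)
    for depth, layer in enumerate(found, 1):
        print(f"--- layer {depth} ---\n{layer}\n")
    print("URLs:", extract_urls(found))
```

Run it as-is to see the two layers recovered from the constructed sample, or call `decode_powershell()` on a real captured command string (everything after `-enc`/`-EncodedCommand` included) and `extract_urls()` on the result. Compression is attempted before text decoding because a gzip or deflate body never decodes cleanly as text, so the order costs nothing and handles both GzipStream and DeflateStream loaders; if a layer fails to decode, the loop stops and you get whatever layers were recovered so far rather than an exception.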

Let's see what's inside the text file:

As you can see, the command does a bunch of stuff that I'm too lazy to explain 😉
Hope you enjoy reading this.

IOCs:

References:
https://gist.githubusercontent.com/strazzere/5faa709a3db9e1dcf3b5/raw/42b98a918bac3725934bcfa3087ac5936d9b88d1/decrypt.py
http://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/
