Backdoor via XFF – Mysterious Threat Actor Under Radar
Common Information
Type | Value |
---|---|
UUID | f61e26b2-88ab-41f3-bd7d-1f4f2f7d3089 |
Fingerprint | 1953014558892ba9e371cd76b6ba22687d9c5e62f277bff2609fe8583b1860c4 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | June 14, 2022, 4:57 p.m. |
Added to db | March 11, 2024, 7:17 p.m. |
Last updated | Aug. 31, 2024, 1:42 a.m. |
Headline | Backdoor via XFF – Mysterious Threat Actor Under Radar |
Title | Backdoor via XFF – Mysterious Threat Actor Under Radar |
Detected Hints/Tags/Attributes | 146/2/114 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 58 | | cve-2019-0604 |
Details | Domain | 12 | | securityjoes.com |
Details | Domain | 1 | | www.intruder.io |
Details | Domain | 41 | | developer.mozilla.org |
Details | Domain | 1 | | hosthere.com |
Details | Domain | 360 | | attack.mitre.org |
Details | Domain | 4127 | | github.com |
Details | Domain | 397 | | asp.net |
Details | Domain | 224 | | unit42.paloaltonetworks.com |
Details | Domain | 83 | | xz.aliyun.com |
Details | Domain | 2 | | www.it145.com |
Details | Domain | 1 | | www.moregeek.xyz |
Details | Domain | 9 | | cloud.tencent.com |
Details | Domain | 34 | | xxx.xxx |
Details | Domain | 98 | | www.secureworks.com |
Details | Domain | 36 | | media.defense.gov |
Details | Domain | 36 | | news.softpedia.com |
Details | Domain | 261 | | blog.talosintelligence.com |
Details | Domain | 16 | | gitee.com |
Details | Domain | 30 | | www.php.net |
Details | Domain | 182 | | www.mandiant.com |
Details | Domain | 8 | | java.sun.com |
Details | Domain | 1 | | directive.page |
Details | Domain | 3 | | request.inputstream.read |
Details | Domain | 1 | | git.oschina.net |
Details | Domain | 831 | | example.com |
Details | Domain | 198 | | youtube.com |
Details | Domain | 3 | | youku.com |
Details | | 12 | | response@securityjoes.com |
Details | File | 20 | | login.aspx |
Details | File | 1 | | 2c9c048.php |
Details | File | 1 | | dc9b66ce0.php |
Details | File | 7 | | 1.py |
Details | File | 123 | | os.sys |
Details | File | 2 | | pack.php |
Details | File | 1 | | tunnel123.php |
Details | File | 1205 | | index.php |
Details | File | 2 | | csa_gru_global_brute_force_campaign_uoo158036-21.pdf |
Details | File | 1 | | index_all.php |
Details | File | 5 | | reg.php |
Details | File | 2 | | china-chopper-still-active-9-years-later.html |
Details | File | 1 | | simple_proxy.php |
Details | File | 43 | | www.php |
Details | File | 1 | | file-get-contents.php |
Details | File | 2 | | ssl.php |
Details | File | 1 | | 79439.html |
Details | File | 9 | | payload.php |
Details | File | 23 | | payload.dll |
Details | File | 1 | | payload.asp |
Details | Github username | 1 | | chora10 |
Details | Github username | 1 | | koalabearguo |
Details | Github username | 2 | | cowboy |
Details | Github username | 1 | | bclswl0827 |
Details | Github username | 1 | | yitd |
Details | Github username | 6 | | beichendream |
Details | Github username | 2 | | l-codes |
Details | Github username | 2 | | antswordproject |
Details | IPv4 | 30 | | 192.168.1.101 |
Details | MITRE ATT&CK Techniques | 14 | | T1590.005 |
Details | MITRE ATT&CK Techniques | 50 | | T1592 |
Details | MITRE ATT&CK Techniques | 86 | | T1059.004 |
Details | MITRE ATT&CK Techniques | 59 | | T1059.006 |
Details | MITRE ATT&CK Techniques | 245 | | T1203 |
Details | MITRE ATT&CK Techniques | 104 | | T1505.003 |
Details | MITRE ATT&CK Techniques | 585 | | T1083 |
Details | MITRE ATT&CK Techniques | 168 | | T1046 |
Details | MITRE ATT&CK Techniques | 534 | | T1005 |
Details | MITRE ATT&CK Techniques | 492 | | T1105 |
Details | MITRE ATT&CK Techniques | 442 | | T1071.001 |
Details | MITRE ATT&CK Techniques | 95 | | T1572 |
Details | MITRE ATT&CK Techniques | 130 | | T1573.001 |
Details | MITRE ATT&CK Techniques | 74 | | T1573.002 |
Details | MITRE ATT&CK Techniques | 152 | | T1090 |
Details | Threat Actor Identifier - APT | 522 | | APT41 |
Details | Threat Actor Identifier - APT | 783 | | APT28 |
Details | Url | 1 | | https://www.intruder.io/research/practical-http-header-smuggling |
Details | Url | 1 | | https://developer.mozilla.org/en-us/docs/web/http/headers/x-forwarded-for |
Details | Url | 2 | | https://attack.mitre.org/software/s0020 |
Details | Url | 1 | | https://www.cynet.com/attack-techniques-hands-on/china-chopper-observed-in-recent-ms-exchange-server-attacks |
Details | Url | 1 | | https://github.com/chora10/cknife |
Details | Url | 3 | | https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge |
Details | Url | 1 | | https://xz.aliyun.com/t/6701 |
Details | Url | 1 | | https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability |
Details | Url | 1 | | http://xxx.xxx.xx.xx |
Details | Url | 4 | | https://www.secureworks.com/research/samsam-ransomware-campaigns |
Details | Url | 1 | | https://media.defense.gov/2021/jul/01/2002753896/-1/- |
Details | Url | 1 | | https://github.com/koalabearguo/reverse-proxy-php |
Details | Url | 1 | | https://developer.mozilla.org/en-us/docs/web/http/headers/x-forwarded-for#selecting_an_ip_address |
Details | Url | 1 | | https://news.softpedia.com/news/new-made-in-china-web-shell-threatens-the-security-of-web- |
Details | Url | 1 | | https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html?m=1 |
Details | Url | 1 | | https://gitee.com/atwal/php-simple-proxy/blob/master/simple_proxy.php |
Details | Url | 1 | | https://github.com/cowboy/php-simple-proxy |
Details | Url | 1 | | https://github.com/bclswl0827/goagent-php/blob/master/index.php |
Details | Url | 2 | | https://attack.mitre.org/techniques/t1090 |
Details | Url | 1 | | https://www.php.net/manual/en/function.file-get-contents.php |
Details | Url | 1 | | https://www.php.net/manual/en/context.ssl.php |
Details | Url | 1 | | https://github.com/yitd/any-proxy |
Details | Url | 4 | | https://github.com/beichendream/godzilla |
Details | Url | 1 | | https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the- |
Details | Url | 1 | | https://www.it145.com/9/79439.html |
Details | Url | 1 | | https://www.moregeek.xyz/i/502400954959 |
Details | Url | 1 | | https://cloud.tencent.com/developer/article/1757147 |
Details | Url | 1 | | https://developer.mozilla.org/en-us/docs/web/http/headers/x-forwarded- |
Details | Url | 1 | | https://github.com/l-codes/neo-regeorg |
Details | Url | 1 | | http://java.sun.com/jsp/page\"><jsp:directive.page |
Details | Url | 1 | | http://git.oschina.net/atwal/php-simple-proxy |
Details | Url | 43 | | http://example.com |
Details | Url | 1 | | http://github.com/cowboy/php-simple-proxy |
Details | Url | 1 | | https://github.com/bclswl0827/goagent-php |
Details | Url | 1 | | https://github.com/antswordproject/antsword |
Details | Yara rule | 1 | | rule neo_regeorg_proxy (full rule listed below) |
Details | Yara rule | 1 | | rule any_proxy (full rule listed below) |
Details | Yara rule | 1 | | rule simple_php_proxy (full rule listed below) |
Details | Yara rule | 1 | | rule antSword_webshell (full rule listed below) |

Yara rules

```yara
rule neo_regeorg_proxy
{
    meta:
        author = "Charles Lomboni - Security Joes"
        description = "Rules to detect neo-reGeorg proxy tool"
        date = "June, 2022"
        reference = "https://github.com/L-codes/Neo-reGeorg"

    strings:
        $neo_regeorg_en = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        $neo_regeorg_de = "BASE64 CHARSLIST"
        $neo_regeorg_cmd = "X-CMD"
        $neo_regeorg_target = "X-TARGET"
        $neo_regeorg_error = "X-ERROR"
        $neo_regeorg_status = "X-STATUS"
        $neo_regeorg_phrase = "Georg says, 'All seems fine'"

        $neo_pass_php_1 = "if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200);"
        $neo_pass_php_2 = "$mark = substr($cmd,0,22);"
        $neo_pass_php_3 = "$cmd = substr($cmd, 22);"
        $neo_pass_php_4 = "$writebuf = \"writebuf\".$mark;"
        $neo_pass_php_5 = "$readbuf = \"readbuf\".$mark;"
        $neo_pass_php_6 = "$target_ary = explode(\"|\", base64_decode(strtr($headers["
        $neo_pass_php_7 = "$_SESSION[$writebuf] .= base64_decode(strtr($rawPostData, $de, $en));"

        $neo_pass_jspx_1 = "<jsp:root version=\"2.0\" mlns:jsp=\"http://java.sun.com/JSP/Page\"><jsp:directive.page contentType=\"text/html\"/><jsp:directive.page pageEncoding=\"UTF-8\" trimDirectiveWhitespaces=\"true\"/>"
        $neo_pass_jspx_2 = "return super.defineClass(b, 0, b.length);"
        $neo_pass_jspx_3 = "Class clazz = new U(this.getClass().getClassLoader()).g(clazzBytes);"
        $neo_pass_jsp_1 = "<%@page pageEncoding=\"UTF-8\" trimDirectiveWhitespaces=\"true\"%>"

        $neo_pass_aspx_1 = "public String StrTr(string input, string frm, string to) {"
        $neo_pass_aspx_2 = "String en = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";"
        $neo_pass_aspx_3 = "Uri u = new Uri(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(StrTr(rUrl, de, en))));"
        $neo_pass_aspx_4 = "request.Headers.Add(key, Request.Headers.Get(key));"
        $neo_pass_aspx_5 = "if((c = Request.InputStream.Read(buff, 0, buff.Length)) > 0) {"
        $neo_pass_aspx_6 = "String mark = cmd.Substring(0,22);"
        $neo_pass_aspx_7 = "String target_str = System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get("

    condition:
        ($neo_regeorg_en and $neo_regeorg_de and $neo_regeorg_cmd and $neo_regeorg_target and $neo_regeorg_error and $neo_regeorg_status and $neo_regeorg_phrase) or
        ($neo_pass_php_1 and $neo_pass_php_2 and $neo_pass_php_3 and $neo_pass_php_4 and $neo_pass_php_5 and $neo_pass_php_6 and $neo_pass_php_7) or
        (($neo_pass_jspx_1 or $neo_pass_jsp_1) and $neo_pass_jspx_2 and $neo_pass_jspx_3) or
        ($neo_pass_aspx_1 and $neo_pass_aspx_2 and $neo_pass_aspx_3 and $neo_pass_aspx_4 and $neo_pass_aspx_5 and $neo_pass_aspx_6 and $neo_pass_aspx_7)
}
```

```yara
rule any_proxy
{
    meta:
        author = "Charles Lomboni - Security Joes"
        description = "Rules to detect Any-Proxy tool"
        date = "June, 2022"
        reference = "https://github.com/yitd/Any-Proxy"

    strings:
        $anyproxy_post = "$_POST['Any-Proxy'], time()+3600*24*366);"
        $anyproxy_anyip_comment = { 2F 2F 24 61 6E 79 69 70 E5 80 BC E4 B8 BA 31 E5 8F 91 E9 80 81 E6 9C 8D E5 8A A1 E5 99 A8 49 50 E5 A4 B4 EF BC 8C E5 80 BC E4 B8 BA 32 E5 88 99 E5 8F 91 E9 80 81 E9 9A 8F E6 9C BA 49 50 EF BC 8C E5 80 BC E4 B8 BA 33 E5 8F 91 E9 80 81 E5 AE A2 E6 88 B7 E7 AB AF 49 50 EF BC 8C E4 BB 85 E5 9C A8 E9 83 A8 E5 88 86 E7 BD 91 E7 AB 99 E4 B8 AD E6 9C 89 E6 95 88 }
        $anyproxy_html = { E5 9C A8 E5 BD 93 E5 89 8D E9 93 BE E6 8E A5 E6 9C AB E5 B0 BE E8 BE 93 E5 85 A5 20 7E 71 20 E5 8F AF E4 BB A5 E9 80 80 E5 87 BA E5 BD 93 E5 89 8D E9 A1 B5 E9 9D A2 E5 9B 9E E5 88 B0 E9 A6 96 E9 A1 B5 3C 2F 70 3E 3C 70 3E E5 9C A8 E5 9F 9F E5 90 8D E5 90 8E E9 9D A2 E5 8A A0 E4 B8 8A E9 93 BE E6 8E A5 E5 9C B0 E5 9D 80 E5 8D B3 E5 8F AF E8 AE BF E9 97 AE EF BC 8C E5 A6 82 20 27 20 2E 20 24 68 74 74 70 73 20 2E 20 24 68 6F 73 74 20 2E 20 27 2F 68 74 74 70 3A 2F 2F 69 70 33 38 2E 63 6F 6D 2F }
        $anyproxy_powered = ">Powered by <a href=\"https://github.com/yitd/Any-Proxy\">Any-Proxy"
        $anyproxy_script_alert_ip = { 3C 73 63 72 69 70 74 3E 61 6C 65 72 74 28 27 E8 AF B7 E6 B1 82 E7 9A 84 69 70 E8 A2 AB E7 A6 81 E6 AD A2 EF BC 81 27 29 }
        $anyproxy_script_alert = { 3C 73 63 72 69 70 74 3E 61 6C 65 72 74 28 27 E8 AF B7 E6 B1 82 E7 9A 84 E5 9F 9F E5 90 8D E6 9C 89 E8 AF AF EF BC 81 27 29 }
        $anyproxy_array_comment = { 2F 2F E5 85 B3 E7 B3 BB E6 95 B0 E7 BB 84 E8 BD AC E6 8D A2 E6 88 90 E5 AD 97 E7 AC A6 E4 B8 B2 EF BC 8C E6 AF 8F E4 B8 AA E9 94 AE E5 80 BC E5 AF B9 E4 B8 AD E9 97 B4 E7 94 A8 3D E8 BF 9E E6 8E A5 EF BC 8C E4 BB A5 3B 20 E5 88 86 E5 89 B2 }
        $anyproxy_foreach_comment = { 2F 2F E5 A6 82 E6 9E 9C E8 BF 94 E5 9B 9E E5 88 B0 E5 AE A2 E6 88 B7 E7 AB AF 63 6F 6F 6B 69 65 E4 B8 8D E6 AD A3 E5 B8 B8 E5 8F AF E6 8A 8A E4 B8 8B E8 A1 8C E4 B8 AD E7 9A 84 24 72 6F 6F 74 20 2E 20 24 74 6F 70 E6 8D A2 E6 88 90 24 68 6F 73 74 }

    condition:
        all of them
}
```

```yara
rule simple_php_proxy
{
    meta:
        author = "Charles Lomboni - Security Joes"
        description = "Rules to detect Simple PHP Proxy tool"
        date = "June, 2022"
        reference = "https://github.com/cowboy/php-simple-proxy/"

    strings:
        $simple_php_proxy_git_osc = "git@osc"
        $simple_php_proxy_git_osc_url = "http://git.oschina.net/atwal/php-simple-proxy"
        $simple_php_proxy_comments = { E4 BC 98 E5 8C 96 E4 BF AE E6 94 B9 E7 82 B9 EF BC 9A E5 8A A0 E4 B8 8A E4 BA 86 E5 BC 82 E5 B8 B8 E5 A4 84 E7 90 86 EF BC 8C 62 61 73 65 75 72 6C E8 AE BE E7 BD AE EF BC 8C E4 BC 9A E6 9B B4 E5 AE 89 E5 85 A8 EF BC 8C E9 BB 98 E8 AE A4 E4 B8 BA 6A 73 6F 6E 70 E6 A0 BC E5 BC 8F }
        $simple_php_proxy_request_ex = "simple_proxy.php?url=http://example.com/"
        $simple_php_proxy_github = "http://github.com/cowboy/php-simple-proxy"
        $simple_php_proxy_config_comments = { E6 A0 B9 E6 8D AE E9 9C 80 E8 A6 81 E4 BF AE E6 94 B9 E4 B8 8B E9 9D A2 E7 9A 84 E9 85 8D E7 BD AE E9 A1 B9 EF BC 8C E9 85 8D E7 BD AE E9 A1 B9 E8 AF B4 E6 98 8E E8 A7 81 E4 B8 8A E9 9D A2 E7 9A 84 E8 AF B4 E6 98 8E E6 96 87 E5 AD 97 }

    condition:
        all of them
}
```

```yara
rule antSword_webshell
{
    meta:
        author = "Charles Lomboni - Security Joes"
        description = "Rules to detect antSword web shell"
        date = "June, 2022"
        reference = "https://github.com/AntSwordProject/antSword"

    strings:
        $antSword_cmd = "$cmd = @$_POST['ant'];"
        $antSword_pk = "$pk = <<<EOF"
        $antSword_rsa_begin = "-----BEGIN PUBLIC KEY-----"
        $antSword_rsa_end = "-----END PUBLIC KEY-----"

    condition:
        all of them
}
```