Figure 1: CVE-2017-5638 campaign

The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable.

In the first days of this campaign, shell commands were observed to infect the machine with the “PowerBot” malware, which is written in PERL, and uses DDoS as its main functionality (also known as the PerlBot or Shellbot).

The typical infection tactic for the most commonly observed threat actors, who scan the Internet for web vulnerabilities as their attack strategy, has been to execute commands in several steps: downloading the malware from a remote server, setting it as executable (in the case of binary file), running the malware, and removing the initial infection file.

Conventionally, attack payloads have relied on already installed programs on the target server to download the malware, such as wget and curl. In this campaign, the attacker also leverages the less common “fetch” program as well as a special mode of the “wget”. By using the “wget –qO –“ options, the malware file is downloaded but is not actually written to a file on the disk. Instead, the content is redirected to the Perl interpreter for execution, minimizing the local detectable footprint.

Once the bot is in place, the infected server will connect to an IRC channel to retrieve commands from the botnet master, as shown in Figures 2 and 3. While joining the IRC, F5 researchers observed that the botnet has more than 2,500 victims at the time of this writing, including production servers. And this number is just for a single IRC channel.