Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.
MSTIC previously highlighted DEV-0322 activity related to attacks targeting the SolarWinds Serv-U software with 0-day exploit. As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts.
Our colleagues at Palo Alto Unit 42 have also highlighted this activity in their recent blog. We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. We would also like to thank our partners in Black Lotus Labs at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.
This blog shares what Microsoft has observed in the latest DEV-0322 campaign and inform our customers of protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.
MSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.
MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.
In this campaign, DEV-0322 was observed performing credential dumping using the following commands:
DEV-0322 also occasionally deployed a tool to specifically read security event logs and look for Event ID 4624 events. Next, their tool would collect domains, usernames, and IP addresses and write them to the file elrs.txt. They typically called this tool elrs.exe, and below is an example of how they would call it:
After gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module with the following command:
Installing custom IIS module
The gac.exe binary installs ScriptModule.dll into the Global Assembly Cache before using AppCmd.exe to install it as an IIS module. AppCmd.exe is a command line tool included in IIS 7+ installations used for server management. This module hooks into the BeginRequest IIS http event and looks for custom commands and arguments being passed via the Cookies field of the HTTP header.
Figure 1: Encoded request from the controller to the victim machine
The custom IIS module supports execution for cmd.exe and PowerShell commands. It also provides DEV-0322 with the ability to direct download and upload of files to and from a compromised IIS web server. The module also observes incoming authentication credentials and captures them; it then encodes these and writes them to the following path:
If this module receives the command “ccc,” it drops a file c:\windows\temp\ccc.exe. The file ccc.exe is a .NET program that launches cmd.exe with an argument and sends any output back to the controller.
Figure 2: the Base64-encoded ccc.exe contained inside the IIS module backdoor
Below is an example command from w3wp.exe process after ccc.exe is dropped:
Deploying Zebracon malware
In addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.
Subsequent commands are made to <ZimbraServer>/service/soap using an obtained authorization token (ZM_AUTH_TOKEN) to perform email operations on the threat actor-controlled mailbox, such as the following:
- Search email (e.g., <query>(in:\”inbox\” or in:\”junk\”) is:unread</query>)
- Read email
- Send email (e.g., Subject: [AutoReply] I’ve received your mail, I will check it soon!)
These operations are used by the Zebracon malware to receive commands from the DEV-0322-controlled mailbox.
Files related to the Zebracon Trojan have the following metadata:
- Company name:
- Synacor. Inc.
- File description:
- Zimbra Soap Suites
- Zimbra Soap Tools
- Internal name:
- Original filename:
Microsoft will continue to monitor DEV-0322 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.
Microsoft 365 Defender detections
Microsoft Defender Antivirus detects threat components as the following malware:
Endpoint detection and response (EDR)
Alerts with the following titles in the security center can indicate threat activity on your network:
- DEV-0322 Actor activity detected
- Malware from possible exploitation of CVE-2021-40539
The following alerts may also indicate activity associated with this threat. These alerts can be triggered by unrelated threat activity, but they are listed here for reference:
- ‘Zebracon’ high-severity malware was detected
- Anomaly detected in ASEP registry
Microsoft 365 Defender correlates any related alerts into incidents to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this DEV-0322 activity.
The threat and vulnerability management module in Microsoft Defender for Endpoint (included in Microsoft 365 Defender) provides insights related to CVE-2021-40539. Customers can find affected devices in their environment in the Microsoft 365 Defender portal and initiate the appropriate version update of the ManageEngine software. Customers can also use the hunting query included below to identify devices that might be vulnerable to CVE-2021-40539.
Microsoft Sentinel detections
The indicators of compromise (IoCs) included in this blog post are also available to Microsoft Sentinel customers through the Microsoft Emerging Threat Feed located in the Microsoft Sentinel Threat Intelligence blade. These can be used by customers for detection purposes alongside the hunting queries detailed below.
Advanced hunting queries
Microsoft Sentinel hunting queries
Name: DEV-0322 Command Line Activity November 2021
Description: This hunting query looks for process command line activity related to observed DEV-0322 activity as detailed in this blog post. It locates command lines that are used as part of the threat actor’s post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.
Name: DEV-0322 File Drop Activity November 2021
Description: This hunting query looks for file creation events related to observed DEV-0322 activity as detailed in this blog. The files this query hunts for are dropped as part of the threat actor’s post-exploitation activity. The query uses other additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.
In addition to these queries, there are equivalent queries that use the Microsoft Sentinel Information Model (MSIM) to look for the same activity. If you are using MSIM you can find these queries here:
Microsoft 365 Defender hunting queries
Name: Surface devices with the CVE-2021-40539 vulnerability
Description: Use this query to look for devices in your organization that are possibly vulnerable to CVE-2021-40539. Run query.
| where CveId == "CVE-2021-40539"
| project DeviceId, DeviceName, CveId, OSPlatform, SoftwareName, SoftwareVersion
Name: Hunt for suspicious dropped files post-exploitation
Description: Look for suspicious files dropped the the threat actor’s post-exploitation activity. Run query.
// Look for the specific files dropped by threat actor
let files = dynamic(["C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat ", "c:\\windows\\temp\\ccc.exe"]);
| where FileName endswith "elrs.exe" or FolderPath has_any (files)
// Increase the risk score of command accessing file also seen
| join kind=leftouter (DeviceProcessEvents
| where ProcessCommandLine contains "cmd /c elrs.exe") on DeviceId
| project-reorder Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName
Name: Hunt for command lines observed used by the DEV-0322 actor
Description: Look for suspicious command lines that are used as part of the threat actor’s post-exploitation activity. Run query.
// Look for command lines observed used by the threat actor
let cmd_lines = dynamic(['cmd.exe /c "wmic /node:redacted process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";', 'regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
// Look for static cmd lines and dynamic one using regex
| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV"
| summarize count(), FirstSeen=min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName, ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid
// Base risk score on number of command lines seen for each host
| extend RiskScore = count_
| project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
| extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName
Indicators of compromise (IOCs)