Hello, welcome to the Tuesday, July 10th, 2018 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich and the day I'm recording from Jacksonville, Florida.

Renato has been keeping his Web Logic Honeypot up and running, but so far he really hasn't

gotten much else than crypto miners and

he has already written about this well until earlier this week when he actually got a sort

of interesting reverse shell that infected his honeypot.

It used to standard Weblogic exploit, nothing really all too fancy about it, but then it

does upload an Elf binary that implements the back door.

This particular backdoor connects back to a command and control server on Port 630, which

is certainly an odd port and, well, not all that stealthy.

It connects back to a host in China, and so far it actually looks like most of the exploit attempts

that used this type of backdoor were launched from China, and according to a virus total probably came from the same

actor. Now talking about virus total. Virus total or better the anti-malware engine it's

using, they didn't recognize this particular sample. Now once the connection is established, then the attacker has the ability to launch arbitrary

commands.

One interesting titbit here is that the host, the compromised host, actually authenticated

to this reverse shell, so to the command control server.

However, it uses the password replace with your password.

So apparently components were reused here without making even minimal adjustments.

At this point, Renato hasn't really seen any commands being executed via this reverse shell.

Now, sort of interesting, the malware first checks the time zone file, also checks for the presence of a specific dot-h file.

I'm not really sure what that dot-h file is about could be part of the malware,

...