Prophet Spider Exploits Citrix ShareFile to Deploy Webshell

Christian Taillon
4 min readMar 18, 2022
Photo by Rafael Garcin on Unsplash

The adversary group nicknamed Prophet Spider by Crowdstrike has chosen a new vulnerability to include in its exploitation tool kit. This group has been observed leveraging CVE-2021–22941 to deploy an open-source webshell pulled from GitHub. Occasionally, Prophet Spider compromises have resulted in Ransomware infections. In the past, compromises conducted by Prophet Spider have resulted in Ransomware outbreaks. Additionally, adversary objectives frequently include obtaining valid credentials. It is believed that the group has before or currently operates as an access broker; selling access to compromised systems for a price, perhaps even a portion of the ransomware payment.

Recent activity from this group involved resources used in attacks prior to current campaigns (at least WebLogic and Log4j). This suggests that while this group's capabilities are mature, they may reuse infrastructure to some extent — providing blue team defenders an opportunity to potentially disrupt future attacks.

Graph of Prophet Spider’s used Infrastructure

Who

Prophet Spider, like other Spider groups, is an eCriminal adversary group. Campaigns from this group have been observed as early as May 2017. This group focuses on compromising external and vulnerable web services. They are well known to abuse known public vulnerabilities, particularly those with an existing Proof-of-Concept. They have been observed exploiting recent and old vulnerabilities and have used SQL injection attacks. Their targets include Linux and Windows systems.

Unlike other adversaries groups, it does not appear that this group leverages other typical tactics such as password spraying, phishing, trojans/malvertising, or drive-by-downloads (Dark Reading, Prophet Spider Exploits WebLogic CVEs to Enable Ransomware Attacks).

What

In the most recently observed campaigns, attempts to exploit Citrix ShareFile (CVE-2021–22941) were observed. Organizations can remediate this vulnerability by updating their Citrix ShareFile storage zone controller to 5.11.20 or later.

Detections for this activity have also been developed by Emir Erdogan and are available on SOC Prime.

While this group has used many exploits in the past, some recent ones still in use include (CVE-2020–14750, CVE-2020–14882 CVE-2021–26084, CVE-2021–22941)

Graph Generated by chandanbn’s cvss Score Calculator

Why

This group does not seem to maintain its own ransomware nor is it an affiliate member of another Ransomware-as-a-Service (RaaS) as far as we can tell. However, it has been observed that compromises by this group have lead to ransomware attacks in the past. Egregor and MountLocker ransomware are two such malware that compromises from this group have resulted in.

Tactical Intelligence

Tools, Tactics, and Techniques

1. Open Source WebShell: https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1
2. Wget
3. Winn.exe
4. GOTROJ remote access trojan

MITER ATT&CK

Initial Access

T1190: Exploit Public Facing Application

Execution

T1059.001: Command and Scripting Interpreter: PowerShell

Persistence

T1505.003: Server Software Component: Web Shell

Command and Control

T1071: Application Layer Protocol

Command and Control

T1105: Ingress Tool Transfer

Observed Tactics noted by Crowdstrike research.

Indicators of Attack:

188.119.149[.]160 [attacking exploit]

Indicators of Compromise:

45.61.136[.]39:443 [file hosting]

107.181.187[.]184:4242 [shell callback]

Invoke-ConPtyShell.ps1 from https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell

Possible Mitigation Steps to Consider:

  • Consider reviewing for activity from provided IP address (note that these IPs have been used in campaigns prior to the observed ShareFile exploitation, so historical connections could be related to other adversaries)
  • Consider monitoring for wget commands pulling files from githubusercontent
  • Ensure patches for CVE-2020–14750, CVE-2020–14882, CVE-2021–26084, CVE-2021–22941 are applied.
  • The adversary used a burpcollaborator[.]net token. This is a part of BurpSuite and, while not malicious, may be unexpected in your environment which may provide additional detection/disruption opportunities.
  • The adversary will continue to evolve their list of used exploits, quick patching reduces future risk of compromise from this adversary and groups like them.

Contributors

Special thanks to Mike Manrod and Jorge Trevino for contributions, collaboration, and editing.

References and Additional Resources

Prophet Spider Exploits WebLogic CVEs to Enable Ransomware Attacks

PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity

PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021–22941 to Deliver Webshell

Log4J: BlackBerry finds Prophet Spider access broker exploiting VMware Horizon

IAB Prophet Spider Seizes Opportunity to Exploit Log4j Vulnerability

--

--

Christian Taillon

A cyber nerd who believes that you don’t have to work at the same company to be on the same team.