
Dama (Exploit Kit) – Malware

June 7, 2024

Dama

Type of Malware

Exploit Kit

Country of Origin

China

Date of initial activity

2023

Motivation

Data Theft

Attack vectors

Exploitation of Software Vulnerabilities

Targeted systems

Linux

Type of Information Stolen

Browser Data
Communication Data
Corporate Data
Financial Information
Personal Identifiable Information (PII)
System Information

Overview

Dama is a recently discovered malware family targeting ThinkPHP applications, and it illustrates a troubling pattern: old, well-known vulnerabilities exploited with comparatively advanced tooling. Identified by Akamai researchers, Dama is deployed through CVE-2018-20062 and CVE-2019-9082, flaws known since 2018 that attackers continue to exploit to compromise and control targeted servers. Dama stands out for both its capabilities and its origin. Written in Chinese, with a user interface in Traditional Chinese, it lets attackers navigate the file system, upload files, scan networks and gather system data. Its measures for hiding its presence and activity point to operators who are capable on both the technical and the operational side of intrusions.

Targets

  • ThinkPHP applications: specifically those vulnerable to CVE-2018-20062 and CVE-2019-9082, which allow remote code execution on the affected servers.
  • Organizations and data centers: the malware targets organizations that run ThinkPHP-based content management systems or applications, aiming to take control of their servers for further exploitation.
  • Web servers and infrastructure: attackers use the malware to install backdoors on compromised servers, which can then be used to spread within the victim’s network or to enlist the server in broader attack infrastructure.

How they operate

Dama capitalizes on two critical vulnerabilities in ThinkPHP, CVE-2018-20062 and CVE-2019-9082. Both were disclosed several years ago and both allow remote code execution on affected servers. Exploiting them gives the attackers their initial, unauthorized foothold.

The operation begins with the exploited server retrieving obfuscated code from another compromised ThinkPHP server. That code drops the malicious payload on the victim system, typically as a file named “roeter.php”, a misspelling of “router”. Once installed, the payload sets up a web shell, which is the component actually known as Dama, giving the attackers persistent, continuous control over the infected host. The web shell supports file system navigation, file editing and deletion, and file upload to the server, so the attackers can keep manipulating the compromised system. Obfuscation, including ROT13 encoding of the shell code, helps it evade detection and slows analysis.

Deployment relies on a network of compromised servers, often on infrastructure hosted with cloud providers such as Zenlayer. These servers, located primarily in Hong Kong, act as nodes in the attacker’s infrastructure, obscuring the origin of the attack and making it harder for defenders to pinpoint and mitigate the threat. Because the traffic blends in with legitimate cloud operations, identifying and eradicating the threat is harder still.

Dama’s capabilities go beyond initial exploitation. It includes features for privilege escalation, network scanning and data access. It can bypass disabled PHP functions to escape the PHP sandbox and execute commands directly on the server, and it can scan network ports and access databases, which may enable further lateral movement within the victim’s network.
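The two host-level indicators this section names, a dropped file called “roeter.php” and PHP code wrapped in ROT13, can be checked for with a simple web-root scan. The following script is an added example, not code from the page or from Akamai; the file contents it scans are constructed here for illustration, and the list of PHP execution tokens it looks for in decoded strings is an assumption.

```python
import codecs
import re
import tempfile
from pathlib import Path

# Indicators this page reports: a dropped "roeter.php" and ROT13-wrapped code.
SUSPECT_FILENAME = "roeter.php"
# PHP execution tokens a ROT13 wrapper typically hides (assumed list).
HIDDEN_TOKENS = ("eval", "system", "shell_exec", "passthru", "base64_decode")
# Quoted string literals long enough to hold an encoded statement.
QUOTED = re.compile(r"""['"]([A-Za-z0-9_$(){}; =\\/.\-]{8,})['"]""")
# Constructed samples: a harmless router and a Dama-style ROT13 dropper.
BENIGN_PHP = "<?php\nfunction route($uri) { return str_rot13('abc'); }\n"
MALICIOUS_PHP = "<?php\n$payload = 'riny($k);';\neval(str_rot13($payload));\n"

def rot13_findings(source: str) -> list[str]:
    """Return ROT13-decoded string literals that reveal PHP execution tokens."""
    hits = []
    for match in QUOTED.finditer(source):
        decoded = codecs.decode(match.group(1), "rot_13")
        if any(tok in decoded for tok in HIDDEN_TOKENS):
            hits.append(decoded)
    return hits

def scan_php_file(path: Path) -> dict:
    """Classify one file by its name, an eval(str_rot13(...)) shape and decoded literals."""
    text = path.read_text(errors="replace")
    return {
        "path": str(path),
        "suspect_name": path.name == SUSPECT_FILENAME,
        "rot13_into_eval": re.search(r"eval\s*\(\s*str_rot13", text) is not None,
        "decoded_tokens": rot13_findings(text),
    }

def suspicious(report: dict) -> bool:
    return report["suspect_name"] or report["rot13_into_eval"] or bool(report["decoded_tokens"])

def scan_webroot(root: Path) -> list[dict]:
    """Scan every PHP file under root and keep the ones that trip an indicator."""
    reports = [scan_php_file(p) for p in sorted(root.rglob("*.php"))]
    return [r for r in reports if suspicious(r)]

def demo() -> list[dict]:
    """Write the constructed samples to a temporary web root and scan it."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "router.php").write_text(BENIGN_PHP)
    (root / SUSPECT_FILENAME).write_text(MALICIOUS_PHP)
    return scan_webroot(root)
```

Point `scan_webroot` at a real document root to triage it; a benign `str_rot13` call on short strings is not flagged, only the filename, the eval-of-ROT13 shape, or a decoded literal exposing an execution token.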

MITRE Tactics and Techniques

  • Initial Access: Exploit Public-Facing Application (T1190): the malware exploits vulnerabilities in ThinkPHP applications (CVE-2018-20062 and CVE-2019-9082) to gain initial access.
  • Execution: Command-Line Interface (T1059): although Dama does not have a CLI for executing OS shell commands, it facilitates command execution via its web interface.
  • Persistence: Web Shell (T1505): the malware installs a web shell on the compromised server, allowing persistent access and control.
  • Privilege Escalation: Exploitation for Privilege Escalation (T1068): the malware uses its web shell to interact with the system and potentially escalate privileges.
  • Defense Evasion: Obfuscated Files or Information (T1027): the malware uses obfuscation techniques, such as ROT13 encoding, to hide its web shell code and avoid detection.
  • Credential Access: Credential Dumping (T1003): although not explicitly detailed in the initial findings, web shells typically enable attackers to access and extract credentials.
  • Discovery: Network Service Scanning (T1046): the malware’s web shell can perform network scanning to identify other systems and services within the network.
  • Command and Control: Standard Application Layer Protocol (T1071): the malware may communicate with its command and control server over standard web protocols, such as HTTP.
  • Impact: Data Encrypted for Impact (T1486): the malware might be used as part of a broader attack campaign involving data encryption or other impact techniques.

References

  • Akamai, 2024: Old CVEs, New Targets — Active Exploitation of ThinkPHP