Prophet Spider group exploited a Citrix vulnerability to deploy Webshell

March 17, 2022

A malicious threat group known as Prophet Spider has exploited a critical flaw in Citrix ShareFile to compromise Microsoft Internet Information Services (IIS) web servers. According to recent reports, the application's administrators had not addressed the RCE vulnerability, but a patch is to be released soon after its exploitation by a threat actor.

The threat group has been updating its tactics, techniques, and procedures to exploit numerous critical web server flaws.

In addition, Prophet Spider has recently exploited the vulnerability tracked as CVE-2021-22941 to deploy a web shell that downloads additional malicious tools.

For initial intrusion, the threat group sends an HTTP POST request to the Internet Information Services server using the user agent python-requests version 2.26.0.

After successfully infiltrating the web server, the threat actors run specific commands to assess connectivity. Once connectivity is confirmed and they have established a foothold on the server, the threat actors perform a name lookup on a subdomain of a domain presenting itself as burpcollaborater[.]net.


Prophet Spider is recognised for exploiting already known critical flaws, which is how it compromised Citrix ShareFile.


In the last weeks of September last year, a relative path-traversal flaw in the ShareFile Storage Zones Controller, tracked by researchers as CVE-2021-22941, was disclosed so that it could be fixed before threat actors such as Prophet Spider exploited it. Researchers subsequently published a proof-of-concept exploit for the identified vulnerability.

Based on reports, the CVE allows threat actors to overwrite existing files on a target server by abusing upload parameters in an HTTP GET request. Moreover, some threat actors have built weaponised exploits for the RCE and have used them numerous times since October last year.
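An added example, not from the article or from any vendor tooling, of how a defender might sweep IIS access logs and DNS query names for the three indicators described above: the python-requests/2.26.0 user agent, relative path-traversal sequences in upload parameters of GET requests, and lookups of burpcollaborater[.]net subdomains. All log lines, paths and IP addresses are constructed samples; the upload path is a placeholder, not the real ShareFile endpoint.

```python
import re
from urllib.parse import unquote

SUSPECT_UA = "python-requests/2.26.0"
CALLBACK_DOMAIN = "burpcollaborater.net"   # written defanged in the article
TRAVERSAL = re.compile(r"\.\.[\\/]")       # "../" or "..\" after decoding

# Column order of the IIS W3C format assumed for the constructed sample:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) cs(Referer) sc-status  (IIS writes spaces in UA as '+')
FIELDS = ["date", "time", "s_ip", "method", "stem", "query", "port",
          "user", "c_ip", "ua", "referer", "status"]

def parse_iis_line(line):
    """Split one W3C log line into a dict; directives (#...) yield None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def iis_findings(line):
    """Return the names of indicators triggered by one IIS log line."""
    rec = parse_iis_line(line)
    if rec is None:
        return []
    found = []
    if rec["ua"] == SUSPECT_UA:
        found.append("python-requests-ua")
    # Decode twice: traversal may arrive percent-encoded (..%2f or %2e%2e).
    decoded = unquote(unquote(rec["query"]))
    if rec["query"] != "-" and TRAVERSAL.search(decoded):
        found.append("path-traversal-query")
    return found

def dns_findings(query_name):
    """True when a DNS query is for the callback domain or a subdomain of it."""
    name = query_name.rstrip(".").lower()
    return name == CALLBACK_DOMAIN or name.endswith("." + CALLBACK_DOMAIN)

# Constructed sample lines (not real telemetry; /sample/upload is a placeholder)
SAMPLE_IIS = [
    "2022-03-01 10:00:01 10.0.0.5 POST /sample/probe - 443 - 203.0.113.7 python-requests/2.26.0 - 200",
    "2022-03-01 10:00:09 10.0.0.5 GET /sample/upload uploadid=..%2f..%2fsample.aspx 443 - 203.0.113.7 python-requests/2.26.0 - 200",
    "2022-03-01 10:01:00 10.0.0.5 GET /index.html - 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) - 200",
]

if __name__ == "__main__":
    for line in SAMPLE_IIS:
        print(iis_findings(line), line.split()[4])
    print(dns_findings("abc123.burpcollaborater.net"))
```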

Experts revealed that Prophet Spider is an eCrime group operating since May 2017. It is known for gaining access to victims by exploiting vulnerable web servers, commonly through publicly disclosed flaws.

Prophet Spider is known for taking advantage of publicly disclosed server vulnerabilities to deliver numerous web shells. This recent incident implies that these threat actors are persistent and constantly evolve to adopt new exploit codes. Organizations should always patch their servers whenever a new update is available.
