{"id":101178,"date":"2021-11-08T16:24:55","date_gmt":"2021-11-09T00:24:55","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=101178"},"modified":"2025-06-25T03:21:52","modified_gmt":"2025-06-25T10:21:52","slug":"threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/08\/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus\/","title":{"rendered":"Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus"},"content":{"rendered":"\n

Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539<\/a> in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.<\/p>\n\n\n\n

MSTIC previously highlighted DEV-0322 activity related to attacks targeting the SolarWinds Serv-U software with 0-day exploit<\/a>. As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts.<\/p>\n\n\n\n

Our colleagues at Palo Alto Unit 42 have also highlighted this activity in their recent blog<\/a>. We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. We would also like to thank our partners in Black Lotus Labs<\/a> at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.<\/p>\n\n\n\n

This blog shares what Microsoft has observed in the latest DEV-0322 campaign and inform our customers of protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.<\/p>\n\n\n\n

MSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.<\/p>\n\n\n\n

Activity description<\/h2>\n\n\n\n

MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.<\/p>\n\n\n\n

Credential dumping<\/h3>\n\n\n\n

In this campaign, DEV-0322 was observed performing credential dumping using the following commands:<\/p>\n\n\n\n

\"Screenshot<\/figure>\n\n\n\n

DEV-0322 also occasionally deployed a tool to specifically read security event logs and look for Event ID 4624 events. Next, their tool would collect domains, usernames, and IP addresses and write them to the file elrs.txt<\/em>. They typically called this tool elrs.exe<\/em>, and below is an example of how they would call it:<\/p>\n\n\n\n

\"Screenshot<\/figure>\n\n\n\n

After gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module with the following command:<\/p>\n\n\n\n

\"Screenshot<\/figure>\n\n\n\n

Installing custom IIS module<\/h3>\n\n\n\n

The gac.exe<\/em> binary installs ScriptModule.dll<\/em> into the Global Assembly Cache before using AppCmd<\/em>.exe<\/em> to install it as an IIS module. AppCmd.exe<\/em> is a command line tool included in IIS 7+ installations used for server management. This module hooks into the BeginRequest IIS http event and looks for custom commands and arguments being passed via the Cookies field of the HTTP header.<\/p>\n\n\n\n

\"Screenshot<\/figure>\n\n\n\n

Figure 1: Encoded request from the controller to the victim machine<\/em><\/p>\n\n\n\n

The custom IIS module supports execution for cmd.exe<\/em> and PowerShell commands. It also provides DEV-0322 with the ability to direct download and upload of files to and from a compromised IIS web server. The module also observes incoming authentication credentials and captures them; it then encodes these and writes them to the following path:<\/p>\n\n\n\n

C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat<\/em><\/p>\n\n\n\n

If this module receives the command \u201cccc,\u201d it drops a file c:\\windows\\temp\\ccc.exe<\/em>. The file ccc.exe<\/em> is a .NET program that launches cmd.exe<\/em> with an argument and sends any output back to the controller.<\/p>\n\n\n\n

\"Screenshot<\/figure>\n\n\n\n

Figure 2: The Base64-encoded ccc.exe contained inside the IIS module backdoor<\/em><\/p>\n\n\n\n

Below is an example command from w3wp.exe<\/em> process after ccc.exe is<\/em> dropped:<\/p>\n\n\n\n

\"c:\\windows\\temp\\ccc.exe\" dir<\/code><\/p>\n\n\n\n

Deploying Zebracon malware<\/h3>\n\n\n\n

In addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64\/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.<\/p>\n\n\n\n

Subsequent commands are made to <ZimbraServer>\/service\/soap<\/em> using an obtained authorization token (ZM_AUTH_TOKEN) to perform email operations on the threat actor-controlled mailbox, such as the following:<\/p>\n\n\n\n