Description of Campaign
Advanced persistent threat (APT) actors are suspected to be behind attacks on organizations and infecting systems with the Dingo J-spy webshell. The actors take advantage of flaws in VMware applications classified under CVE-2022-22954 and CVE-2022-22960. The vulnerabilities are due to server-side template injection and improper permissions in support scripts and result in privilege escalation and arbitrary code execution.

Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by CISA and shared publicly.

How to use this article:

1. Scroll down and review the Product Countermeasures section of this article. Consider implementing them if they are not already in place.
2. Review the following articles:
   • KB87843 - Dynamic Application Containment rules and best practices
   • KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event 

Threat Hunting

YARA	rule dingo_jspy_webshell { strings: $string1 = "dingo.length" $string2 = "command = command.trim" $string3 = "commandAction" $string4 = "PortScan" $string5 = "InetAddress.getLocalHost" $string6 = "DatabaseManager" $string7 = "ExecuteCommand" $string8 = "var command = form.command.value" $string9 = "dingody.iteye.com" $string10 = "J-Spy ver" $string11 = "no permission ,die" $string12 = "int iPort = Integer.parseInt" condition: filesize < 50KB and 12 of ($string*) }
YARA	rule Godzilla_Webshell { strings: $string1 = "TomcatListenerMemShellFromThread" $string2 = "String xc =" $string3 = "String pass =" $string4 = "ServletRequestListener" $string5 = "cmds = new String" $string6 = "cmd" $string7 = "bin/bash" $string8 = "getInputStream" $string9 = "javax.crypto.Cipher c = javax.crypto.Cipher.getInstance" $string10 = "godzilla" condition: filesize < 20KB and 10 of ($string*) }
YARA	rule Tomcatjsp_Webshell { strings: $string1 = "ExecShellCmd" $string2 = "stCommParams" $string3 = "nKeyOffset = EncryptData" $string4 = "InputStream is = process.getInputStream" $string5 = "Process process = Runtime.getRuntime" $string6 = "ExecBinary" $string7 = "byte bzKey" $string8 = "nKeyOffset++" $string9 = "HttpServletRequest request, HttpServletResponse response" $string10 = "connect_test cmd" $string11 = "exec cmd" $string12 = "file upload" condition: filesize < 25KB and 12 of ($string*) }
YARA	rule reversesocks_tool { md5 = "dc88c5fe715b5f706f9fb92547da948a" strings: $string1 = "revsocks" $string2 = "-connect" $string3 = "client:8080 -pass test" $string4 = "RSA TESTING KEY" $string5 = "SETTINGS_MAX_CONCURRENT_STREAMS" $string6 = "Start on the server:" $string7 = "closing connection" $string8 = "socks 127.0.0.1:1080" $string9 = "revsocks -listen :8080" condition: uint16(0) == 0x457F and filesize < 6MB and 8 of ($string*) }

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check Trellix Insights for the latest IOCs.
 
Campaign IOC

Type	Value
IP-DST	136.243.75.136
IP-DST	84.38.133.149
IP-DST	160.20.145.225
URL	http://84.38.133.149/img/icon.gif

Minimum set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Advanced Threat Protection: