Hackers attack HFS servers to drop malware and Monero miners

Hackers are targeting older versions of the HTTP File Server (HFS) from Rejetto to drop malware and cryptocurrency mining software.

Threat researchers at security company AhnLab believe that the threat actors are exploiting CVE-2024-23692, a critical-severity security issue that allows executing arbitrary commands without the need to authenticate.

The vulnerability affects versions of the software up to and including 2.3m. In a message on their website, Rejetto warns users that versions 2.3m through 2.4 are “dangerous and should not be used anymore” because of a bug that lets attackers “control your computer,” and a fix has yet to be found.

Rejetto HFS
Rejetto HFS 2.3m
Source: ASEC

Observed attacks

AhnLab SEcurity Intelligence Center (ASEC) observed attacks on version 2.3m of HFS, which continues to be very popular among individual users, small teams, educational institutions, and developers that want to test file sharing over a network.

Because of the targeted software version, the researchers believe that attackers are exploiting CVE-2024-23692, a vulnerability discovered by security researcher Arseniy Sharoglazov last August and disclosed publicly in a technical report in May this year.

CVE-2024-23692 is a template injection vulnerability that allows unauthenticated remote attackers to send a specially crafted HTTP request to execute arbitrary commands on the affected system.

Soon after the disclosure, a Metasploit module and proof of concept exploits became available. According to ASEC, this is around the time exploitation in the wild started.

The researchers say that during the attacks the hackers collect information about the system, install backdoors and various other types of malware.

Attackers execute commands like “whoami” and “arp” to gather information about the system and the current user, discover connected devices, and generally plan subsequent actions.

Malicious activity conducted through the HFS process
Malicious activity conducted through the HFS process
Source: ASEC

In many cases, the attackers terminate the HFS process after they add a new user to the administrators’ group, to prevent other threat actors from using it.

In the next phases of the attacks, ASEC observed the installation of the XMRig tool for mining Monero cryptocurrency. The researchers note that XMRig was deployed in at least four distinct attacks, one conducted of them attributed to the LemonDuck threat group.

Other payloads delivered to the compromised computer include:

  • XenoRAT – Deployed alongside XMRig for remote access and control.
  • Gh0stRAT – Used for remote control and data exfiltration from breached systems.
  • PlugX – A backdoor mostly associated with Chinese-speaking threat actors that is used for persistent access.
  • GoThief – An information stealer that uses Amazon AWS to steal data. It captures screenshots, collects information on desktop files, and sends data to an external command and control (C2) server.
LemonDuck's XenoRAT and scanner tool
LemonDuck’s XenoRAT and scanner tool
Source: ASEC

AhnLab researchers note that they keep detecting attacks on version 2.3m of HFS. Because the server needs to be exposed online for the file sharing to be possible, hackers will like continue looking for vulnerable versions to attack.

The recommended variant of the product is 0.52.x, which, despite being a lower version, is currently the latest HFS release from the developer. It is web-based, requires minimal configuration, comes with support for HTTPS, dynamic DNS, and authentication for the administrative panel.

The company provides a set of indicators of compromise in the report, which include hashes for the malware installed on breached systems, IP addresses for attacker command and control servers, and the download URLs for the malware used in the attacks.