
SANS ISC: F5 BigIP vulnerability exploitation followed by a backdoor implant attempt - SANS Internet Storm Center

F5 BigIP vulnerability exploitation followed by a backdoor implant attempt

While monitoring the SANS Internet Storm Center honeypots today, I came across the second F5 BIG-IP CVE-2020-5902 exploitation attempt followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].

Running the backdoor binary (ELF) on a separate system, it was possible to verify that it establishes an SSL connection to the host web[.] at 152[.]32.180.34:443.

Searching VirusTotal for web[.] while writing this diary, I found no AV vendor flagging the network addresses or the binary hash as malicious.

For persistence, it appends a line to the "/etc/init.d/rc.local" file in an attempt to be started on system boot.

Examining the binary statically, it is possible to see the string `python -c 'import pty;pty.spawn("/bin/sh")'`. It will require more analysis, but it may be used by the attacker to obtain an interactive terminal on the target system. A proper terminal is usually required for the attacker to run commands like 'su'.
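As an added defender-side triage example (not code from the diary), the following Python flags the two artifacts described above: the pty-spawn one-liner embedded in a binary, and lines added to rc.local relative to a known-good copy. The sample bytes, the baseline file contents and the `/tmp/PLACEHOLDER_BACKDOOR` path are constructed for the demonstration.

```python
import re
from typing import List

# Constructed sample: an ELF-like byte blob with the string from the diary embedded
# among binary noise (not the real backdoor).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x11\x01\x02" + b"python -c 'import pty;pty.spawn(\"/bin/sh\")'" + b"\x00\x01\x02"
    + b"some other text\x00"
)

# Constructed rc.local contents: a clean baseline, and the same file after a
# persistence line was appended (placeholder path, not taken from the diary).
BASELINE_RC_LOCAL = "#!/bin/sh -e\n# rc.local\nexit 0\n"
MODIFIED_RC_LOCAL = "#!/bin/sh -e\n# rc.local\n/tmp/PLACEHOLDER_BACKDOOR &\nexit 0\n"

# Tolerates whitespace variations of the one-liner seen in the sample.
PTY_SPAWN = re.compile(rb"import\s+pty\s*;\s*pty\.spawn\(")


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_pty_spawn(data: bytes) -> List[str]:
    """Strings in a binary that carry the pty-spawn terminal upgrade one-liner."""
    return [s for s in printable_strings(data) if PTY_SPAWN.search(s.encode("ascii"))]


def added_rc_local_lines(baseline: str, current: str) -> List[str]:
    """Non-comment, non-blank lines present in current rc.local but not in the baseline."""
    known = set(baseline.splitlines())
    return [
        line for line in current.splitlines()
        if line not in known and line.strip() and not line.lstrip().startswith("#")
    ]


if __name__ == "__main__":
    print("pty spawn strings:", find_pty_spawn(SAMPLE_BINARY))
    print("rc.local additions:", added_rc_local_lines(BASELINE_RC_LOCAL, MODIFIED_RC_LOCAL))
```

On a live host, read the real binary and `/etc/init.d/rc.local` into these functions and compare against a baseline captured from a known-clean image.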


(Screenshot: exploitation attempt source)

(Screenshot: backdoor URL)

(Screenshot: C2 communication)

The backdoor binary:
90ce1320bd999c17abdf8975c92b08f7 (MD5)
a8acda5ddfc25e09e77bb6da87bfa157f204d38cf403e890d9608535c29870a0 (SHA256)



Renato Marinho
Morphus Labs
ISC Handler
Jul 7th 2020
The screenshot shows 152[.]32[.]180[.]34 as the C2 channel, but in your write-up you list the IoC as 52[.]32[.]180[.]34. I assume the screenshot is correct?

Hello John, you are right.

The correct IP is 152[.]32.180.34.

Just fixed in the diary.


ISC Handler
