VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, VersaMem was used by Volt Typhoon during the Versa Director Zero Day Exploitation campaign to target ISPs and MSPs. VersaMem is deployed as a Java Archive (JAR); it captures credentials from Versa Director logon activity and allows follow-on execution of arbitrary Java payloads.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1129 | Shared Modules | VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code already loaded in memory.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | VersaMem was delivered as a Java Archive (JAR) that runs by attaching itself to the Apache Tomcat Java servlet and web server.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | VersaMem was installed through exploitation of CVE-2024-39717 in Versa Director servers.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | VersaMem staged captured credentials locally at |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | VersaMem encrypted captured credentials with AES and then Base64-encoded them before writing them to local storage.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | VersaMem deleted files related to its initial installation, such as temporary files tied to the PID of the main web process.[1] |
| Enterprise | T1040 | Network Sniffing | VersaMem hooked the Catalina application filter chain |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | VersaMem hooked and overrode Versa's built-in authentication method |
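Because VersaMem lives in memory and modifies already-loaded classes through the Instrumentation API and Javassist, file-based scanning of the webapp directory misses it. One check a defender can run on a suspect Tomcat process is to dump the JVM's class histogram (`jcmd <tomcat-pid> GC.class_histogram`) and look for classes that only appear once a Java agent has been attached (`sun.instrument.*`) or once bytecode is being generated at runtime (`javassist.*`). The script below is an added example, not code from the ATT&CK page or from the Versa/CISA advisory; it assumes the histogram text is collected out of band, and the two histograms embedded in it are constructed for illustration. The Javassist match is a heuristic: Hibernate and similar libraries have historically bundled Javassist, so results must be compared against a baseline histogram from a known-good Versa Director instance rather than treated as proof of compromise.

```python
"""Flag JVM classes that indicate runtime bytecode instrumentation.

Added illustrative example; not VersaMem's code and not from the ATT&CK page.
Assumes the operator has captured `jcmd <pid> GC.class_histogram` output from
the suspect Tomcat process and from a known-good baseline instance.
"""
import re
from typing import Dict, List

# Class-name prefixes that normally appear only after a Java agent has been
# loaded (sun.instrument.* backs the java.lang.instrument.Instrumentation
# interface) or when classes are generated/rewritten at runtime (javassist.*).
# The javassist entry is heuristic; compare against a baseline before acting.
INSTRUMENTATION_PREFIXES = (
    "sun.instrument.",
    "java.lang.instrument.",
    "javassist.",
)

# A histogram data line looks like:
#    4:             1             48  sun.instrument.InstrumentationImpl (java.instrument@17.0.8)
HISTOGRAM_LINE = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_histogram(text: str) -> Dict[str, int]:
    """Return {class name: instance count} from GC.class_histogram output.

    Header and separator lines do not match the pattern and are skipped.
    """
    classes: Dict[str, int] = {}
    for line in text.splitlines():
        m = HISTOGRAM_LINE.match(line)
        if m:
            classes[m.group(3)] = int(m.group(1))
    return classes


def flag_instrumentation(current: Dict[str, int], baseline: Dict[str, int]) -> List[str]:
    """Classes matching an instrumentation prefix that the baseline never loaded."""
    return sorted(
        name
        for name in current
        if name.startswith(INSTRUMENTATION_PREFIXES) and name not in baseline
    )


# Constructed sample: a known-good histogram excerpt (hypothetical values).
SAMPLE_BASELINE = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:        412003       32960240  [B (java.base@17.0.8)
   2:         98231        2357544  java.lang.String (java.base@17.0.8)
   3:          1204         144480  org.apache.catalina.core.ApplicationFilterChain
"""

# Constructed sample: the same host after an agent has been attached and
# Javassist is resident (hypothetical values).
SAMPLE_CURRENT = SAMPLE_BASELINE + """\
   4:             1             48  sun.instrument.InstrumentationImpl (java.instrument@17.0.8)
   5:            37           2368  javassist.CtClass
   6:            37           1776  javassist.ClassPool
"""


def main() -> None:
    hits = flag_instrumentation(parse_histogram(SAMPLE_CURRENT),
                                parse_histogram(SAMPLE_BASELINE))
    for name in hits:
        print(f"not in baseline: {name}")


if __name__ == "__main__":
    main()
```

In practice, feed `flag_instrumentation` the histogram from the Versa Director host under investigation and one from a freshly built instance of the same version; a `sun.instrument.InstrumentationImpl` class on a Tomcat that was not started with `-javaagent` is the strongest signal here, since it implies an agent was attached to the running JVM.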
| ID | Name | References |
|---|---|---|
| G1017 | Volt Typhoon | |
| ID | Name | Description |
|---|---|---|
| C0039 | Versa Director Zero Day Exploitation | VersaMem was used by Volt Typhoon during Versa Director Zero Day Exploitation.[1] |