ElectricBreeze-2

admin 2026-01-09 02:57:31 | Cybersecurity articles | Source: ZONE.CI Global Network

Article summary: This article walks through the static analysis of the VersaMem malware used by the Volt Typhoon group, covering the Tomcat in-memory webshell hook mechanism, AES-encrypted access validation and method-name obfuscation. Through reverse engineering it shows how the sample is obtained, the parameter used for access validation, the credential-harvesting function and where the key is stored, laying out the attack chain against Versa Director appliances and the corresponding defensive points. Overall score: 82. Article categories: malware, vulnerability analysis, CTF, web security, reverse engineering.



Original

漫路修行

微痕鉴远

8 January 2026, 18:13, Guangdong

The second installment of the series following Volt Typhoon. In this Sherlock players will have to retrieve the VersaMem malware and perform static analysis to better understand the group.

Taking the crossroads: The Versa director zero-day exploitation

https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf

In ElectricBreeze-1 we looked at this group's TTPs. Next we analyse the in-memory webshell malware the group used in its operations.

Use MalwareBazaar to download a copy of the file with the hash ‘4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37’. What is the URL to do this?

https://bazaar.abuse.ch/download/4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37/

What is a suspicious directory in META-INF?

Director_tomcat_memShell

One of the files in this directory may give some insight into the threat actor’s origin. What is the file?

pom.xml

According to this file, what is the application’s name?

The text is garbled here; the name actually contains Chinese characters.

The VersaMem web shell works by hooking Tomcat. Which file holds the functionality to accomplish this?

com/versa/vnms/ui/TestMain.class

There is a command that determines the PID for the hook. What is the program used in this line of code?

pgrep

The functionality for the webshell is in a different file. What is its name?

com/versa/vnms/ui/init/WriteTestTransformer.class

What is the name of the function that deals with authentication into the webshell?

getInsertCode

What request parameter must be present to activate the webshell logic?

p

What is the hardcoded access password used to validate incoming webshell requests?

5ea23db511e1ac4a806e002def3b74a1

What type of encryption is used?

aes

What cipher mode is used to encrypt the credentials?

ecb

What is the value of the key after decoding?

To avoid static detection, the method name is constructed at runtime and passed to java.lang.reflect.Method, what is the decimal byte array used to construct the string name?

100, 101, 102, 105, 110, 101, 67, 108, 97, 115, 115

What is the Base64-encoded string that is returned to the client if the class is successfully defined?

R2qBFRx0KAZceVi+MWP6FGGs8MMoJRV5M3KY/GBiOn8=
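Two of the indicators above (the decimal byte array that spells the reflection method name, and the hardcoded `p` password) can be turned directly into defensive checks. The following Python is an added example written for this writeup, not code from the Sherlock or from the VersaMem sample: it decodes a decimal byte array the way the loader does, flags the result if it is a class-loading or reflection method name (the `SUSPICIOUS_METHOD_NAMES` list is an assumption), and scans constructed Tomcat access-log lines for requests carrying the hardcoded password in the `p` parameter. The request path `/versa/ui/index.html` and the log lines are constructed samples, not observed traffic.

```python
"""Added example (not from the original writeup): two small checks a
defender can build from the indicators named in this Sherlock."""
import re
from urllib.parse import urlsplit, parse_qs

# Decimal byte array from the sample, as listed in the writeup.
VERSAMEM_METHOD_BYTES = [100, 101, 102, 105, 110, 101, 67, 108, 97, 115, 115]

# Hardcoded access password from the sample, as listed in the writeup.
VERSAMEM_ACCESS_PASSWORD = "5ea23db511e1ac4a806e002def3b74a1"

# Reflection / class-loading method names whose runtime construction is a
# strong sign of an in-memory loader. This list is an assumption.
SUSPICIOUS_METHOD_NAMES = {
    "defineClass", "getDeclaredMethod", "invoke", "setAccessible", "loadClass",
}


def decode_decimal_byte_array(values):
    """Turn a list of decimal byte values (or an array literal such as
    "100, 101, 102") back into the string the malware builds at runtime."""
    if isinstance(values, str):
        values = [int(v) for v in re.findall(r"-?\d+", values)]
    # Java bytes are signed; normalise negatives to 0..255 before decoding.
    return bytes((v & 0xFF) for v in values).decode("latin-1")


def is_suspicious_method_name(name):
    """True if the decoded name is one an in-memory loader typically needs."""
    return name in SUSPICIOUS_METHOD_NAMES


def find_webshell_requests(log_lines, password=VERSAMEM_ACCESS_PASSWORD):
    """Return (line_no, request_target) for access-log lines whose query
    string carries p=<password>. Assumes common/combined log format, where
    the request is the quoted "METHOD /path?query HTTP/1.x" field."""
    request_re = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/\d\.\d"')
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = request_re.search(line)
        if not m:
            continue
        target = m.group(1)
        query = parse_qs(urlsplit(target).query)
        if password in query.get("p", []):
            hits.append((n, target))
    return hits


# Constructed sample Tomcat access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Jan/2026:18:13:01 +0800] "GET /versa/login HTTP/1.1" 200 512',
    '203.0.113.10 - - [08/Jan/2026:18:13:05 +0800] "POST /versa/ui/index.html?p=5ea23db511e1ac4a806e002def3b74a1 HTTP/1.1" 200 44',
    '198.51.100.7 - - [08/Jan/2026:18:14:22 +0800] "GET /versa/ui/index.html?p=wrong HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    name = decode_decimal_byte_array(VERSAMEM_METHOD_BYTES)
    print(name, "suspicious" if is_suspicious_method_name(name) else "benign")
    for n, target in find_webshell_requests(SAMPLE_LOG):
        print(f"line {n}: {target}")
```

The access-log check only sees parameters sent in the query string; if `p` is carried in a POST body it will not appear in Tomcat's access log, so a body-aware source (a reverse-proxy request log or a WAF) is needed to cover that case. The byte-array decoder is the more durable check, since it works on any decimal array found in a decompiled class regardless of which method name it hides.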

What is the decrypted string?

There is another class to log passwords for exfiltration. What is this file?

What is the main malicious function in this class?

captureLoginPasswordCode

The same AES key from the previous method is being used. What is the variable name it is being saved as in this function?

secretKey

What file is used to hold credentials before exfiltration?


Disclaimer:

The programs and technical methods in this article are intended only for lawful and compliant security research and teaching, with the aim of improving network security defences, and are of an explicitly technical research nature.

Any organisation or individual who, without authorisation, uses the content of this article for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site assumes no joint liability.

All content on this site is published for technical exchange and knowledge sharing. If there is any copyright infringement or other objection, please contact us by e-mail; the contact details are available via the "Contact me" link at the top of the page.

This article is reposted from: 微痕鉴远 漫路修行《ElectricBreeze-2》
