Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG Privilege Escalation Tool

BY eSentire Threat Response Unit (TRU)

January 29, 2025 | 4 MINS READ

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In early January 2025, the eSentire Threat Response Unit (TRU) identified an unknown threat actor(s) exploiting the now six year old vulnerability, CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX.

TRU observed the threat actor(s) using w3wp.exe (the IIS worker process) to load a reverse shell and run follow-up reconnaissance commands through cmd.exe. The reverse shells were dropped in the C:\Windows\Temp directory with file names matching [10 digits].[6 digits].dll and [10 digits].[7 digits].dll.

The infection process begins when the threat actor(s) send a specific request to the IIS server to determine if the file upload handler is available. This can be seen in IIS logs as shown below:

2025-01-03 10:25:51 10.22.12.20 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - - - 200 0 0 171
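As an added example (not part of the original TRU post), the following Python snippet shows how a defender might hunt for the two artifacts described above: it parses IIS W3C log lines using the #Fields header and flags requests to the Telerik handler with type=rau, and it matches the C:\Windows\Temp DLL naming pattern. The sample log is constructed; the field order is the common IIS default and is an assumption.

```python
import re

# Constructed sample IIS W3C log; the last data line reproduces the probe shown above.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-01-03 10:25:49 10.22.12.20 GET /default.aspx - 443 - - - 200 0 0 12
2025-01-03 10:25:51 10.22.12.20 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - - - 200 0 0 171
"""

# Dropped reverse-shell DLLs were named <10 digits>.<6 or 7 digits>.dll under C:\Windows\Temp.
TEMP_DLL_RE = re.compile(r"^[a-z]:\\windows\\temp\\\d{10}\.\d{6,7}\.dll$", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_rau_probes(text):
    """Return requests that probe the Telerik file upload handler (query type=rau)."""
    hits = []
    for row in parse_iis_log(text):
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "").lower()
        if stem.endswith("telerik.web.ui.webresource.axd") and "type=rau" in query.split("&"):
            hits.append(row)
    return hits


def is_suspicious_temp_dll(path):
    """True when a file path matches the naming pattern of the dropped reverse shells."""
    return bool(TEMP_DLL_RE.match(path))
```

A single type=rau request is not proof of exploitation by itself (legitimate clients also hit this handler), so correlate hits with the file-name check and with w3wp.exe child processes.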

After confirming the file upload handler is available and determining the software version is vulnerable, the threat actor(s) made use of a customized version of the PoC here to upload and execute a remote shell.

The reverse shell is simple: a mixed-mode .NET assembly containing a routine that connects to the C2 at 213.136.75[.]130 via Windows Sockets. The legitimate Windows binary cmd.exe is started with its input, output and error handles redirected to the threat actor's connection.

Figure 1 – Decompiled reverse shell

After the threat actor(s) established connection via the reverse shell, they executed several commands to get information about users on the system. The figure below contains the parent/child relationships and subsequent commands executed through the reverse shell to enumerate users via net.exe and net1.exe.

Figure 2 – Remote shell loaded by w3wp.exe IIS worker process leading to recon commands
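As an added example (not from the original post), the following Python code demonstrates the lineage check a detection engineer would write for the parent/child chain described above: any cmd.exe, net.exe or net1.exe whose ancestry includes w3wp.exe is flagged. The process events are constructed to mirror the chain in Figure 2 and are not the real telemetry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case image file name, e.g. "w3wp.exe"
    cmdline: str


# Constructed sample telemetry modelled on the chain in Figure 2.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, "services.exe", "services.exe"),
    ProcEvent(120, 100, "svchost.exe", "svchost.exe -k iissvcs"),
    ProcEvent(2400, 120, "w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"'),
    ProcEvent(3100, 2400, "cmd.exe", "cmd.exe"),                       # shell spawned by the in-process DLL
    ProcEvent(3122, 3100, "net.exe", "net user"),
    ProcEvent(3123, 3122, "net1.exe", "net1 user"),
    ProcEvent(3200, 3100, "net.exe", "net localgroup administrators"),
    ProcEvent(500, 100, "cmd.exe", "cmd.exe /c backup.bat"),           # not under w3wp: must not alert
]

RECON_TOOLS = {"cmd.exe", "net.exe", "net1.exe"}


def ancestry(events, pid):
    """Return image names from the process itself up to the root, guarding against pid reuse loops."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_w3wp_recon(events):
    """Flag recon tooling whose ancestry passes through the IIS worker process."""
    hits = []
    for e in events:
        if e.image not in RECON_TOOLS:
            continue
        chain = ancestry(events, e.pid)
        if "w3wp.exe" in chain[1:]:
            hits.append((e.pid, " -> ".join(reversed(chain)), e.cmdline))
    return hits
```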

The following Yara rule can be used for detecting the reverse shell. This Yara rule is also available for download here.

rule TCP_Reverse_Shell_Windows_x64 {
    meta:
        description = "Detects Windows based 64-bit TCP reverse shell"
        author = "YungBinary"
        hash = "b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348"
    strings:
        $winsock_2_0 = { 66 B? 02 00 FF 15 }
        $winsock_2_1 = { 66 B? 02 01 FF 15 }
        $winsock_2_2 = { 66 B? 02 02 FF 15 }
        $winsock_1_0 = { 66 B? 01 00 FF 15 }
        $winsock_1_1 = { 66 B? 01 01 FF 15 }

        $socket_params = {
            41 B8 06 00 00 00
            BA 01 00 00 00
            B9 02 00 00 00
        }

        $cmd = {
            48 C7 44 24 ?? 00 00 00 00
            48 C7 44 24 ?? 00 00 00 00
            C7 44 24 ?? 00 00 00 00
            C7 44 24 ?? (01 | 00) 00 00 00
            45 33 C9
            45 33 C0
            48 8D 15 ?? ?? ?? ??
            33 C9
            FF 15
        }

        $wait = {
            BA FF FF FF FF
            48 8B 4C ?? ??
            FF 15
        }

    condition:
        uint16(0) == 0x5a4d and ((1 of ($winsock*)) and $socket_params and $cmd and $wait)
}

Figure 3 – Yara rule to detect Windows TCP reverse shell

TRU also observed the threat actor(s) dropping the open-source privilege escalation tool JuicyPotatoNG on the host under various file names:

  • C:\Users\Public\PingCaler.exe
  • C:\Users\Public\JuicyPotatoNG.exe

The following batch files were also dropped on the host, but their purpose is not known at this time:

  • C:\Users\Public\rdp.bat
  • C:\Users\Public\user.bat
  • C:\Users\Public\All.bat

The following diagram provided by Telerik can be used to determine if your specific version of Telerik UI for ASP.NET AJAX is vulnerable.

Figure 4 – Vulnerable version decision tree diagram (source: Telerik).

What did we do?

  • Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
  • We communicated what happened with the customer and helped them with incident remediation efforts.

What can you learn from this TRU Positive?

  • While the vulnerability in Progress Telerik UI for ASP.NET AJAX is several years old, it continues to be a viable entry point for threat actors.
  • This highlights the importance of patching systems, especially if they are going to be exposed to the internet.

Recommendations from the Threat Response Unit (TRU):

Indicators of Compromise

You can access the Indicators of Compromise here.
