VersaMem
VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon to target ISPs and MSPs. VersaMem is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | Command and Scripting Interpreter |
VersaMem was delivered as a Java Archive (JAR) that runs by attaching itself to the Apache Tomcat Java servlet and web server.[1] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
VersaMem staged captured credentials locally at |
| Enterprise | T1203 | Exploitation for Client Execution |
VersaMem was installed through exploitation of CVE-2024-39717 in Versa Director servers.[1] |
|
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
VersaMem deleted files related to initial installation such as temporary files related to the PID of the main web process.[1] |
| Enterprise | T1056 | .004 | Input Capture: Credential API Hooking |
VersaMem hooked and overrided Versa's built-in authentication method, |
| Enterprise | T1040 | Network Sniffing |
VersaMem hooked the Catalina application filter chain |
|
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
VersaMem encrypted captured credentials with AES then Base64 encoded them before writing to local storage.[1] |
| Enterprise | T1129 | Shared Modules |
VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code existing in memory.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1017 | Volt Typhoon |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0039 | Versa Director Zero Day Exploitation |
VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon.[1] |