
F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech

Around May 2022, JPCERT/CC confirmed attack activity against Japanese organizations that exploited the F5 BIG-IP vulnerability CVE-2022-1388. The targeted organizations have confirmed that data held on BIG-IP was compromised. We consider this attack to be related to the activities of the BlackTech attack group. This blog article describes the attack activities that exploit this BIG-IP vulnerability.

Attack code that exploits the BIG-IP vulnerability

Below is a part of the attack code used in the attack. This attack tool enables attackers to execute arbitrary commands on BIG-IP.

Figure 1: A part of the confirmed code that exploits the BIG-IP vulnerability

The grayed-out part of Figure 1 shows that the attack code listed the IP addresses of multiple BIG-IP devices in Japan, which were the targets of the attack. The attack code, together with malware used by BlackTech such as TSCookie and Bifrose, was found on the server used by the attacker.

Figure 2: Server where the attack code was installed

In addition to known malware, new unidentified malware was discovered on this server, which is described in the following section.

Hipid

This malware targets Linux, and two variants have been identified: one built for ARM and the other for x64. It is unclear what type of device it was created to run on, but it is possibly intended for IoT devices.

Figure 3: A part of the malware code (left: ARM variant, right: x64 variant)

This malware receives commands from the C2 server and executes arbitrary commands. To resolve host names it runs the external host command rather than using a system call or resolver library function.

Figure 4: A part of the code that executes the host command

The malware also comes in two variants with respect to how it sends data: one encrypts the data with RC4 before sending it, and the other sends it in plaintext. Some samples of the former have the unusual behavior of sending the S-Box used for RC4 encryption to the server.

Figure 5: A part of the code that sends S-Box data to the server
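The S-Box behavior above matters to an analyst because an RC4 S-Box is the entire cipher state: whoever sees it can run the keystream generator without ever learning the key. The following is an added example, not code from the JPCERT article or the malware itself. It implements RC4 key scheduling and keystream generation, a heuristic that spots a transmitted S-Box in captured bytes (a freshly scheduled S-Box is a 256-byte permutation of 0..255), and a decryption of the rest of the message using only that S-Box. The message layout (6-byte marker, S-Box, ciphertext), the key and the check-in text are all constructed for the example; the real malware's framing is not described on the page.

```python
"""RC4 S-Box handling, added as an example for the Hipid description above.
Not code from the JPCERT article; the message layout and key are constructed."""


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: derive the 256-byte S-Box permutation from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt_with_sbox(sbox: list, data: bytes) -> bytes:
    """RC4 keystream generation driven by an S-Box; encryption and decryption
    are the same operation. The S-Box is copied so the caller's copy survives."""
    s = list(sbox)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: schedule the key, then run the keystream over the data."""
    return rc4_crypt_with_sbox(rc4_ksa(key), data)


def looks_like_sbox(blob: bytes) -> bool:
    """A freshly scheduled RC4 S-Box is exactly 256 bytes and a permutation of 0..255."""
    return len(blob) == 256 and len(set(blob)) == 256


def find_sbox_offsets(payload: bytes) -> list:
    """Slide a 256-byte window across a captured payload and report every
    offset at which the window is a permutation of 0..255."""
    return [i for i in range(len(payload) - 255) if looks_like_sbox(payload[i:i + 256])]


def decrypt_with_transmitted_sbox(payload: bytes, sbox_offset: int) -> bytes:
    """Recover the plaintext without the key, using the S-Box the client sent.
    Assumes (constructed layout) that everything after the S-Box is ciphertext."""
    sbox = list(payload[sbox_offset:sbox_offset + 256])
    return rc4_crypt_with_sbox(sbox, payload[sbox_offset + 256:])


# Constructed sample session: a 6-byte marker, the S-Box, then the RC4-encrypted
# check-in. Key, marker and message are made up for this example.
SAMPLE_KEY = b"constructed-key"
SAMPLE_MSG = b"hostname=victim-host;uid=0"
SAMPLE_SBOX = rc4_ksa(SAMPLE_KEY)
SAMPLE_PAYLOAD = b"\xff" * 6 + bytes(SAMPLE_SBOX) + rc4(SAMPLE_KEY, SAMPLE_MSG)


if __name__ == "__main__":
    for off in find_sbox_offsets(SAMPLE_PAYLOAD):
        print(off, decrypt_with_transmitted_sbox(SAMPLE_PAYLOAD, off))
```

The permutation check is cheap enough to run over every C2 session in a capture; a hit is both a detection signal for this Hipid variant and the starting point for decrypting the rest of that session. Random ciphertext almost never forms a 256-byte permutation, so false positives are rare, but any hit should still be confirmed by checking that the decrypted bytes are readable.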

Distribution of Hipid using malicious PyPI packages

Although this is not directly related to the attack that exploits the BIG-IP vulnerability, JFrog reports that the same type of malware as the one described above was registered as a malicious PyPI package in the past [1]. Figure 6 shows the contents of the malicious package's setup.py. The attacker appears not to have taken control of an existing package, but rather to have registered a malicious package on PyPI and then installed it on already compromised systems.

Figure 6: Contents of setup.py

The malware itself was included in __init__.py encoded in Base32, as shown in Figure 7. After decoding, it is installed by overwriting /usr/sbin/syslogd.

Figure 7: Base64-encoded malware
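The install-time behavior described above (decode an embedded blob, write it over a system binary, make it executable) is visible in the package's source before anything runs, which is the point at which a supply-chain review can catch it. The following is an added example, not code from the JPCERT or JFrog reports: a small static audit that walks the AST of a setup.py and flags decoder calls, writes to system directories, permission changes and long Base32-alphabet string constants. Both setup.py samples are constructed for the example; the "blob" is a meaningless placeholder, not the real payload.

```python
"""Static audit of a setup.py for install-time payload dropping, added as an
example for the PyPI case above. Not code from the JPCERT or JFrog reports;
both setup.py samples below are constructed."""
import ast
import re

SYSTEM_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/etc/", "/usr/lib/", "/lib/")
DECODERS = {"b16decode", "b32decode", "b64decode", "b85decode", "a85decode"}
EXEC_OR_CHMOD = {"system", "Popen", "run", "call", "check_output", "chmod", "exec", "eval"}
BASE32_BLOB = re.compile(r"[A-Z2-7=]{64,}")  # Base32 alphabet, suspiciously long


def _call_name(call: ast.Call) -> str:
    """Return the bare function name of a call (base64.b32decode -> b32decode)."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _open_mode(call: ast.Call) -> str:
    """Mode argument of an open() call, defaulting to 'r' when not a literal."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return str(call.args[1].value)
    return "r"


def audit_setup_py(source: str) -> list:
    """Walk the AST of a setup.py and return sorted, human-readable findings."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if BASE32_BLOB.fullmatch(node.value):
                findings.add(f"long Base32-alphabet string constant ({len(node.value)} chars)")
            continue
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DECODERS:
            findings.add(f"decodes an embedded payload via {name}()")
        if name in EXEC_OR_CHMOD:
            findings.add(f"executes a command or changes permissions via {name}()")
        if name == "open" and node.args:
            target = node.args[0]
            if (isinstance(target, ast.Constant) and isinstance(target.value, str)
                    and target.value.startswith(SYSTEM_DIRS)
                    and any(c in _open_mode(node) for c in "wa+")):
                findings.add(f"writes to system path {target.value}")
    return sorted(findings)


# Constructed sample mirroring the behaviour described in the article. The
# 64-character string is a placeholder in the Base32 alphabet, not a payload.
MALICIOUS_SETUP = '''\
import base64, os
from setuptools import setup

BLOB = "NBSWY3DPNBSWY3DPNBSWY3DPNBSWY3DPNBSWY3DPNBSWY3DPNBSWY3DPNBSWY3DP"
payload = base64.b32decode(BLOB)
with open("/usr/sbin/syslogd", "wb") as fh:
    fh.write(payload)
os.chmod("/usr/sbin/syslogd", 0o755)
setup(name="constructed-example", version="0.0.1")
'''

# Constructed benign sample: an ordinary setup() call and nothing else.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="benign-example", version="1.0.0", packages=["benign_example"])
'''


if __name__ == "__main__":
    for finding in audit_setup_py(MALICIOUS_SETUP):
        print("-", finding)
```

This is a triage aid rather than a verdict: a decoder call or a long encoded string alone is common in legitimate packages, but decoding combined with a write under /usr/sbin or /etc and a chmod in the same setup.py is exactly the pattern this case shows and deserves a manual look before the package is allowed into a build.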

In addition, the mount command is used to hide the running malware process, as shown in Figure 8.

Figure 8: Process hiding using the mount command
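Hiding a process with mount works by mounting some other directory over the process's /proc/<pid> entry, so tools such as ps and top, which read /proc/<pid>/stat, silently skip it. The mount itself, however, is recorded in /proc/mounts, and no legitimate software mounts anything at a /proc/<pid> path. The following is an added example, not code from the JPCERT article: a parser for /proc/mounts that reports mounts sitting on process directories, plus a live check for a process that answers kill(pid, 0) but has no usable /proc entry. The /proc/mounts excerpt is constructed; the PID and device names in it are made up.

```python
"""Detection of the /proc bind-mount process-hiding trick, added as an example
for the technique described above. Not code from the JPCERT article; the
/proc/mounts sample below is constructed."""
import os
import re

# Mount points of the form /proc/<pid>: nothing legitimate mounts there, so a hit
# means something has been mounted over a process directory to mask it from ps/top.
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)$")


def find_hidden_pid_mounts(mounts_text: str) -> list:
    """Parse /proc/mounts content and return (pid, source, fstype) for every
    mount whose mount point is a /proc/<pid> directory."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        source, mount_point, fstype = fields[0], fields[1], fields[2]
        match = PROC_PID_MOUNT.match(mount_point)
        if match:
            hits.append((int(match.group(1)), source, fstype))
    return hits


def pid_is_masked(pid: int) -> bool:
    """Live check (Linux only): the process exists according to kill(pid, 0)
    but its /proc/<pid>/status is gone, which is what a mount over the
    process directory produces."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # the process exists but belongs to another user
    return not os.path.exists(f"/proc/{pid}/status")


def scan_live() -> list:
    """Read the real /proc/mounts (Linux only) and report masked process directories."""
    with open("/proc/mounts") as fh:
        return find_hidden_pid_mounts(fh.read())


# Constructed /proc/mounts excerpt: the last line is what a bind mount of an
# ext4 directory over /proc/1337 looks like.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0
"""


if __name__ == "__main__":
    for pid, source, fstype in find_hidden_pid_mounts(SAMPLE_MOUNTS):
        print(f"PID {pid} is masked by a {fstype} mount from {source}")
```

Because the /proc/<pid> directory still appears in a listing of /proc (only its contents are replaced), the classic "PIDs answering kill(pid, 0) but absent from /proc" comparison does not catch this variant; checking /proc/mounts, or the per-process /proc/self/mountinfo, is the check that does. An unexplained mount on a /proc/<pid> path is a strong enough indicator on its own to pull the host for forensic review.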

In closing

The incident described in this report is currently under control and is no longer affecting many environments. In recent years BlackTech has been observed in a number of cases in which vulnerabilities in externally accessible systems were exploited. In the case described here, the vulnerability was exploited shortly after it was disclosed, so patch management continues to be important.

Shusei Tomonaga
(Translated by Takumi Nakano)

Acknowledgments

We would like to thank Shachar Menashe of JFrog for his assistance with this study.

References

[1] JFrog Discloses 3 Remote Access Trojans in PyPI
https://jfrog.com/blog/jfrog-discloses-3-remote-access-trojans-in-pypi/

Appendix A: C2 servers

  • 139.180.201.6
  • 108.160.138.235
  • 108.160.132.108
  • naaakkk.wikaba.com
  • ntstore.hosthampster.com
  • blog.mysecuritycamera.com
  • 139.162.112.74

Appendix B: Malware hash value

  • 9603b62268c2bbb06da5c99572c3dc2ec988c49c86db2abc391acf53c1cccceb
  • cb1a536e11ae1000c1b29233544377263732ca67cd679f3f6b20016fbd429817
  • 3d18bb8b9a5af20ab10441c8cd40feff0aabdd3f4c669ad40111e3aa5e8c54b8

Article Link: F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech – JPCERT/CC Eyes | JPCERT Coordination Center official Blog
