S1154 VersaMem
VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon to target ISPs and MSPs. VersaMem is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.1
| Item | Value |
|---|---|
| ID | S1154 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 27 August 2024 |
| Last Modified | 15 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | VersaMem was delivered as a Java Archive (JAR) that runs by attaching itself to the Apache Tomcat Java servlet and web server.1 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | VersaMem staged captured credentials locally at /tmp/.temp.data.1 |
| enterprise | T1203 | Exploitation for Client Execution | VersaMem was installed through exploitation of CVE-2024-39717 in Versa Director servers.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | VersaMem deleted files related to initial installation such as temporary files related to the PID of the main web process.1 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.004 | Credential API Hooking | VersaMem hooked and overrided Versa’s built-in authentication method, setUserPassword, to intercept plaintext credentials when submitted to the server.1 |
| enterprise | T1040 | Network Sniffing | VersaMem hooked the Catalina application filter chain doFilter on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters like passwords and follow-on Java modules.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | VersaMem encrypted captured credentials with AES then Base64 encoded them before writing to local storage.1 |
| enterprise | T1129 | Shared Modules | VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code existing in memory.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1017 | Volt Typhoon | 1 |