| Attribute | Details |
|---|---|
| Threat Actors | Unknown attackers exploiting Cleo software vulnerabilities |
| Campaign Overview | Multi-stage attack deploying an encoded JAR payload targeting Cleo software. |
| Target Regions (Or Victims) | Organizations using Cleo Integration Suite (Harmony, VLTrader, LexiCom) globally |
| Methodology | Modular, multi-stage system using PowerShell and embedded JARs for exploitation, encryption, and data exfiltration |
| Product Targeted | Cleo Integration Suite (Harmony, VLTrader, LexiCom) |
| Malware Reference | Modular Java-based Remote Access Trojan (RAT) system with embedded classes (Cli, Dwn, Mos, Proc, SrvSlot, etc.) |
| Tools Used | PowerShell scripts, TCP connection setup, custom JAR loader, network management classes |
| Vulnerabilities Exploited | CVE-2024-50623 (unauthenticated vulnerability in Cleo software) |
| TTPs | Initial Access: Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059); Discovery: System Owner/User Discovery (T1033), Domain Trust Discovery (T1482); Lateral Movement: Pass the Hash (T1550.002) |
| Attribution | Rapid7 MDR and incident response teams contributed to this analysis |
| Recommendations | Improve detection and response capabilities, monitor assets for zero-day threats, strengthen identity security |
| Source | Rapid7 |
Read full article: https://www.rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropped-in-cleo-exploitation-campaign/
The above summary has been generated by an AI language model