Possible Long-Term Attack by Unknown Hackers Thwarted
Hackers exploiting flaws in Cleo Communications software instances had intimate knowledge of their internals and deployed a previously unknown family of malware, security researchers from Huntress said Thursday.
Illinois-based Cleo published a patch Wednesday evening for an arbitrary file-write vulnerability after Huntress researchers disclosed Monday that the patch for a flaw tracked as CVE-2024-50623 did not prevent active exploitation (see: Hackers Exploiting Cleo Software Zero-Day).
Cleo “boarded up one window, and locked all the doors of one side of the building, but not quite the other,” said John Hammond, a principal security researcher at Huntress. “Well, now they have,” he added. Cleo file transfer software is used in industries with large-scale logistics and supply chain operations.
Huntress dubbed the malware used against Cleo LexiCom, VLTransfer and Harmony software products “Malichus,” a historical play on words on Cleopatra, the last ruler of the Ptolemaic Kingdom of Egypt. Malichus ruled a rival Middle East kingdom and burned Cleopatra’s naval fleet after her loss at the Battle of Actium – likely preventing her from fleeing Egypt in a sequence of events that ended with her suicide and the conversion of Egypt into an Imperial province of Rome.
“The malware is smart. [The hackers] have a lot of clever tricks for their initial access, and especially for their post-exploitation,” Hammond told Information Security Media Group. “It looks like these guys knew what they were doing.”
An attack against an unpatched instance of Cleo software begins with a simple POST message, Hammond said, no user authentication required.
Huntress has not seen hackers deploy ransomware. Attackers instead have established persistence and explored the networks they had penetrated. “Was it supposed to be some low-and-slow APT attack later down the line? I can’t say for sure, because we were able to track it down.” The hackers were able to stay undetected until they ran an Active Directory survey to enumerate network assets.
Hackers were able to deploy malware in part by abusing a feature in Cleo software that automatically executes files placed in its autorun directory. This isn’t the first instance of hackers finding the Cleo autorun feature useful for deploying software – an attack in 2021 also made use of it. Cleo products will continue to contain an autorun directory, Hammond said, although the Wednesday patch should make it harder to exploit.
The architecture of Malichus is divided into three core stages: a PowerShell downloader, a Java-based downloader and a modular Java post-exploitation framework. The attack begins with a PowerShell loader encoded in Base64, which decodes and executes a Java archive.
In the second stage, the Java downloader contacts a command-and-control server over AES-encrypted communications to retrieve the third stage. It decodes configuration variables such as encryption keys, victim identifiers and server addresses at run time, maintaining obfuscation and operational secrecy; that adaptability complicates detection and mitigation efforts.
The third stage consists of a modular Java-based framework with extensive post-exploitation capabilities. While compatible with both Linux and Windows systems, observed activity has primarily targeted Windows environments.