MAR-10454006-r3.v1 Exploit Payload Backdoor | CISA
Common Information
Type Value
UUID 65835a1f-f4c1-4ca1-a1ad-9b520d3157c4
Fingerprint 458e0a34456a090d
Analysis status DONE
Considered CTI value 2
Text language
Published July 28, 2023, noon
Added to db Aug. 12, 2023, 1:30 a.m.
Last updated Nov. 17, 2024, 5:57 p.m.
Headline MAR-10454006-r3.v1 Exploit Payload Backdoor
Title MAR-10454006-r3.v1 Exploit Payload Backdoor | CISA
Detected Hints/Tags/Attributes 53/2/32
Attributes
Details Type #Events CTI Value
Details CVE 117
cve-2023-2868
Details Domain 469
www.cisa.gov
Details Domain 154
us-cert.cisa.gov
Details Domain 84
malware.us-cert.gov
Details Domain 84
ftp.malware.us-cert.gov
Details Email 84
submit@malware.us-cert.gov
Details File 3
snapshot.tar
Details File 1
snapshot0.tar
Details IPv4 5
107.148.219.54
Details IPv4 4
107.148.223.196
Details IPv4 1
107.148.0.0
Details IPv4 1
107.149.255.255
Details Url 43
http://www.cisa.gov/tlp.
Details Url 53
https://us-cert.cisa.gov/forms/feedback
Details Url 84
https://malware.us-cert.gov
Details Yara rule 1
rule CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2 {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10454006"
		Date = "2023-07-05"
		Last_Modified = "20230712_1400"
		Actor = "n/a"
		Family = "n/a"
		Capabilities = "accesses-remote-machines communicates-with-c2"
		Malware_Type = "trojan backdoor remote-access-trojan"
		Tool_Type = "unknown"
		Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868 encoded block"
		SHA256_1 = "0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6"
		SHA256_2 = "2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095"
		SHA256_3 = "3f2ca19ad3635f379968b0302c7e42cf954f85ab61166c6f70acfebc72f38ab7"
		SHA256_4 = "80342108e9f0f1fd6b5c44e88006cebe37e4eccb3a0f567636b22ad210c0a043"
		SHA256_5 = "9d0c7a45dd00d31a9724fa9e96cb8ac99dd5a6502fe4515cedaabb2e58b1c5f5"
		SHA256_6 = "b5113e29ec23f6e1be289b99dc7ac2af1c252b4b6ff6e977f7827ab7fd686321"
		SHA256_7 = "b52a9844d8368abe70b6ba0d8df84f88c8c0029dcbcf599665acd703b255d5d2"
		SHA256_8 = "caa795c4c934219d287379b20c2912af0f815de95bb73e0f02f5fe6eb9aa50bd"
		SHA256_9 = "cf0996a3aee148bc060f4726435dd0d7f1af79082277f407dfa07d81181322ba"
		SHA256_10 = "f536a7b75b7205762b75a037ebf6503029aab1a02afab14b2709797c32e7e0fa"
	strings:
		// Each hex string is the ASCII text of a base64 fragment taken from the encoded block.
		// Most fragments are base64 applied twice; the decoded layers are noted for reference.
		$s1 = { 59 57 4A 6A 5A 47 56 6D 5A }  // "YWJjZGVmZ" -> base64 prefix of "abcdefg"
		$s2 = { 59 7A 4A 57 4D 47 4D 79 62 47 74 4A 53 45 35 76 53 55 4D 78 61 }  // "YzJWMGMybGtJSE5vSUMxa" -> "c2V0c2lkIHNoIC1j" -> "setsid sh -c"
		$s3 = { 54 44 4E 53 64 47 4E 44 4F }  // "TDNSdGNDO" -> "L3RtcC8" -> "/tmp/"
		$s4 = { 5A 45 63 78 64 }  // "ZEcxd" -> "dG1w" -> "tmp"
		$s5 = { 57 54 49 35 64 57 4A 74 56 6D 70 6B }  // "WTI5dWJtVmpk" -> "Y29ubmVjd" -> "connec" (prefix, e.g. "connect")
		$s6 = { 53 55 52 4A 4B 30 77 79 55 6D 78 6B 61 54 6C 31 5A 46 64 34 63 }  // "SURJK0wyUmxkaTl1ZFd4c" -> "IDI+L2Rldi9udWxs" -> " 2>/dev/null"
		$s7 = { 4C 6E 52 34 64 41 }  // "LnR4dA" -> ".txt" (single base64 layer)
	condition:
		5 of them
}
Details Yara rule 1
rule CISA_10452108_03 : backdoor communicates_with_c2 installs_other_components {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10452108"
		Date = "2023-06-20"
		Last_Modified = ""
		Actor = "n/a"
		Family = "n/a"
		Capabilities = "communicates-with-c2 installs-other-components"
		Malware_Type = "backdoor"
		Tool_Type = "unknown"
		Description = "Detects malicious Linux reverse shell samples"
		SHA256_1 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
	strings:
		// Plain ASCII tokens found in the sample; all three must be present.
		$s0 = { 6F 47 68 37 6F 68 63 34 }  // "oGh7ohc4"
		$s1 = { 41 6B 65 6F 38 61 68 58 }  // "Akeo8ahX"
		$s2 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }  // "eequei7A09302"
	condition:
		all of them
}
Details Yara rule 1
rule CISA_10454006_09 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2 {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10454006"
		Date = "2023-07-05"
		Last_Modified = "20230712_1400"
		Actor = "n/a"
		Family = "n/a"
		Capabilities = "accesses-remote-machines communicates-with-c2"
		Malware_Type = "trojan backdoor remote-access-trojan"
		Tool_Type = "unknown"
		Description = "Detects reverse shell samples in TAR files used in CVE-2023-2868"
		SHA256_1 = "949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788"
		SHA256_2 = "f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0"
		SHA256_3 = "2a5de691243f2b91f164c3021c157fbd783b4f3e7d5f5950182e52ec868cd40b"
	strings:
		// $s* strings: ASCII text of the single-base64-encoded reverse shell block (decoded value noted).
		$s1 = { 61 62 63 64 65 66 67 }  // "abcdefg" (plain ASCII)
		$s2 = { 63 32 56 30 63 32 6C 6B 49 48 4E 6F 49 43 31 6A }  // "c2V0c2lkIHNoIC1j" -> "setsid sh -c"
		$s3 = { 49 44 49 2B 4C 32 52 6C 64 69 39 75 64 57 78 73 }  // "IDI+L2Rldi9udWxs" -> " 2>/dev/null"
		$s4 = { 49 43 39 30 62 58 41 76 }  // "IC90bXAv" -> " /tmp/"
		$s5 = { 59 32 39 75 62 6D 56 6A 64 }  // "Y29ubmVjd" -> "connec" (prefix, e.g. "connect")
		// $n* strings: the plain ASCII tokens also used by CISA_10452108_03.
		$n1 = { 6F 47 68 37 6F 68 63 34 }  // "oGh7ohc4"
		$n2 = { 41 6B 65 6F 38 61 68 58 }  // "Akeo8ahX"
		$n3 = { 65 65 71 75 65 69 37 41 30 39 33 30 32 }  // "eequei7A09302"
	condition:
		all of ($s*) or all of ($n*)
}