Modular Java backdoor dropped in Cleo exploitation campaign | Rapid7 Blog
Common Information
UUID: ea7b7c27-d63f-4fdc-a680-a497b4040b8d
Fingerprint: 3d49b18868218e82
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Dec. 11, 2024, 6:44 p.m.
Added to db: Dec. 11, 2024, 7:58 p.m.
Last updated: Dec. 19, 2024, 9:49 a.m.
Headline: Modular Java Backdoor Dropped in Cleo Exploitation Campaign
Title: Modular Java backdoor dropped in Cleo exploitation campaign | Rapid7 Blog
Detected hints/tags/attributes: 69/2/30
RSS Feed
Id: 50
Feed title: Rapid7 Cybersecurity Blog
Url: https://blog.rapid7.com/rss/
Added to db: 2024-08-30 22:08
Attributes (type, number of events in the database, value)

CVE (48 events): cve-2024-50623

Domain (245 events): system.io
Domain (1 event): zis.read

File (2287 events): cmd.exe
File (92 events): java.exe

md5 (1 event each):
fa0ffca3597af31fc196ca27283aa038
510a7fa9d425f1c3a38ad81d813b3f17
7dcaffc9c26fe9e08e9b66e05c644cfc
ee7acd7a8a5795308942f094c950de6f
37a761f4d02577cf6789676f87cb9fc6
6ff85e7bec211869073b969dbd10c8eb
ca3de6f055f94acc87c6d335d9cc5c04
d924ffd1f2952a03da29c0a7a33e6a54
bcc1bf75e0be3efabbd616cc8cfa8c35

IPv4 (6 events): 185.181.230.103
IPv4 (1 event): 135.237.120.41
IPv4 (1 event): 67.199.229.140
IPv4 (1 event): 76.9.210.45
IPv4 (3 events): 89.248.172.139
IPv4 (1 event): 131.226.235.203
IPv4 (2 events): 176.123.10.115
IPv4 (4 events): 185.162.128.133
IPv4 (2 events): 185.163.204.137

MITRE ATT&CK Techniques (586 events): T1190 (Exploit Public-Facing Application)
MITRE ATT&CK Techniques (739 events): T1059 (Command and Scripting Interpreter)
MITRE ATT&CK Techniques (242 events): T1033 (System Owner/User Discovery)
MITRE ATT&CK Techniques (1056 events): T1082 (System Information Discovery)
MITRE ATT&CK Techniques (130 events): T1482 (Domain Trust Discovery)
MITRE ATT&CK Techniques (69 events): T1069 (Permission Groups Discovery)
MITRE ATT&CK Techniques (37 events): T1550 (Use Alternate Authentication Material)
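The md5 and IPv4 attributes above are the only entries that are usable as hunting indicators on their own: cmd.exe and java.exe are generic file names, and the two "Domain" entries (system.io, zis.read) look like code identifiers picked up by the extractor rather than network indicators (an assumption, not a statement from the source). The script below is an added example, not code from Rapid7 or from the aggregator page; it embeds the page's hash and IP values and matches them against a few constructed key=value log lines in an assumed format.

```python
"""Match the page's md5 and IPv4 indicators against key=value log records.

Added example, not code from Rapid7 or the aggregator page. Indicator values
are copied from the Attributes table; the log lines are constructed here for
illustration and do not come from any real host.
"""
import ipaddress
import re

# MD5 hashes listed on the page (lower-case, so lookups are case-insensitive).
MD5_IOCS = frozenset({
    "fa0ffca3597af31fc196ca27283aa038",
    "510a7fa9d425f1c3a38ad81d813b3f17",
    "7dcaffc9c26fe9e08e9b66e05c644cfc",
    "ee7acd7a8a5795308942f094c950de6f",
    "37a761f4d02577cf6789676f87cb9fc6",
    "6ff85e7bec211869073b969dbd10c8eb",
    "ca3de6f055f94acc87c6d335d9cc5c04",
    "d924ffd1f2952a03da29c0a7a33e6a54",
    "bcc1bf75e0be3efabbd616cc8cfa8c35",
})

# IPv4 addresses listed on the page, parsed once so comparison is exact.
IPV4_IOCS = frozenset(ipaddress.IPv4Address(a) for a in (
    "185.181.230.103", "135.237.120.41", "67.199.229.140", "76.9.210.45",
    "89.248.172.139", "131.226.235.203", "176.123.10.115", "185.162.128.133",
    "185.163.204.137",
))

# Assumed log format: space-separated key=value tokens (constructed, not a
# real Cleo or EDR log format).
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample records: two hash hits (one upper-case), one network hit,
# one clean line, one line with a malformed address.
SAMPLE_LOGS = [
    "ts=2024-12-10T04:12:01Z host=h1 event=file_write path=/tmp/a.jar md5=fa0ffca3597af31fc196ca27283aa038",
    "ts=2024-12-10T04:12:05Z host=h1 event=net_connect proc=java dst=185.181.230.103:443",
    "ts=2024-12-10T04:13:00Z host=h2 event=net_connect proc=java dst=10.0.0.5:8443",
    "ts=2024-12-10T04:14:10Z host=h2 event=file_write path=/tmp/b.jar md5=BCC1BF75E0BE3EFABBD616CC8CFA8C35",
    "ts=2024-12-10T04:15:00Z host=h3 event=net_connect proc=java dst=not-an-address",
]


def parse_kv(line):
    """Return the key=value tokens of one record as a dict with lower-case keys."""
    return {k.lower(): v for k, v in KV_RE.findall(line)}


def match_iocs(lines):
    """Return one hit dict per indicator match, in record order.

    Hash matches are case-insensitive; src/dst fields may carry a :port suffix,
    and values that are not valid IPv4 addresses are skipped rather than raised.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_kv(line)
        md5 = fields.get("md5", "").lower()
        if md5 in MD5_IOCS:
            hits.append({"line": n, "type": "md5", "value": md5})
        for key in ("src", "dst"):
            raw = fields.get(key)
            if not raw:
                continue
            try:
                addr = ipaddress.IPv4Address(raw.split(":")[0])
            except ValueError:
                continue  # malformed or non-IPv4 value; not an indicator hit
            if addr in IPV4_IOCS:
                hits.append({"line": n, "type": "ipv4", "field": key, "value": str(addr)})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

Feed real records through match_iocs after converting them to the same key=value shape; the event counts on the page (e.g. 2287 for cmd.exe) are how often the aggregator has seen each value across all reports, not a confidence score, which is another reason to hunt on the hashes and addresses rather than the file names.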