A newly discovered cyberattack exploits vulnerabilities in Cleo software to deliver a sophisticated Java-based remote access trojan (RAT). The exploit chain leverages malicious XML configuration files to inject commands and compromise systems, highlighting the growing threat of advanced, stealthy malware campaigns.
The attack involves multi-stage payloads, encrypted communications, and data exfiltration techniques, putting sensitive information at risk for organisations reliant on the affected platform.
The attack begins with an encoded Java Archive (JAR) file used to deploy the RAT. The JAR file is embedded within a complex exploitation chain that abuses XML-based configuration files in Cleo Integration Suite products (e.g., Harmony, VLTrader, LexiCom).
Attackers can upload and execute malicious XML configurations by exploiting a known vulnerability (CVE-2024-50623) and an as-yet-unnamed zero-day flaw. These configurations, when imported, trigger embedded PowerShell commands, compromising the host server.
The PowerShell script establishes a TCP connection to a malicious external host and retrieves encrypted payloads, which are decrypted using a custom XOR routine. The decrypted JAR file is then executed using Cleo’s embedded Java runtime, bypassing the need for external dependencies.
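As an added defender's example (not code from the original article or from Cleo), the following Python script scans an XML configuration file for element or attribute values that look like embedded PowerShell or command-interpreter invocations, the import-time vector described above, and decodes a Base64 encoded command so an analyst can triage it. The element names in the constructed sample config are assumed for illustration, not Cleo's real schema.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Heuristic patterns a defender would hunt for inside a configuration value:
# a PowerShell launcher, an encoded-command switch, or a shell interpreter.
# Constructed for this example; tune the list to your environment.
SUSPICIOUS = re.compile(
    r"powershell(\.exe)?|pwsh|-e(nc|ncodedcommand)?\b|cmd(\.exe)?\s*/c|Invoke-Expression|IEX\b",
    re.IGNORECASE,
)

def decode_encoded_command(value: str):
    """If the value carries '-enc <base64>', return the UTF-16LE plaintext for triage, else None."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", value, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_config(xml_text: str):
    """Return [(location, raw_value, decoded_command)] for every suspicious text or attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        candidates = [(elem.tag, elem.text or "")]
        candidates += [(f"{elem.tag}@{name}", val) for name, val in elem.attrib.items()]
        for location, value in candidates:
            if SUSPICIOUS.search(value):
                findings.append((location, value.strip(), decode_encoded_command(value)))
    return findings

# Constructed sample: one harmless option and one command-style value of the kind the
# article describes. The encoded payload is a benign Write-Output built at runtime.
ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_CONFIG = f"""<Host alias="example-partner">
  <Advanced>
    <Option name="Timeout">30</Option>
    <Option name="OnImport">powershell.exe -NoP -enc {ENCODED}</Option>
  </Advanced>
</Host>"""

if __name__ == "__main__":
    for location, value, decoded in scan_config(SAMPLE_CONFIG):
        print(f"[!] {location}: {value}")
        if decoded:
            print(f"    decoded: {decoded}")
```

Run it over every exported or imported host configuration on the server and review any hit; a legitimate transfer profile should not need to launch a shell.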
Researchers found that the Java RAT is modular, with key components including:
- Custom class loader: Dynamically loads and executes Java classes from an encrypted JAR file fetched during runtime.
- Encrypted communications: Uses AES encryption and dynamically evolving XOR routines for secure data exchange with the C2 server.
- Data exfiltration: Compresses and transmits local files in chunks via a network channel while managing buffers to evade detection.
- Command execution: Executes system commands across platforms (Windows/Linux), enabling interactive shell access for attackers.
The modular structure enables the malware to operate stealthily and adapt its functionality based on the received commands and payloads.
Researchers identified several classes within the RAT, each serving a specific function:
- Cli: Establishes a backdoor for remote control.
- Dwn and Mos: Handle file compression and transmission.
- Proc: Executes system commands and retrieves output.
- SrvSlot: Acts as the central node for encrypted communications and data handling.
- SFile: Handles file reading and writing operations.
- Slot: Manages the network connection using the Java network IO class.
Following the initial compromise, adversaries executed reconnaissance commands to gather system, user, and domain information. Notable commands include:
- systeminfo and whoami: For basic system and user details.
- nltest /domain_trusts: To enumerate domain trust relationships.
- wmic logicaldisk get name, size: To map storage devices.
In some cases, attackers performed ‘OverPass-The-Hash’ attacks, using NTLM hashes to obtain Kerberos tickets, granting access to additional network resources.
Researchers have urged organisations and users to monitor and patch for CVE-2024-50623, implement advanced threat detection, and restrict privileges to minimise the impact of exploitation.