A recent investigation into Cleo software exploitation has uncovered a sophisticated, multi-stage cyberattack involving a modular Java-based Remote Access Trojan (RAT). This attack utilizes an encoded Java Archive (JAR) payload to perform system reconnaissance, file exfiltration, command execution, and encrypted communication with a command-and-control (C2) server. The RAT's modular design includes components for dynamic decryption, network management, and staged data transfer, highlighting the importance of robust detection and response capabilities.

Exploitation and Payload Deployment

The attack chain begins with the upload and execution of an XML file within a ZIP archive. This XML file contains PowerShell code that exploits known vulnerabilities, including CVE-2024-50623, in Cleo software. The XML configuration defines a "Host" and "Mailbox" setup, which are typical in Cleo Integration Suite configurations. A suspicious Action element within the XML triggers the execution of a PowerShell command, leading to the deployment of the malicious JAR file.

PowerShell Script Analysis

The PowerShell script is launched through the remote code execution (RCE) path described above and uses Base64 encoding to obfuscate its commands. Once decoded, the script opens a TCP connection to an external host and retrieves encrypted data, which it decrypts with a custom XOR-based routine. The decrypted data is written to disk as a JAR file and executed with Cleo's embedded Java runtime.

  • Network Connection Setup: The script connects to a remote server and initiates a handshake.
  • XOR Decryption: A custom routine decrypts the payload, which is then saved locally.
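A defender triaging a suspicious Cleo configuration needs to spot Action elements that launch PowerShell and surface what an encoded command actually runs. The following Python is an added example written for this page, not code from the report or from Cleo: it walks a constructed XML document (the Host/Mailbox/Action nesting is a hypothetical layout, not the real Cleo schema), flags any Action whose text references PowerShell, and decodes an -EncodedCommand argument (Base64 of a UTF-16LE string) so an analyst can read it. The encoded blob in the sample is a harmless placeholder built inside the script.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed placeholder command, encoded the way PowerShell expects for
# -EncodedCommand: Base64 over the UTF-16LE bytes of the script text.
_PLACEHOLDER_CMD = "Write-Host hello"
_ENCODED = base64.b64encode(_PLACEHOLDER_CMD.encode("utf-16-le")).decode("ascii")

# Constructed sample configuration (hypothetical element layout, labelled as
# such): one benign Action and one that shells out to encoded PowerShell.
SAMPLE_XML = f"""<Host alias="partner-sftp">
  <Mailbox alias="inbound">
    <Action alias="benign-copy">
      <Commands>COPY inbox/* outbox/</Commands>
    </Action>
    <Action alias="suspicious-run">
      <Commands>SYSTEM powershell.exe -NoProfile -EncodedCommand {_ENCODED}</Commands>
    </Action>
  </Mailbox>
</Host>"""

# Any mention of PowerShell inside an Action is worth a look.
_PS_ANY = re.compile(r"powershell|pwsh", re.IGNORECASE)
# Capture the Base64 blob following -e / -ec / -enc / -EncodedCommand.
_ENC_FLAG = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE | re.DOTALL,
)


def decode_encoded_command(blob: str) -> str:
    """Decode a PowerShell -EncodedCommand value back to readable script text."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le", errors="replace")


def find_powershell_actions(xml_text: str) -> list[dict]:
    """Return one finding per Action element that references PowerShell.

    Each finding carries the Action alias, the raw command text, and the
    decoded script when an encoded command could be recovered.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.iter("Action"):
        text = " ".join(t.strip() for t in action.itertext() if t.strip())
        if not _PS_ANY.search(text):
            continue
        finding = {"action": action.get("alias", "<unnamed>"), "raw": text, "decoded": None}
        match = _ENC_FLAG.search(text)
        if match:
            try:
                finding["decoded"] = decode_encoded_command(match.group(1))
            except (ValueError, UnicodeDecodeError):
                finding["decoded"] = "<undecodable>"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_powershell_actions(SAMPLE_XML):
        print(f"Action {f['action']!r}: {f['raw']}")
        print(f"  decoded: {f['decoded']}")
```

Run against real configuration exports, the decoded text is where the analyst looks for the network connection and decryption routine the report describes; an Action that shells out to PowerShell at all is already anomalous in a file-transfer host configuration and should be reviewed regardless of whether the command decodes.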

Java RAT Architecture

The Java RAT employs a custom class loader to dynamically load and execute classes from a byte array. This approach allows the RAT to fetch and decrypt additional class data remotely, maintaining a small footprint and evading detection. The RAT's modular components facilitate file transfer, command execution, and encrypted communication with the C2 server.

Core Components

  • Cli Class: Establishes a backdoor connection and manages data streams.
  • Dwn Class: Handles file packaging and transmission to a remote server.
  • Proc Class: Executes system commands and returns output to the C2 server.

Indicators of Compromise and Mitigation

Network indicators of compromise (IOCs) include several suspicious IP addresses and a Cobalt Strike server. Post-exploitation behavior involves system enumeration and an "OverPass-The-Hash" attack to access additional network resources. Organizations should enhance their monitoring and incident response capabilities to detect and mitigate such threats promptly.

Network IOCs

  • 89.248.172[.]139
  • 176.123.10[.]115
  • 185.181.230[.]103
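To turn the published indicators into a check, the following Python is an added example (not code from the report): it refangs the defanged addresses above, then scans a set of constructed firewall and proxy log lines (hypothetical format) for any of those IPs in either direction and summarises hits per indicator.

```python
import ipaddress
import re
from collections import Counter

# Network IOCs exactly as published in the report, defanged with [.].
DEFANGED_IOCS = [
    "89.248.172[.]139",
    "176.123.10[.]115",
    "185.181.230[.]103",
]


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared to live data."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_SET = frozenset(ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS)

# Any dotted quad in the line; validated with ipaddress before matching.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines (hypothetical format and timestamps);
# 203.0.113.5 is a documentation address used here as benign traffic.
SAMPLE_LOGS = """\
2024-12-10T09:14:02Z fw01 allow src=10.20.5.17 dst=89.248.172.139 dport=443 proto=tcp
2024-12-10T09:14:05Z fw01 allow src=10.20.5.17 dst=203.0.113.5 dport=443 proto=tcp
2024-12-10T09:15:31Z proxy01 CONNECT 10.20.5.17 -> 185.181.230.103:443
2024-12-10T09:16:00Z fw01 deny src=176.123.10.115 dst=10.20.5.17 dport=22 proto=tcp
"""


def match_iocs(lines) -> list[dict]:
    """Return a hit for every line containing a published IOC address."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for token in _IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an IP
                continue
            if ip in IOC_SET:
                hits.append({"line_no": line_no, "ip": str(ip), "line": line.strip()})
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator so the most active C2 address stands out."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS.splitlines())
    for h in found:
        print(f"line {h['line_no']}: {h['ip']} <- {h['line']}")
    print(summarize(found))
```

The same loop works over exported proxy, firewall or NetFlow records; matching on both source and destination matters because the report describes the loader reaching out to the C2 server as well as inbound post-exploitation activity.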