Submitted URL: https://blog.onsec.io/r/d5d0c78e?m=c695482f-04d3-448b-81ea-c24a15c0acf0
Effective URL: https://cybersecuritynews.com/malichus-malware-exploiting-cleo-0-day/?ref=blog.onsec.io
Submission Tags: falconsandbox
Submission: On December 12 via api from US — Scanned from IL



MALICHUS MALWARE EXPLOITING CLEO 0-DAY VULNERABILITY IN WILD

By Guru Baran - December 12, 2024

Threat actors are actively exploiting a critical zero-day vulnerability
(CVE-2024-50623) in Cleo’s file transfer products Harmony, VLTrader, and
LexiCom.

The flaw, stemming from an unrestricted file upload and download vulnerability,
allows unauthenticated remote code execution (RCE), posing a severe risk to
enterprises relying on Cleo’s software for secure file transfers.

The vulnerability was first publicized by security vendor Huntress, which noted
that the flaw stemmed from an incomplete patch released by Cleo in October.



Despite subsequent patches, attackers have found ways to bypass these, leading
to widespread exploitation. Huntress telemetry indicates that at least ten
businesses, primarily in consumer products, the food industry, trucking, and
shipping, have been compromised.

A new malware family named Malichus has been identified as exploiting a zero-day
vulnerability in Cleo file transfer software.


This vulnerability, tracked as CVE-2024-50623, affects Cleo’s Harmony, VLTrader,
and LexiCom products, allowing attackers to execute arbitrary code remotely.


MALICHUS MALWARE EMPLOYS 3 STAGES

The Malichus malware operates in three distinct stages:

Attack Chain Malichus malware


STAGE 1: POWERSHELL DOWNLOADER

The initial stage involves a small PowerShell loader that prepares the host for
further exploitation. This loader is stored as a base64 blob, which, upon
decoding, executes a Java Archive named `cleo.[numerical-identifier]`.

It establishes a TCP connection to a command-and-control (C2) server to retrieve
the second-stage payload.



The loader also sets a variable called `Query`, which is crucial for identifying
the C2 address and the victim’s IP address.


STAGE 2: JAVA DOWNLOADER

The second stage involves downloading and decrypting a Java Archive using a
unique AES key per payload. This archive contains a manifest file that triggers
the execution of the `start` class.

The backdoor retrieves the `Query` environment variable, decodes it to obtain
the AES key, and uses it to download the third stage payload via TLS v3.

The downloaded data is then decrypted, revealing a corrupted zip file, which is
repaired by removing the first two bytes before extraction and loading.


STAGE 3: JAVA BACKDOOR / POST EXPLOITATION FRAMEWORK

The final stage is a modular Java-based post-exploitation framework comprising
nine class files. The primary driver, the `Cli` class, is loaded by the previous
stage.

This framework supports both Linux and Windows environments, although Huntress
observed its usage primarily on Windows systems.

It uses parameters passed from stage 2 to communicate with the C2 server,
identify the exploited system, and manage the malware’s persistence and data
theft activities.

Huntress security researchers first publicized the attacks on Monday, noting
that the vulnerability was being exploited en masse to steal data from at least
ten businesses, primarily in consumer products, food industry, trucking, and
shipping sectors.

The attacks began as early as December 3, with a significant uptick observed on
December 8.



Cleo has acknowledged the vulnerability and released an advisory urging
customers to upgrade to the latest product version (5.8.0.21) to address
additional attack vectors.

However, Huntress has indicated that even this patch is insufficient against the
exploits observed in the wild. Cleo is preparing a new CVE designation and
expects to release a new patch mid-week.

Rapid7 has advised Cleo customers to remove affected products from the public
internet and place them behind a firewall. Additionally, disabling Cleo’s
Autorun Directory can prevent the latter part of the attack chain from being
executed.

This campaign echoes previous attacks by notorious groups like Clop, which
targeted managed file transfer software to steal and ransom customer data. While
attribution remains unclear, there are unconfirmed reports suggesting
involvement by the Termite group, known for a recent attack on Blue Yonder.

The active exploitation of Cleo’s software underscores the critical need for
robust cybersecurity measures, especially in sectors handling sensitive data.
Companies using Cleo products are advised to take immediate action to secure
their systems and monitor for any signs of compromise dating back to at least
December 3, 2024.


IOCS

Filename    SHA256
cleo.2607   6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c
Cli         0c57b317b572d071afd8ccdb844dd6f117e20f818c6031d7ba8adcbd32be0617
Dwn         429d24e3f30c7e999033c91f32b108db48d669fde1c3fa62eff9da2697ed078e
DwnLevel    f80634ce187ad4834d8f68ac7c93500d9da69ee0a7c964df1ffc8db1b6fff5a9
Mos         0b7b1b24f85a0107829781b10d08432db260421a7727230f1d3caa854370cb81
Proc        1ba95af21bac45db43ebf02f87ecedde802c7de4d472f33e74ee0a5b5015a726
SFile       57ec6d8891c95a259636380f7d8b8f4f8ac209bc245d602bfa9014a4efd2c740
ScSlot      87f7627e98c27620dd947e8dd60e5a124fdd3bb7c0f5957f0d8f7da6d0f90dee
Slot        1e351bb7f6e105a3eaa1a0840140ae397e0e79c2bdc69d5e1197393fbeefc29b
SrvSlot     f4e5a6027b25ede93b10e132d5f861ed7cca1df7e36402978936019930e52a16
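As a defender-side worked example added here (not code from the article, from Huntress, or from Cleo), the script below loads the IoC table above, walks a directory, hashes every file and reports SHA256 matches against the published indicators. It also flags files whose name follows the `cleo.<numerical-identifier>` pattern the article describes for stage 1; that name check is a lower-confidence heuristic assumed here, not an indicator the article publishes. The sample directory it builds and the extra `constructed-sample.bin` indicator are constructed for the demonstration only.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# IoC table as published in the article above (filename -> SHA256).
MALICHUS_IOCS: Dict[str, str] = {
    "cleo.2607": "6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c",
    "Cli": "0c57b317b572d071afd8ccdb844dd6f117e20f818c6031d7ba8adcbd32be0617",
    "Dwn": "429d24e3f30c7e999033c91f32b108db48d669fde1c3fa62eff9da2697ed078e",
    "DwnLevel": "f80634ce187ad4834d8f68ac7c93500d9da69ee0a7c964df1ffc8db1b6fff5a9",
    "Mos": "0b7b1b24f85a0107829781b10d08432db260421a7727230f1d3caa854370cb81",
    "Proc": "1ba95af21bac45db43ebf02f87ecedde802c7de4d472f33e74ee0a5b5015a726",
    "SFile": "57ec6d8891c95a259636380f7d8b8f4f8ac209bc245d602bfa9014a4efd2c740",
    "ScSlot": "87f7627e98c27620dd947e8dd60e5a124fdd3bb7c0f5957f0d8f7da6d0f90dee",
    "Slot": "1e351bb7f6e105a3eaa1a0840140ae397e0e79c2bdc69d5e1197393fbeefc29b",
    "SrvSlot": "f4e5a6027b25ede93b10e132d5f861ed7cca1df7e36402978936019930e52a16",
}

# Stage-1 artefacts are described as `cleo.<numerical-identifier>`. This regex is a
# heuristic assumed here (not an indicator from the article): a name hit alone
# should be hashed and investigated, not treated as confirmed compromise.
STAGE1_NAME_PATTERN = re.compile(r"^cleo\.\d+$")


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large transfer payloads do not sit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Path, iocs: Dict[str, str] = MALICHUS_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, reason, detail) for every file that matches an indicator.

    reason == "sha256": content hash equals a published IoC (detail = IoC filename).
    reason == "name":   filename matches the stage-1 heuristic (detail = file's SHA256,
                        so an analyst can compare it against newer indicator lists).
    """
    by_hash = {h.lower(): name for name, h in iocs.items()}
    hits: List[Tuple[str, str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_of_file(path)
        if digest in by_hash:
            hits.append((str(path), "sha256", by_hash[digest]))
        elif STAGE1_NAME_PATTERN.match(path.name):
            hits.append((str(path), "name", digest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed sample directory and scan it; returns the hit list."""
    root = Path(tempfile.mkdtemp(prefix="malichus_ioc_demo_"))
    sample = b"constructed sample content, not a real payload\n"
    # Constructed files: one matching the stage-1 name heuristic, one benign,
    # and one whose hash we register as an extra, constructed indicator.
    (root / "cleo.1234").write_bytes(b"constructed stage-1 style filename\n")
    (root / "readme.txt").write_bytes(b"benign content\n")
    (root / "constructed-sample.bin").write_bytes(sample)
    iocs = dict(MALICHUS_IOCS)
    iocs["constructed-sample.bin"] = hashlib.sha256(sample).hexdigest()  # constructed
    return scan_directory(root, iocs)


if __name__ == "__main__":
    for path, reason, detail in demo():
        print(f"{reason:6} {path}  ({detail})")
```

In a real deployment, point `scan_directory` at the Cleo installation and Autorun directories the article and the Rapid7 guidance refer to, and treat any `sha256` hit as a confirmed indicator worth escalating; the `name` hits are triage leads only.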

Guru Baran
https://cybersecuritynews.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He
has 10+ years of experience as a Security Consultant, Editor, and Analyst in
cybersecurity, technology, and communications.




ABOUT US
Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack
News, Hacking News & Vulnerability Analysis.
FOLLOW US
 * Home
 * About Us
 * Contact US
 * Privacy Policy

© Copyright 2024 - Cyber Security News