TTPwire Vol. 1 · MITRE ATT&CK Tagged

Huntress

Cleo Malichus Malware Analysis CVE-2024-55956 | Huntress

2024-12-11

ATT&CK techniques detected

12 predictions

T1105 Ingress Tool Transfer · 81%
“and stage1fn. The passed parameters from stage 2 correspond to: - the C2 IP address retrieved from the query parameter - the exploited system IP address and associated port retrieved from the query parameter (used as a unique victim identifier) - the file name stored in the en…”

T1573 Encrypted Channel · 76%
“and sending responses from the C2 server. Upon connection to a C2 server this class will log the packet number using the method l within the cli class for debugging purposes before setting st to 2, indicating the connection has been successfully established and was ready to receiv…”

T1059.001 PowerShell · 74%
“Cleo Malichus Malware Analysis CVE-2024-55956 | Huntress. Summary - CVE-2024-55956: Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. The malware being delivered through this exploitation has now been analy…”

T1059.001 PowerShell · 69%
“zip file sending, zip files are split up for every 262154 bytes and then archived with zipids during exfiltration. This appears to be equivalent to 2 of their custom protocol packet lengths of 131072 bytes. proc proc contains implementations of the tasks that can be performed by …”

T1573.001 Symmetric Cryptography · 51%
“…er is shown below: the loader also sets a variable called query which is used for retrieving the C2 address used in a subsequent Java backdoor and the victim IP address identifier. The C2 IP address and second stage dropper are different for each identified payload by Huntress…”

T1105 Ingress Tool Transfer · 47%
“recvbuf, the dropper then keeps accepting bytes until the full stage 3 payload has been downloaded. Then, using the AES key and hardcoded IV, it decrypts the downloaded data, which will yield an intentionally corrupted zip. They then repair the header by cutting off the first two b…”

T1041 Exfiltration Over C2 Channel · 39%
“time passed and sending a status update to the C2 server if more than 5 seconds had passed since the last update. The setstat method called by tick will set fields of the newly created tick packet with information about the current state of the dwn class. Interestingly, this class…”

T1204.002 Malicious File · 38%
“Cleo Malichus Malware Analysis CVE-2024-55956 | Huntress. Summary - CVE-2024-55956: Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. The malware being delivered through this exploitation has now been analy…”

T1573 Encrypted Channel · 37%
“a complete packet, and calculates its CRC32 value to confirm the packet's integrity. Bytes 3 and 4 are then set to the high and low bytes of that CRC32 value before it is encrypted. After the packet's CRC32 has been updated, pkt0 calls addencr, which is responsible for encrypt…”

T1059 Command and Scripting Interpreter · 36%
“zip file sending, zip files are split up for every 262154 bytes and then archived with zipids during exfiltration. This appears to be equivalent to 2 of their custom protocol packet lengths of 131072 bytes. proc proc contains implementations of the tasks that can be performed by …”

T1071 Application Layer Protocol · 35%
“and stage1fn. The passed parameters from stage 2 correspond to: - the C2 IP address retrieved from the query parameter - the exploited system IP address and associated port retrieved from the query parameter (used as a unique victim identifier) - the file name stored in the en…”

T1020 Automated Exfiltration · 32%
“time passed and sending a status update to the C2 server if more than 5 seconds had passed since the last update. The setstat method called by tick will set fields of the newly created tick packet with information about the current state of the dwn class. Interestingly, this class…”

Summary

Team Huntress has analyzed Cleo's software vulnerability CVE-2024-55956. Take a look at the technical breakdown of a new family of malware we’ve named Malichus.