Thursday, January 23, 2025

Cleo 0-day Vulnerability Exploited to Deploy Malichus Malware


Cybersecurity researchers have uncovered a sophisticated exploitation campaign involving a zero-day (0-day) vulnerability in Cleo file transfer software platforms.

This campaign has been used to deliver a newly identified malware family, now dubbed “Malichus.”

The threat, recently analyzed by Huntress and corroborated by other industry vendors, shows significant technical complexity. It has raised alarms across the cybersecurity community because of its potential impact on organizations that rely on Cleo technologies for secure file exchange.

Overview of the Attack

Cleo 0-Day Vulnerability

Cleo, often used for enterprise data transfer and integration, was targeted by attackers who leveraged a previously unknown vulnerability to compromise systems.

The exploitation of this 0-day allows attackers to deploy Malichus, a modular malware framework with advanced capabilities aimed at exfiltration, reconnaissance, and post-exploitation operations.


The name “Malichus” references Malichus I, a historical adversary of Cleopatra known for his calculated acts of revenge, fitting the malware’s destructive and strategic nature. The attack follows a multi-stage process:

  1. Initial Entry with PowerShell Downloader
  2. Java-based Second-Stage Downloaders
  3. Deployment of a Modular Post-Exploitation Framework

Each stage uses bespoke techniques to avoid detection, evade analysis, and maximize control of the system.

Technical Anatomy of the Malichus Malware

The Malichus malware family is characterized by a three-stage deployment process, each carefully designed to establish reliable command-and-control (C2) communication, maintain persistence, and enable a wide range of malicious activities.

Stage 1: PowerShell Downloader

Formatted Stage 1 PowerShell Downloader script

The initial stage uses a small PowerShell script that acts as a loader. This script is obfuscated using Base64 encoding and functions to:

  • Decode and execute a Java Archive (JAR) file named in the format cleo.[unique-identifier].
  • Establish a TCP connection to the C2 server to retrieve the second-stage payload.
  • Dynamically assign C2 addresses and victim identifiers via a “Query” variable to maintain flexibility across infections.

This stage ensures the swift setup of the host for further exploitation while staying lightweight to evade endpoint detection systems.
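The Stage 1 description above gives a defender three concrete things to look for in endpoint telemetry: a Base64-encoded PowerShell command, a JAR name of the form cleo.[unique-identifier], and a TCP connection back to a C2 host. The following Python is an added example, not code from the article or from Huntress: it decodes the encoded command from constructed process-creation log lines and scores each line against those indicators. The log format, the sample scripts (which are inert stand-ins containing only the indicator strings, not a working downloader) and the severity thresholds are all assumptions for illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample process-creation log lines (not telemetry from the real campaign).
# Format: <timestamp> <parent_image> -> <image> <command_line>


def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Inert, constructed stand-in for a decoded Stage 1 script. It only carries the
# indicators the write-up describes (a cleo.<id> JAR, a Java launch, a TcpClient),
# not a working downloader.
_SUSPICIOUS_SCRIPT = (
    "$Query='host=203.0.113.7;id=ab12'; "
    "Start-Process java -ArgumentList '-jar cleo.5f3a'; "
    "New-Object Net.Sockets.TcpClient"
)
_BENIGN_SCRIPT = "Get-ChildItem C:\\Temp | Measure-Object"

SAMPLE_LOGS = [
    "2024-12-10T03:14:07Z javaw.exe -> powershell.exe powershell.exe -nop -w hidden -enc "
    + _encode_ps(_SUSPICIOUS_SCRIPT),
    "2024-12-10T03:15:11Z explorer.exe -> powershell.exe powershell.exe -EncodedCommand "
    + _encode_ps(_BENIGN_SCRIPT),
    "2024-12-10T03:16:42Z cmd.exe -> powershell.exe powershell.exe -Command Get-Date",
]

# Matches the encoded-command switch in its accepted spellings (longest first).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicators drawn from the Stage 1 description.
INDICATORS = {
    "cleo_jar": re.compile(r"\bcleo\.[A-Za-z0-9]+\b", re.IGNORECASE),
    "java_launch": re.compile(r"\bjava\w*\b[^;]*-jar\b", re.IGNORECASE),
    "tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script text if the command line carries an encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line: str) -> dict:
    """Decode an encoded PowerShell command line and score it against the Stage 1 indicators."""
    decoded = decode_encoded_command(line)
    hits = [name for name, rx in INDICATORS.items() if decoded and rx.search(decoded)]
    if "cleo_jar" in hits and len(hits) >= 2:
        severity = "high"  # JAR naming pattern plus at least one loader behaviour (assumed threshold)
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"line": line[:60], "decoded": decoded, "indicators": hits, "severity": severity}


def scan(lines) -> list:
    """Return only the lines that scored at least medium."""
    return [r for r in map(analyze_line, lines) if r["severity"] != "none"]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        print(r["severity"], r["indicators"], r["line"])
```

Decoding the Base64 blob before matching matters: the indicators never appear in the raw command line, so a rule that only inspects the visible arguments would miss this stage entirely. Feed real process-creation events (Sysmon Event ID 1 or 4688 with command-line auditing) through `analyze_line` in place of the constructed lines.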

Stage 2: Java Downloader

Java Downloader MANIFEST.MF file

The second stage involves a Java-based downloader that is responsible for retrieving the final payload. This downloader:

  • Decrypts downloaded components using unique AES keys per payload, ensuring attack-specific encryption.
  • Repairs corrupted zip files as part of its payload delivery mechanism.
  • Dynamically resolves class files within the decrypted archive to launch Stage 3.

The implementation of custom routines, such as environment variable parsing and encrypted C2 communication, displays the malware authors’ attention to stealth and adaptability.

Stage 3: Modular Post-Exploitation Framework

Decompilation of Cli class assigning variables before executing run method

The final stage is a Java-based framework comprising nine distinct class files, delivering comprehensive functionality for the attacker’s objectives. Key components of this framework include:

  1. Cli Class
    • Facilitates C2 communication, including queuing connections on port 443.
    • Deletes traces of earlier-stage payloads using platform-specific commands (e.g., PowerShell or Bash).
    • Logs activity for debugging and operational tracking.
  2. Proc Class
    • Executes commands on the compromised system, including interactive shell sessions.
    • Parses Cleo configuration files to uncover trading relationships and sensitive data locations.
  3. Dwn Class
    • Handles file exfiltration by zipping, packaging, and uploading selected directories to the C2.
    • Tracks state and progress of exfiltration tasks dynamically.
  4. Custom C2 Protocol
    Malichus employs a fully custom C2 communication protocol that incorporates packet integrity checks (CRC32) and encryption routines, ensuring secure data exchange between infected hosts and attackers. Special packet types, such as “hello” and “zip” packets, streamline operational control and exfiltration procedures.
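The C2 description above mentions CRC32 packet integrity checks and distinct "hello" and "zip" packet types. The Python below is an added example, not code from the article or from Huntress, showing how an analyst's dissector for captured traffic validates such framing and rejects a frame whose CRC does not match. The page does not document the real wire format, so the layout used here (a two-byte magic, a type byte, a big-endian length, the payload, and a trailing CRC32 over everything before it), the type numbers and the sample payloads are all constructed assumptions.

```python
import struct
import zlib

# Hypothetical framing used only for this example; it is NOT Malichus's real wire format.
#   magic(2) | type(1) | length(4, big-endian) | payload | crc32(4, big-endian)
# The CRC covers everything before it, so a corrupted or edited payload fails the check.
MAGIC = b"\xca\xfe"
PACKET_TYPES = {0x01: "hello", 0x02: "zip"}  # assumed type numbers
HEADER = struct.Struct(">2sBI")  # magic, type, payload length
TRAILER = struct.Struct(">I")    # crc32


class FrameError(ValueError):
    """Raised when a frame fails structural or integrity checks."""


def build_frame(ptype: int, payload: bytes) -> bytes:
    """Construct one frame (used here only to produce constructed test traffic)."""
    body = HEADER.pack(MAGIC, ptype, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(buf: bytes, offset: int = 0):
    """Parse the frame at buf[offset:], returning (type_name, payload, next_offset)."""
    if len(buf) - offset < HEADER.size + TRAILER.size:
        raise FrameError("short frame")
    magic, ptype, length = HEADER.unpack_from(buf, offset)
    if magic != MAGIC:
        raise FrameError("bad magic")
    start = offset + HEADER.size
    end = start + length
    if len(buf) < end + TRAILER.size:
        raise FrameError("truncated payload")
    (expected,) = TRAILER.unpack_from(buf, end)
    actual = zlib.crc32(buf[offset:end]) & 0xFFFFFFFF
    if expected != actual:
        raise FrameError(f"crc mismatch: expected {expected:08x}, got {actual:08x}")
    name = PACKET_TYPES.get(ptype, f"unknown({ptype:#x})")
    return name, bytes(buf[start:end]), end + TRAILER.size


def parse_stream(buf: bytes) -> list:
    """Split a captured byte stream into verified frames, stopping at the first bad one."""
    frames, offset = [], 0
    while offset < len(buf):
        name, payload, offset = parse_frame(buf, offset)
        frames.append((name, payload))
    return frames


def crc_ok(buf: bytes) -> bool:
    """True if the frame at the start of buf passes its integrity check."""
    try:
        parse_frame(buf)
        return True
    except FrameError:
        return False


# Constructed capture: a hello frame followed by a zip frame, then a copy of the
# hello frame with one payload byte altered so its CRC no longer matches.
CAPTURE = build_frame(0x01, b"victim-id=ab12") + build_frame(0x02, b"PK\x03\x04fake-archive")
_tampered = bytearray(build_frame(0x01, b"victim-id=ab12"))
_tampered[HEADER.size] ^= 0x01
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for name, payload in parse_stream(CAPTURE):
        print(name, payload)
    print("tampered frame accepted:", crc_ok(TAMPERED))
```

The practical lesson for detection engineering is that a protocol with its own framing and integrity check will not look like HTTP or TLS to a proxy, even on port 443; a dissector like this one lets a network sensor classify the frames by type instead of treating the connection as opaque binary.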

The modular design and expansive feature set of Malichus indicate a tailored approach to targeting organizations using Cleo software, particularly those in industries where secure file transfer and business integration are critical.

By leveraging its understanding of Cleo’s configuration structure, the malware can:

  1. Identify relationships between trading partners.
  2. Locate directories containing exchanged files.
  3. Exploit sensitive data for further attacks or financial gain.

Of particular concern is the adaptability of Malichus. Its multi-platform support (Windows and Linux), dynamic C2 handling, and encrypted packet protocols make detection and mitigation challenging for standard cybersecurity defenses.

The Cleo 0-day vulnerability exploited to deploy Malichus malware highlights the ever-evolving tactics of cybercriminals in targeting critical business systems.

Malichus represents a sophisticated and focused attack that warrants immediate attention from organizations relying on Cleo software.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
