Cyber Security News

Cleo 0-day Vulnerability Exploited to Deploy Malichus Malware

Cybersecurity researchers have uncovered a sophisticated exploitation campaign involving a zero-day (0-day) vulnerability in Cleo file transfer software platforms.

This campaign has been used to deliver a newly identified malware family, now dubbed “Malichus.”

The threat, recently analyzed by Huntress and corroborated by other industry vendors, demonstrates significant technical complexity, raising alarms across the cybersecurity community due to its potential implications for organizations relying on Cleo technologies for secure file exchange.

Overview of the AttackOverview of the Attack
Overview of the Attack

Cleo 0-Day Vulnerability

Cleo, often used for enterprise data transfer and integration, was targeted by attackers who leveraged a previously unknown vulnerability to compromise systems.

The exploitation of this 0-day allows attackers to deploy Malichus, a modular malware framework with advanced capabilities aimed at exfiltration, reconnaissance, and post-exploitation operations.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The name “Malichus” references Malichus I, a historical adversary of Cleopatra known for his calculated acts of revenge, fitting the malware’s destructive and strategic nature. The attack follows a multi-stage process:

  1. Initial Entry with PowerShell Downloader
  2. Java-based Second-Stage Downloaders
  3. Deployment of a Modular Post-Exploitation Framework

Each stage utilizes bespoke techniques to avoid detection, evade analysis, and maximize system control.

Technical Anatomy of the Malichus Malware

The Malichus malware family is characterized by a three-stage deployment process, each carefully designed to establish reliable command-and-control (C2) communication, maintain persistence, and enable a wide range of malicious activities.

Stage 1: PowerShell Downloader

Formatted Stage 1 PowerShell Downloader script

The initial stage uses a small PowerShell script that acts as a loader. This script is obfuscated using Base64 encoding and functions to:

  • Decode and execute a Java Archive (JAR) file named in the format cleo.[unique-identifier].
  • Establish a TCP connection to the C2 server to retrieve the second-stage payload.
  • Dynamically assign C2 addresses and victim identifiers via a “Query” variable to maintain flexibility across infections.

This stage ensures the swift setup of the host for further exploitation while staying lightweight to evade endpoint detection systems.

Stage 2: Java Downloader

Java Downloader MANIFEST.MF file

The second stage involves a Java-based downloader that is responsible for retrieving the final payload. This downloader:

  • Decrypts downloaded components using unique AES keys per payload, ensuring attack-specific encryption.
  • Repairs corrupted zip files as part of its payload delivery mechanism.
  • Dynamically resolves class files within the decrypted archive to launch Stage 3.

The implementation of custom routines, such as environment variable parsing and encrypted C2 communication, displays the malware authors’ attention to stealth and adaptability.

Stage 3: Modular Post-Exploitation Framework

Decompilation of Cli class assigning variables before executing run method

The final stage is a Java-based framework comprising nine distinct class files, delivering comprehensive functionality for the attacker’s objectives. Key components of this framework include:

  1. Cli Class
    • Facilitates C2 communication, including queuing connections on port 443.
    • Deletes traces of earlier-stage payloads using platform-specific commands (e.g., PowerShell or Bash).
    • Logs activity for debugging and operational tracking.
  2. Proc Class
    • Executes commands on the compromised system, including interactive shell sessions.
    • Parses Cleo configuration files to uncover trading relationships and sensitive data locations.
  3. Dwn Class
    • Handles file exfiltration by zipping, packaging, and uploading selected directories to the C2.
    • Tracks state and progress of exfiltration tasks dynamically.
  4. Custom C2 Protocol
    Malichus employs a fully custom C2 communication protocol that incorporates packet integrity checks (CRC32) and encryption routines, ensuring secure data exchange between infected hosts and attackers. Special packet types, such as “hello” and “zip” packets, streamline operational control and exfiltration procedures.

The modular design and expansive feature set of Malichus indicate a tailored approach to targeting organizations using Cleo software, particularly those in industries where secure file transfer and business integration are critical.

By leveraging its understanding of Cleo’s configuration structure, the malware can:

  1. Identify relationships between trading partners.
  2. Locate directories containing exchanged files.
  3. Exploit sensitive data for further attacks or financial gain.

Of particular concern is the adaptability of Malichus. Its multi-platform support (Windows and Linux), dynamic C2 handling, and encrypted packet protocols make detection and mitigation challenging for standard cybersecurity defenses.

The Cleo 0-day vulnerability exploited to deploy Malichus malware highlights the ever-evolving tactics of cybercriminals in targeting critical business systems.

Malichus represents a sophisticated and focused attack that warrants immediate attention from organizations relying on Cleo software.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

1 day ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

1 day ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

1 day ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

1 day ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

1 day ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago