Explosive Remote Access Trojan and Caterpillar Web Shell

Summary

New versions of Explosive RAT and Caterpillar Web Shell have been observed in a recent campaign by the long-running and evasive Lebanese Cedar APT, also known as Volatile Cedar.


Affected platforms

The following platforms are known to be affected:

Oracle and Atlassian web servers


Threat details

Introduction

Explosive Remote Access Trojan (RAT) and Caterpillar Web Shell are malware tools custom-built by the Lebanese Cedar Advanced Persistent Threat (APT) group, also known as Volatile Cedar. Security researchers have observed Explosive and Caterpillar deployed by Lebanese Cedar alongside open-source tools in a recent campaign targeting vulnerable Oracle and Atlassian web servers.

Lebanese Cedar has operated since 2012 and was first publicly exposed in 2015, but the group avoided further attention from security researchers until early 2021.


Delivery

Explosive and Caterpillar are delivered remotely by exploiting known vulnerabilities in unpatched, public-facing Oracle and Atlassian web servers. Exploits observed in the campaign include CVE-2019-3396, CVE-2019-11581 and CVE-2012-3152, which affect Atlassian Confluence, Atlassian Jira and Oracle Fusion Middleware respectively. All three have vendor patches available; an exposed server still running a vulnerable version should be treated as potentially compromised rather than simply patched.


Activities

Once a web server has been compromised, extensive reconnaissance is carried out. Caterpillar is used to collect network information and to install additional files, while Explosive is used to steal sensitive information. Lebanese Cedar evades detection by using common system utilities, changing its attack methodology between campaigns and ceasing operations for long periods of time.


Remediation advice

Public-facing Oracle and Atlassian web servers should be checked for unusual activity and to ensure all available security updates have been applied. To help prevent and detect an infection, NHS Digital also advises that:

  • Secure configurations are applied to all devices.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Indicators of compromise

Network indicators

IP addresses:

  • 68.65.122[.]109
  • 74.208.73[.]149
  • 191.101.5[.]183
  • 198.101.242[.]72
  • 169.50.13[.]61

Host indicators

Explosive RAT file hashes (MD5):

  • a97fdcb6493c2012aeebdeef0e09625a
  • 1316d35f6472eb323ae2c8b75199fbb5
  • 09a0970bfc1bc8acec1ec609d8d98fda
  • fef76a8027e07c7a51b312a26c488653
  • 902bcc27ed86bc623e20532239895da7
  • 8ac64a171736252b81c4a559df1f9bae
  • 65954b4c60031fb857a09761497ff641
  • 4147d6beb17b507a5df345dae5f15c41
  • 544fdcce998fc7f4bb2914b3ec5b4761
  • 1aebf9d07fe6e82d97e062cdbe656a36
  • 5d1f75bfc7cbd96891f26b1041fd5994
  • b54346cdaf9556eb88f3d95e0bad2be5
  • e9f0260409c6c964985fa4df926d7e04
  • 3188df195d09ee38d89707501e330c2f

Explosive RAT file names:

  • 917951-f2030832.dll
  • Communicate.DLL
  • dllhost.exe
  • dzip
  • Mir.exe
  • rspr
  • spmpm.dll
  • syslib.tmp
  • symlock
  • vvzip
  • vwupd.tmp
  • wsinhelpd
  • wvwupd.exe

Web Shell file hashes (MD5):

  • 33af1cd4585da9ed804068b2a45fc8b4
  • 6ba944e9d3d96a46509204cd06ea2b11
  • 61f46fa93083d3a160ac8356fbc15722
  • 150dc0141b8a0010bb5a82419b3293eb
  • 7d58573b98597a010597423652ae3394
  • f30f2184ed83929cf96157bc91210daa
  • 8ed3d1cadc4c2251ec606b9d6eb5d272
  • 2d804386de4073bad642dfc816876d08
  • 2adf71947e977b85e269d5962243215c
  • 93448b89c592985e22f60ab0d654787d
  • 39887492c5c70977c0c0cf0aa0e7154b

Web Shell file names:

  • 404.aspx
  • 405.aspx
  • CV.php
  • Mamad.aspx
  • test.jsp
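A sweep for the indicators above, written here as an added example rather than NHS Digital's or the original researchers' tooling. It walks a directory tree and matches file names (case-insensitively, since Windows file systems are) and file digests against the lists on this page, and picks the listed IP addresses out of any text log. The listed digests are 32 hex characters long, which is MD5 length, so the script hashes with MD5. The webroot and log lines it runs against are constructed inside the script so it works offline; point scan_tree() and scan_log() at a real webroot and access log to use it.

```python
"""Sweep a directory tree and a text log for the indicators listed on this
page. Added example, not NHS Digital tooling. The IoC sets are copied from the
lists above; the sample files and log lines are constructed here."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Network indicators, re-fanged (the page writes them as 68.65.122[.]109).
IOC_IPS = {
    "68.65.122.109", "74.208.73.149", "191.101.5.183",
    "198.101.242.72", "169.50.13.61",
}
# The listed digests are 32 hex characters long, i.e. MD5, so match on MD5.
IOC_MD5 = {
    "a97fdcb6493c2012aeebdeef0e09625a", "1316d35f6472eb323ae2c8b75199fbb5",
    "09a0970bfc1bc8acec1ec609d8d98fda", "fef76a8027e07c7a51b312a26c488653",
    "902bcc27ed86bc623e20532239895da7", "8ac64a171736252b81c4a559df1f9bae",
    "65954b4c60031fb857a09761497ff641", "4147d6beb17b507a5df345dae5f15c41",
    "544fdcce998fc7f4bb2914b3ec5b4761", "1aebf9d07fe6e82d97e062cdbe656a36",
    "5d1f75bfc7cbd96891f26b1041fd5994", "b54346cdaf9556eb88f3d95e0bad2be5",
    "e9f0260409c6c964985fa4df926d7e04", "3188df195d09ee38d89707501e330c2f",
    "33af1cd4585da9ed804068b2a45fc8b4", "6ba944e9d3d96a46509204cd06ea2b11",
    "61f46fa93083d3a160ac8356fbc15722", "150dc0141b8a0010bb5a82419b3293eb",
    "7d58573b98597a010597423652ae3394", "f30f2184ed83929cf96157bc91210daa",
    "8ed3d1cadc4c2251ec606b9d6eb5d272", "2d804386de4073bad642dfc816876d08",
    "2adf71947e977b85e269d5962243215c", "93448b89c592985e22f60ab0d654787d",
    "39887492c5c70977c0c0cf0aa0e7154b",
}
# File names, lower-cased because Windows/NTFS names are case-insensitive.
IOC_NAMES = {n.lower() for n in (
    "917951-f2030832.dll", "Communicate.DLL", "dllhost.exe", "dzip", "Mir.exe",
    "rspr", "spmpm.dll", "syslib.tmp", "symlock", "vvzip", "vwupd.tmp",
    "wsinhelpd", "wvwupd.exe", "404.aspx", "405.aspx", "CV.php", "Mamad.aspx",
    "test.jsp",
)}


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large artefacts do not load into RAM."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path) -> list:
    """One finding per file whose MD5 or name is a listed indicator. A hash hit
    is strong; a name hit is only a lead (dllhost.exe is also a legitimate
    Windows binary), so each finding records which reasons fired."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            if name.lower() in IOC_NAMES:
                reasons.append("name")
            try:
                if md5_of(path) in IOC_MD5:
                    reasons.append("md5")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if reasons:
                findings.append({"path": str(path), "reasons": reasons})
    return findings


IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log(lines) -> list:
    """(ip, line) for every line containing a listed IP as a whole token, so
    access, proxy and firewall logs all work without assuming a column layout."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((ip, line.rstrip()))
                break
    return hits


# Constructed access-log lines, not from a real incident.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2021:10:00:00 +0000] "GET /login HTTP/1.1" 200 512',
    '191.101.5.183 - - [01/Dec/2021:10:00:07 +0000] "POST /test.jsp HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Dec/2021:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def demo() -> dict:
    """Build a throwaway webroot with one benign file and one suspiciously
    named (constructed) file, then run both scanners."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html>ok</html>")
        (root / "test.jsp").write_text("<% /* constructed placeholder */ %>")
        tree_hits = scan_tree(root)
    return {
        "files": [(Path(f["path"]).name, f["reasons"]) for f in tree_hits],
        "log": [ip for ip, _ in scan_log(SAMPLE_LOG)],
    }


if __name__ == "__main__":
    print(demo())
```

A hash match is a strong indicator; a name match on its own is only a lead, since dllhost.exe is also a legitimate Windows binary and an attacker can rename a web shell at will, which is why each finding carries its reasons. Run the tree scan on each public-facing Oracle and Atlassian host and the log scan on the proxy or firewall logs in front of them, and treat any hash hit as a confirmed compromise to be escalated rather than cleaned up in place.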


Last edited: 21 December 2021 9:57 am