Threat actors are actively exploiting a critical zero-day vulnerability (CVE-2024-50623) in Cleo’s file transfer products Harmony, VLTrader, and LexiComis.
The flaw, stemming from an unrestricted file upload and download vulnerability, allows unauthenticated remote code execution (RCE), posing a severe risk to enterprises relying on Cleo’s software for secure file transfers.
The vulnerability was first publicized by security vendor Huntress, who noted that the flaw stemmed from an incomplete patch released by Cleo in October.
Despite subsequent patches, attackers have found ways to bypass these, leading to widespread exploitation. Huntress telemetry indicates that at least ten businesses, primarily in consumer products, the food industry, trucking, and shipping, have been compromised.
A new malware family named Malichus has been identified as exploiting a zero-day vulnerability in Cleo file transfer software.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
This vulnerability, tracked as CVE-2024-50623, affects Cleo’s Harmony, VLTrader, and LexiCom products, allowing attackers to execute arbitrary code remotely.
Malichus malware Employs 3 Stages
The Malichus malware operates in three distinct stages:
Stage 1: PowerShell Downloader
The initial stage involves a small PowerShell loader that prepares the host for further exploitation. This loader is stored as a base64 blob, which, upon decoding, executes a Java Archive named `cleo.[numerical-identifier]`.
It establishes a TCP connection to a command-and-control (C2) server to retrieve the second-stage payload.
The loader also sets a variable called `Query`, which is crucial for identifying the C2 address and the victim’s IP address.
Stage 2: Java Downloader
The second stage involves downloading and decrypting a Java Archive using a unique AES key per payload. This archive contains a manifest file that triggers the execution of the `start` class.
The backdoor retrieves the `Query` environment variable, decodes it to obtain the AES key, and uses it to download the third stage payload via TLS v3.
The downloaded data is then decrypted, revealing a corrupted zip file, which is repaired by removing the first two bytes before extraction and loading.
Stage 3: Java Backdoor / Post Exploitation Framework
The final stage is a modular Java-based post-exploitation framework comprising nine class files. The primary driver, `Cli` class, is loaded by the previous stage.
This framework supports both Linux and Windows environments, although Huntress observed its usage primarily on Windows systems.
It uses parameters passed from stage 2 to communicate with the C2 server, identify the exploited system, and manage the malware’s persistence and data theft activities.
Huntress security researchers first publicized the attacks on Monday, noting that the vulnerability was being exploited en masse to steal data from at least ten businesses, primarily in consumer products, food industry, trucking, and shipping sectors.
The attacks began as early as December 3, with a significant uptick observed on December 8.
Cleo has acknowledged the vulnerability and released an advisory urging customers to upgrade to the latest product version (5.8.0.21) to address additional attack vectors.
However, Huntress has indicated that even this patch is insufficient against the exploits observed in the wild. Cleo is preparing a new CVE designation and expects to release a new patch mid-week
Rapid7 has advised Cleo customers to remove affected products from the public internet and place them behind a firewall. Additionally, disabling Cleo’s Autorun Directory can prevent the latter part of the attack chain from being executed.
This campaign echoes previous attacks by notorious groups like Clop, which targeted managed file transfer software to steal and ransom customer data. While attribution remains unclear, there are unconfirmed reports suggesting involvement by the Termite group, known for a recent attack on Blue Yonder.
.The active exploitation of Cleo’s software underscores the critical need for robust cybersecurity measures, especially in sectors handling sensitive data. Companies using Cleo products are advised to take immediate action to secure their systems and monitor for any signs of compromise dating back to at least December 3, 2024.
IOCs
| Filename | SHA256 |
|---|---|
| cleo.2607 | 6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c |
| Cli | 0c57b317b572d071afd8ccdb844dd6f117e20f818c6031d7ba8adcbd32be0617 |
| Dwn | 429d24e3f30c7e999033c91f32b108db48d669fde1c3fa62eff9da2697ed078e |
| DwnLevel | f80634ce187ad4834d8f68ac7c93500d9da69ee0a7c964df1ffc8db1b6fff5a9 |
| Mos | 0b7b1b24f85a0107829781b10d08432db260421a7727230f1d3caa854370cb81 |
| Proc | 1ba95af21bac45db43ebf02f87ecedde802c7de4d472f33e74ee0a5b5015a726 |
| SFile | 57ec6d8891c95a259636380f7d8b8f4f8ac209bc245d602bfa9014a4efd2c740 |
| ScSlot | 87f7627e98c27620dd947e8dd60e5a124fdd3bb7c0f5957f0d8f7da6d0f90dee |
| Slot | 1e351bb7f6e105a3eaa1a0840140ae397e0e79c2bdc69d5e1197393fbeefc29b |
| SrvSlot | f4e5a6027b25ede93b10e132d5f861ed7cca1df7e36402978936019930e52a16 |
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free