Threat Report
SUMMARY
The recently discovered critical vulnerabilities in Cleo's file transfer software suite have triggered a widespread exploitation campaign affecting the LexiCom, VLTrader, and Harmony products. The attack chain begins with an unauthenticated arbitrary file upload that leads to remote code execution, followed by a multi-stage attack sequence involving malicious files dropped in the autorun directory and PowerShell-based payload delivery.
Cleo has also published an update and advisory for CVE-2024-50623 and CVE-2024-55956, both of which allow unauthenticated remote code execution.
All versions prior to and including 5.8.0.21 are vulnerable:
Cleo Harmony® (5.8.0.21)
Cleo VLTrader® (5.8.0.21)
Cleo LexiCom® (5.8.0.21)
Cleo MFT Solution
Analysis (Attack Chain)
Initial Access Vector
The attackers exploit a vulnerability in Cleo (CVE-2024-50623) that allows unrestricted file upload and download on affected devices and leads to remote code execution. This vulnerability affects all versions up to 5.8.0.23, including systems that were fully patched at the time of discovery.
Logfile: C:\LexiCom\logs\LexiCom.xml
Attack Sequence
Stage 1: Initial Compromise
Attackers leverage the arbitrary file-write capability to drop files on the system. The threat actors place the file in the autorun directory, knowing the software will automatically interpret and execute it.
Primary payload: healthchecktemplate.txt, placed in the autorun directory. This autorun invokes the "Import" functionality native to the Cleo software.
Secondary payload: the import process reads a local file from disk, temp\LexiCom6836057879780436035.tmp, which is the second file dropped by the threat actor: a temporary ZIP file containing malicious XML configuration, with a subdirectory 'host' and a 'main.xml' file inside it.
host\main.xml
Stage 2: Execution
This main.xml file stages a new autorun, healthcheck.txt, which invokes a PowerShell command to gain code execution.
As is common with threat actors, the healthchecktemplate.txt and healthcheck.txt files placed in the autorun subdirectory were automatically deleted to cover the actor's tracks.
The commands executed through PowerShell were Base64-encoded, another very common tactic.
Stage 3: Payload Delivery
The process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation. These JAR files provide webshell-like functionality for persistence on the endpoint.
A PowerShell downloader script initiates contact with C2 infrastructure over port 443 (encrypted communication).
An encoded JAR file (cleo.xxxx.jar) containing a start.class is downloaded and decrypted using XOR-based decryption routines.
A second-stage JAR payload with dynamic components for system control is executed, leveraging Cleo's embedded Java runtime.
A deep technical analysis of the artifacts and evidence can be found in Arctic Wolf's threat blog post, Cleopatra's Shadow.
Java RAT Framework
This modular Java-based RAT provides:
System reconnaissance capabilities
File exfiltration functionality
Encrypted C2 communication
Dynamic payload decryption
Internal Recon / Discovery
In the intrusions, basic discovery commands were used, such as those seen below:
whoami
systeminfo
nltest /domain_trusts
net view
net session
wmic localdisk get name, size
Post Exploitation
The Arctic Wolf team traced the attack chain to a malicious PowerShell stager that ultimately executes a new Java-based backdoor, dubbed 'Cleopatra'. The Cleopatra backdoor supports in-memory file storage, runs cross-platform on Windows and Linux, and is specifically designed to access data stored within Cleo MFT software.
Threat Context
The campaign has been attributed to the Cl0p ransomware group, known for targeting managed file transfer solutions. Over 1,342 exposed instances have been identified globally, with 79% located in the United States. The attackers primarily targeted organizations in the consumer products, logistics, food supply, and shipping sectors.
Detection
Indicators of Compromise (IoCs)
IPv4 Address
File Hash
6705EEA898EF1155417361FA71B1078B7AAAB61E7597D2A080AA38DF4AD87B1C - SHA256 - Java Loader (cleo.####.jar)
Filename
healthcheck.txt - Malicious Cleo autorun
healthchecktemplate.txt - Malicious Cleo autorun
Hunting Opportunities
Network Detection
Suspicious Network Connections
Monitor for outbound SSL/TLS connections from Cleo software products to rare or suspicious IP addresses, particularly connections to 45.182.189[.]225 and 181.214.147[.]164.
File Transfer Patterns
Watch for anomalous data transfer volumes or unusual destination endpoints from Cleo applications.
Host-Based Detection
File System Monitoring
Watch for file creation in the Cleo autorun directory
Monitor for suspicious JAR files named "cleo.[numerical-identifier].jar"
Track PowerShell execution from Cleo processes
Process Analysis
Monitor for:
Java runtime execution from unexpected locations
PowerShell processes spawned by Cleo applications
Suspicious command execution on Cleo servers
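To make the File System Monitoring and Process Analysis items above concrete, here is an added Python example (not from the original report or from any vendor) that applies those checks to constructed sample events; the Cleo install roots and the Sysmon-like field names are assumptions.

```python
import re
# Constructed sample process-creation events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\LexiCom\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand UGxhY2Vob2xkZXI="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"ParentImage": r"C:\LexiCom\jre\bin\javaw.exe",
     "Image": r"C:\LexiCom\jre\bin\java.exe",
     "CommandLine": r"java.exe -jar C:\LexiCom\temp\cleo.6836057879.jar"},
]
# Constructed sample file-creation paths using the filenames named in the report.
SAMPLE_FILES = [
    r"C:\LexiCom\autorun\healthchecktemplate.txt",
    r"C:\LexiCom\temp\cleo.6836057879.jar",
    r"C:\LexiCom\logs\LexiCom.xml",
]

# Assumed default install roots, derived from the C:\LexiCom log path in the report.
CLEO_ROOTS = ("c:\\lexicom\\", "c:\\vltrader\\", "c:\\harmony\\")
JAR_RE = re.compile(r"\bcleo\.\d+\.jar\b", re.IGNORECASE)      # cleo.<digits>.jar naming
AUTORUN_RE = re.compile(r"\\autorun\\[^\\]+$", re.IGNORECASE)  # file directly in autorun\
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)

def under_cleo_root(path):
    return path.lower().startswith(CLEO_ROOTS)

def classify_process(event):
    """Return detection tags for one process-creation event (empty list = nothing flagged)."""
    tags = []
    parent, image, cmd = event["ParentImage"], event["Image"], event["CommandLine"]
    if under_cleo_root(parent) and image.lower().endswith("powershell.exe"):
        tags.append("powershell_spawned_by_cleo")
        if ENCODED_RE.search(cmd):
            tags.append("encoded_powershell")  # Base64 -EncodedCommand, as in the report
    if JAR_RE.search(cmd):
        tags.append("cleo_numbered_jar")
    return tags

def classify_file(path):
    """Return detection tags for one file-creation path."""
    tags = []
    if under_cleo_root(path) and AUTORUN_RE.search(path):
        tags.append("autorun_file_created")
    if JAR_RE.search(path):
        tags.append("cleo_numbered_jar")
    return tags
```

Any file landing directly in the autorun directory is flagged, since legitimate autoruns are rare and should be reviewed against change records rather than filtered by name.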
Key Artifacts
Malicious Components
Base64 encoded PowerShell loaders
JAR files with specific naming patterns
Files in the autorun directory
Configuration Changes
Modifications to trading relationship configurations
Changes to payload file locations
Alterations in file handling procedures
Recommended Telemetry Sources
Network flow logs
SSL/TLS inspection logs
File system auditing
Process creation logs
PowerShell script block logging
Java runtime execution logs
Sources/References
Huntress Threat Report - Oh No Cleo! ...
Arctic Wolf Threat Report - Cleopatra's Shadow
Vulnera - Cleo MFT ...
Cleo Solutions Center - Advisory