This report is about a known nation-state actor using multiple vulnerabilities to exploit perimeter devices. The threat actor group is known as APT41 in the cybersecurity community. APT41 is utilizing a custom-coded backdoor trojan called Speculoos to exploit a well-known Citrix vulnerability.
See the following related reports for background information:
The Speculoos backdoor trojan is used to infect the Citrix appliance which is listed below (Impact section). The malware acts as a post-exploitation tool where the malware takes over the appliance at multiple levels. All the actions taken by the Speculoos backdoor trojan, are to operate at the Kernel level (space) of the operating system. It targets key areas like the CPU (processor), physical memory, and much more to pull key configurations from the infected host. It does this by utilizing key “switching elements” (sysctl profiles in Linux/UNIX) in the operating system to pull such configuration information.
The malware enters the system using common network protocols like FTP (File Transfer Protocol) to start the infection phase of the malicious software. The trojan utilizes hexadecimal command sets to engage in file manipulation on the infected machine. Speculoos is highly advanced but is generally pretty common among nation-state-level threat actors.
Could result in the loss of sensitive configuration information that may aid in further network/system compromise. It’s highly encouraged if your organization has financial assets that are highly sensitive please, consider reviewing this malware campaign carefully.
The affected system builds (CVE-2019-19781):
It’s highly encouraged that you consider implementing the indicators of compromise (IOCs) list below as a preemptive measure. There’s a vendor patch available for CVE-2019-19781 so, consider implementing the appropriate patch for your environment.
Palo Alto Unit 42 Article:
Additional Reading for Curious Minds:
Kernel Space vs. User Space: https://www.embhack.com/introduction-to-kernel-space-and-user-space/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.