Cleo 0-day Vulnerability Exploited to Deploy Malichus Malware

Cybersecurity researchers have uncovered a sophisticated exploitation campaign involving a zero-day (0-day) vulnerability in Cleo file transfer software platforms.

This campaign has been used to deliver a newly identified malware family, now dubbed “Malichus.”

The threat, recently analyzed by Huntress and corroborated by other industry vendors, demonstrates significant technical complexity, raising alarms across the cybersecurity community due to its potential implications for organizations relying on Cleo technologies for secure file exchange.

<imgOverview of the Attack
Overview of the Attack

Cleo 0-Day Vulnerability

Cleo, often used for enterprise data transfer and integration, was targeted by attackers who leveraged a previously unknown vulnerability to compromise systems.

The exploitation of this 0-day allows attackers to deploy Malichus, a modular malware framework with advanced capabilities aimed at exfiltration, reconnaissance, and post-exploitation operations.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The name “Malichus” references Malichus I, a historical adversary of Cleopatra known for his calculated acts of revenge, fitting the malware’s destructive and strategic nature. The attack follows a multi-stage process:

  1. Initial Entry with PowerShell Downloader
  2. Java-based Second-Stage Downloaders
  3. Deployment of a Modular Post-Exploitation Framework

Each stage utilizes bespoke techniques to avoid detection, evade analysis, and maximize system control.

Technical Anatomy of the Malichus Malware

The Malichus malware family is characterized by a three-stage deployment process, each carefully designed to establish reliable command-and-control (C2) communication, maintain persistence, and enable a wide range of malicious activities.

Stage 1: PowerShell Downloader

<img Formatted Stage 1 PowerShell Downloader script
Formatted Stage 1 PowerShell Downloader script

The initial stage uses a small PowerShell script that acts as a loader. This script is obfuscated using Base64 encoding and functions to:

  • Decode and execute a Java Archive (JAR) file named in the format cleo.[unique-identifier].
  • Establish a TCP connection to the C2 server to retrieve the second-stage payload.
  • Dynamically assign C2 addresses and victim identifiers via a “Query” variable to maintain flexibility across infections.

This stage ensures the swift setup of the host for further exploitation while staying lightweight to evade endpoint detection systems.

Stage 2: Java Downloader

<imgJava Downloader MANIFEST.MF file
Java Downloader MANIFEST.MF file

The second stage involves a Java-based downloader that is responsible for retrieving the final payload. This downloader:

  • Decrypts downloaded components using unique AES keys per payload, ensuring attack-specific encryption.
  • Repairs corrupted zip files as part of its payload delivery mechanism.
  • Dynamically resolves class files within the decrypted archive to launch Stage 3.

The implementation of custom routines, such as environment variable parsing and encrypted C2 communication, displays the malware authors’ attention to stealth and adaptability.

Stage 3: Modular Post-Exploitation Framework

<imgDecompilation of Cli class assigning variables before executing run method
Decompilation of Cli class assigning variables before executing run method

The final stage is a Java-based framework comprising nine distinct class files, delivering comprehensive functionality for the attacker’s objectives. Key components of this framework include:

  1. Cli Class
    • Facilitates C2 communication, including queuing connections on port 443.
    • Deletes traces of earlier-stage payloads using platform-specific commands (e.g., PowerShell or Bash).
    • Logs activity for debugging and operational tracking.
  2. Proc Class
    • Executes commands on the compromised system, including interactive shell sessions.
    • Parses Cleo configuration files to uncover trading relationships and sensitive data locations.
  3. Dwn Class
    • Handles file exfiltration by zipping, packaging, and uploading selected directories to the C2.
    • Tracks state and progress of exfiltration tasks dynamically.
  4. Custom C2 Protocol
    Malichus employs a fully custom C2 communication protocol that incorporates packet integrity checks (CRC32) and encryption routines, ensuring secure data exchange between infected hosts and attackers. Special packet types, such as “hello” and “zip” packets, streamline operational control and exfiltration procedures.

The modular design and expansive feature set of Malichus indicate a tailored approach to targeting organizations using Cleo software, particularly those in industries where secure file transfer and business integration are critical.

By leveraging its understanding of Cleo’s configuration structure, the malware can:

  1. Identify relationships between trading partners.
  2. Locate directories containing exchanged files.
  3. Exploit sensitive data for further attacks or financial gain.

Of particular concern is the adaptability of Malichus. Its multi-platform support (Windows and Linux), dynamic C2 handling, and encrypted packet protocols make detection and mitigation challenging for standard cybersecurity defenses.

The Cleo 0-day vulnerability exploited to deploy Malichus malware highlights the ever-evolving tactics of cybercriminals in targeting critical business systems.

Malichus represents a sophisticated and focused attack that warrants immediate attention from organizations relying on Cleo software.

Divya