TeamT5 recently discovered two installers of a newly identified backdoor which we named MemzipRAT. The backdoor is named after an embedded string "get module from cmd memzip : %d" inside the PE files.
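The string quoted above is the only indicator the page gives, so the natural defender-side use is a hunt for it across PE files. The following script is an added example, not TeamT5's tooling: it walks a directory tree, keeps only files with a valid MZ/PE header, and reports the offsets at which the embedded string appears, in either ASCII or UTF-16LE form (the UTF-16LE variant is an assumption, added in case the string was stored as a wide string). A hit is a triage indicator for further analysis, not a conviction on its own. The sample PE blobs built by `build_sample_pe` are constructed for offline testing and are not real executables.

```python
import os
from pathlib import Path
from typing import List, Optional

# Marker string reported by TeamT5 as embedded in the MemzipRAT PE files.
MEMZIP_MARKER = b"get module from cmd memzip : %d"


def is_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_marker(data: bytes, marker: bytes = MEMZIP_MARKER) -> List[int]:
    """Return every offset where the marker occurs, as ASCII or as UTF-16LE
    (the wide variant is an assumption; the page only quotes the string)."""
    hits = []
    for variant in (marker, marker.decode("ascii").encode("utf-16-le")):
        start = 0
        while (idx := data.find(variant, start)) != -1:
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_file(path) -> Optional[dict]:
    """Return a hit record for a PE file containing the marker, else None."""
    try:
        data = Path(path).read_bytes()
    except OSError:
        return None          # unreadable file: skip rather than abort the hunt
    if not is_pe(data):
        return None          # non-PE files are ignored to cut down false positives
    offsets = find_marker(data)
    return {"path": str(path), "offsets": offsets} if offsets else None


def scan_tree(root) -> List[dict]:
    """Walk a directory tree and collect hit records."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            hit = scan_file(os.path.join(dirpath, name))
            if hit:
                results.append(hit)
    return results


def build_sample_pe(embed_marker: bool) -> bytes:
    """Constructed minimal PE-looking blob for offline testing (not a real executable):
    an MZ header with e_lfanew pointing at a 'PE\\0\\0' signature, then a body."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    header[0x40:0x44] = b"PE\x00\x00"
    payload = MEMZIP_MARKER if embed_marker else b"some unrelated string"
    body = b"\x00" * 16 + payload + b"\x00" * 16
    return bytes(header) + body


def self_check() -> List[dict]:
    """Write constructed samples into a temporary directory and scan it:
    one PE with the marker, one PE without it, one non-PE text file holding it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "with_marker.exe").write_bytes(build_sample_pe(True))
        Path(tmp, "clean.exe").write_bytes(build_sample_pe(False))
        Path(tmp, "notes.txt").write_bytes(MEMZIP_MARKER)
        return scan_tree(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for record in (scan_tree(target) if target else self_check()):
        print(record["path"], [hex(o) for o in record["offsets"]])
```

Run it as `python memzip_hunt.py /path/to/tree` to scan real files; without an argument it scans the constructed samples. The PE check is deliberately minimal so the scan stays fast over large trees; anything it flags should go to proper static analysis of the PE in question.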
About TeamT5's Research Findings
With further investigation, we believe this attack was aimed at a South Korean company in the aerospace sector. The company is part of a top 10 conglomerate in South Korea, whose business includes aerospace, chemicals, financial services, IT, etc.
In fact, CloudDragon has recently been accused of using VPN vulnerabilities to attack numerous entities, including Korean government agencies. It is highly possible that they deployed their new malware through the new vulnerability in this case as well.
Yet, there are two key factors that might trigger massive intrusions:
- VPN vulnerability: The VPN market in 2020 is USD $30 billion worldwide. That is, the market is huge and has multiple players inside. It could be a starting point for actors to infiltrate various corporations, not only in South Korea but around the whole world.
- Sectors involved: As the identified target operates in crucial sectors, such as IT, it has a great chance to affect hundreds of entities in a short period.
We strongly advise everyone to pay careful attention to CloudDragon's recent campaign, as it might end up as a severe supply chain attack.
Another CloudDragon attack abusing VPN zero-day vulnerability to target South Korean entities
supply chain attack, cyber espionage, CloudDragon, South Korea, cyber threat intelligence, threat hunting, threat intelligence, cyber security intelligence