CloudDragon's Campaign: VPN Zero-day Vulnerability + New Backdoor

2021.07.01 | Cyber Threat Intelligence
TeamT5 recently discovered two installers of a newly identified backdoor which we named MemzipRAT. The backdoor is named after an embedded string "get module from cmd memzip : %d" inside the PE files.
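As an added defender-side example that is not part of TeamT5's post, the following Python script checks PE files for the embedded marker string quoted above, in both its ASCII form and an assumed UTF-16LE form (the post only quotes the ASCII string), and walks a directory tree reporting any hits; the sample PE image is constructed for testing and is not a real binary.

```python
import os
from typing import Iterator, List, Tuple

# Format string embedded in the MemzipRAT PE files, as quoted in the post.
MEMZIP_MARKER = b"get module from cmd memzip : %d"
# The UTF-16LE variant is an assumption: the post only quotes the ASCII string.
MARKERS = {
    "ascii": MEMZIP_MARKER,
    "utf-16-le": MEMZIP_MARKER.decode("ascii").encode("utf-16-le"),
}

def is_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' DOS header and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def marker_offsets(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, encoding) for every occurrence of the marker string."""
    hits = []
    for encoding, needle in MARKERS.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, encoding))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan one file; non-PE files are skipped so text logs quoting the string do not match."""
    with open(path, "rb") as fh:
        data = fh.read()
    return marker_offsets(data) if is_pe(data) else []

def scan_tree(root: str) -> Iterator[Tuple[str, List[Tuple[int, str]]]]:
    """Walk a directory tree and yield (path, hits) for every PE carrying the marker."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                yield path, hits

def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-looking image for testing; not a real executable."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header) + payload
```

A match only identifies a candidate for further analysis; the string is a naming artifact, not proof of infection, so confirm hits with full sample analysis before acting on them.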

About TeamT5's Research Findings

Further investigation leads us to believe this attack targeted a South Korean company in the aerospace sector. The company belongs to one of South Korea's top 10 conglomerates, whose businesses include aerospace, chemicals, financial services, and IT.
CloudDragon has recently been accused of exploiting VPN vulnerabilities to attack numerous entities, including Korean government agencies [1]. It is highly likely that they deployed their new malware through the new vulnerability in this case as well.

However, two key factors could turn this into a wave of mass intrusions:
  1. VPN vulnerability
    The worldwide VPN market was worth USD 30 billion in 2020. The market is huge and has many vendors, so a VPN vulnerability could be a starting point for actors to infiltrate corporations not only in South Korea but around the world.
  2. Sectors involved
    Because the identified target operates in crucial sectors such as IT, a compromise there could affect hundreds of entities in a short period.

We strongly advise everyone to pay careful attention to CloudDragon's recent campaign, as it could develop into a severe supply chain attack.


