FF-Rat Analysis

IOB - Indicator of Behavior (28)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

Language | Count
-------- | -----
zh | 16
en | 12

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Product | Count
------- | -----
Barracuda Networks Barracuda Spam Firewall | 2
Atlassian Confluence Server | 2
Atlassian Confluence Data Center | 2
PHP Scripts Mall Professional Service Script | 2
Oracle WebLogic Server | 2

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

# | Vulnerability | Base | Temp | 0day | Today | Exploitability | Countermeasure | KEV | EPSS | CTI | CVE
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
1 | code-projects Restaurant Reservation System addcompany.php sql injection | 8.1 | 7.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00101 | 0.00 | CVE-2024-9359
2 | Apple tvOS Web Content integer overflow | 4.9 | 4.8 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00044 | 0.00 | CVE-2024-44198
3 | FastAdmin lang path traversal | 5.3 | 5.2 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | expected | 0.83174 | 0.46 | CVE-2024-7928
4 | Cisco Unity Connection unrestricted upload | 8.1 | 8.0 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00924 | 0.00 | CVE-2024-20272
5 | KeyCloak Password Reset password recovery | 6.5 | 6.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00294 | 0.00 | CVE-2017-12161
6 | ONLYOFFICE Document Server FontFileBase.h heap-based overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.15572 | 0.00 | CVE-2022-29777
7 | ONLYOFFICE Server User Name input validation | 4.5 | 4.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00254 | 0.00 | CVE-2021-43448
8 | ONLYOFFICE Server Document Editor Service server-side request forgery | 6.8 | 6.5 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.01027 | 0.00 | CVE-2021-43449
9 | ONLYOFFICE Document Server Example editor cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00066 | 0.09 | CVE-2022-24229
10 | ONLYOFFICE Document Server WebSocket API sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00307 | 0.00 | CVE-2020-11537
11 | ONLYOFFICE Server Document Editor improper authentication | 6.9 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00243 | 0.08 | CVE-2021-43447
12 | ONLYOFFICE Community Server UploadProgress.ashx unrestricted upload | 8.0 | 7.9 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.16799 | 0.00 | CVE-2023-34939
13 | vsftpd deny_file | 3.7 | 3.6 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.35290 | 0.18 | CVE-2015-1419
14 | Atlassian Confluence Server/Confluence Data Center Webwork OGNL injection | 8.0 | 7.9 | $0-$5k | $0-$5k | High | Official fix | verified | 0.94437 | 0.03 | CVE-2021-26084
15 | PHPMailer Phar Deserialization addAttachment deserialization | 5.5 | 5.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01150 | 0.00 | CVE-2020-36326
16 | Squid Proxy HTTP Header information disclosure | 6.6 | 6.6 | $5k-$25k | $5k-$25k | Not defined | Not defined | | 0.15889 | 0.00 | CVE-2019-12529
17 | PHP com_print_typeinfo memory corruption | 10.0 | 10.0 | $5k-$25k | $0-$5k | High | Not defined | expected | 0.39289 | 0.00 | CVE-2012-2376
18 | Oracle WebLogic Server Console Remote Code Execution | 9.8 | 9.6 | $5k-$25k | $0-$5k | High | Official fix | verified | 0.94454 | 0.03 | CVE-2020-14882
19 | PbootCMS 5 code injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.05127 | 0.00 | CVE-2018-19595
20 | Microsoft Windows Win32k access control | 7.9 | 7.7 | $25k-$100k | $5k-$25k | Not defined | Official fix | | 0.30188 | 0.04 | CVE-2019-0623

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
--- | --- | --- | --- | --- | --- | --- | ---
1 | 59.188.16.147 | | FF-Rat | | 03/10/2022 | verified | Low
2 | XX.XX.XX.XXX | xxx.xx.xx.xx.xxxxxx.xxxxxx.xxxxxxxx.xxxxxxx.xxx | Xx-xxx | | 03/10/2022 | verified | Low
3 | XXX.XX.XXX.XXX | | Xx-xxx | | 03/10/2022 | verified | Low
4 | XXX.XX.XX.XX | | Xx-xxx | | 03/10/2022 | verified | Low

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (21)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
--- | --- | --- | --- | ---
1 | File | /addcompany.php | predictive | High
2 | File | /example/editor | predictive | High
3 | File | /index/ajax/lang | predictive | High
4 | File | xxxxx/xxxxxx.xxx | predictive | High
5 | File | xxx-xxx/xxxxxxx_xxx.xxx | predictive | High
6 | File | xxxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx/xxxxxxxxxxxx.x | predictive | High
7 | File | xxx.xx | predictive | Low
8 | File | xxxxx.xxx/xxxx/x/ | predictive | High
9 | File | xxxxxxxxxxxxxx.xxxx | predictive | High
10 | Library | xxxxxxxxxxx.xxx | predictive | High
11 | Argument | xxxxxxx | predictive | Low
12 | Argument | xxxxxxx | predictive | Low
13 | Argument | xxxxx | predictive | Low
14 | Argument | xx | predictive | Low
15 | Argument | xxxx | predictive | Low
16 | Argument | xxxx | predictive | Low
17 | Argument | xxxxxxx | predictive | Low
18 | Argument | xxxx | predictive | Low
19 | Argument | xxxx->xxxxxxx | predictive | High
20 | Input Value | <xxx xxx="xxxx://x"; xx xxxxxxx="$(’x').xxxx(’xxxxxx’)" /> | predictive | High
21 | Input Value | {xxxxx:xx(xxxx($_xxx[x]))}x{/xxxxx:xx} | predictive | High
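The three unredacted IOA file fragments above (/addcompany.php, /example/editor, /index/ajax/lang) and the single unredacted IOC address (59.188.16.147, confidence Low) are the only indicators on this page a defender can act on directly. The following is an added example, not VulDB's or the actor's code, of how to sweep web-server access logs for them. It assumes Apache/nginx combined log format; the log lines are constructed for the example. Because the file fragments are generic application paths (they correspond to the FastAdmin, ONLYOFFICE and Restaurant Reservation System entries in the vulnerability list), a path hit alone is a lead to triage, not confirmation of this actor; a hit that also carries the IOC address is the one worth escalating first.

```python
"""Sweep access-log lines for the FF-Rat indicators visible on this page.

Added example (not from VulDB or the actor). Indicators used are only the
unredacted ones: three IOA file fragments and one IOC IP (confidence Low).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators copied from the IOA and IOC tables on this page.
IOA_FILES = ("/addcompany.php", "/example/editor", "/index/ajax/lang")
IOC_IPS = {"59.188.16.147"}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ip: str
    path: str
    reasons: Tuple[str, ...]   # which indicators matched, in check order


def match_line(line: str) -> Optional[Tuple[str, str, Tuple[str, ...]]]:
    """Parse one log line; return (ip, path, reasons) or None if unparseable.

    reasons is empty when the line matches no indicator.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    # Drop the query string so "/index/ajax/lang?lang=../.." still matches
    # the bare fragment, and so traversal payloads don't defeat the check.
    path = m.group("path").split("?", 1)[0]
    reasons = []
    if ip in IOC_IPS:
        reasons.append(f"ioc-ip:{ip}")
    for frag in IOA_FILES:
        # Fragments are substrings by design: "/admin/addcompany.php" counts.
        if frag in path:
            reasons.append(f"ioa-file:{frag}")
    return ip, path, tuple(reasons)


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per line that matched at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = match_line(line)
        if parsed and parsed[2]:
            hits.append(Hit(n, parsed[0], parsed[1], parsed[2]))
    return hits


# Constructed sample log (RFC 5737 documentation addresses plus the IOC IP).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2022:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 512',
    '59.188.16.147 - - [10/Mar/2022:14:02:13 +0000] '
    '"GET /index/ajax/lang?lang=../../../etc/passwd HTTP/1.1" 200 1833',
    '198.51.100.4 - - [10/Mar/2022:14:05:40 +0000] "POST /admin/addcompany.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Mar/2022:14:05:41 +0000] "GET /example/editor HTTP/1.1" 200 9021',
    'not a log line at all',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.ip} {h.path} <- {', '.join(h.reasons)}")
```

Line 2 of the sample is the high-value case: the IOC address and an IOA path in the same request. Lines 3 and 4 are path-only hits from an unrelated address and should be treated as triage candidates. Malformed lines are skipped rather than raised on, so a noisy log does not abort the sweep.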
