ZuoRAT Analysis

IOB - Indicator of Behavior (102)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	86
zh	14
es	2

Country

cn	72
us	30

Actors

ZuoRAT	3
Cobalt Strike	2
APT10	1
pupy	1
Sliver	1

Activities

Interest

Timeline

Type

Not Defined	44
Content Management System	8
Groupware Software	6
Firewall Software	4
Router Operating System	4

Vendor

Not Defined	24
Microsoft	10
Cisco	8
Fortinet	6
Zoho ManageEngine	6

Product

Mail2000	6
Microsoft Exchange Server	4
WordPress	4
Moodle	4
Joomla CMS	4

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	Deltek Vision RPC over HTTP SQL sql injection	8.0	8.0	$0-$5k	$0-$5k	Not Defined	Not Defined	0.03	0.00815	CVE-2018-18251
2	Mail2000 Login portal cross site scripting	5.2	4.8	$0-$5k	$0-$5k	Not Defined	Not Defined	0.04	0.00301	CVE-2019-15072
3	Zoho ManageEngine ADSelfService Plus code injection	8.5	8.2	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.00515	CVE-2020-11518
4	Grafana Labs Permission improper authentication	9.8	9.6	$0-$5k	$0-$5k	Not Defined	Official Fix	0.04	0.97260	CVE-2021-39226
5	Johannes Sixt Kdbg .kdbgrc privileges management	5.9	5.7	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02	0.00042	CVE-2003-0644
6	Microsoft Windows Group Policy Privilege Escalation	8.1	7.4	$25k-$100k	$5k-$25k	Unproven	Official Fix	0.02	0.00579	CVE-2022-37955
7	Litespeed Technologies OpenLiteSpeed Web Server Dashboard path traversal	5.5	5.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.00047	CVE-2022-0072
8	Fortinet FortiADC User Profile privileges management	6.4	6.4	$0-$5k	$0-$5k	Not Defined	Not Defined	0.05	0.00058	CVE-2021-43076
9	Sonus SBC 1000/SBC 2000/SBC SWe Lite Web Interface path traversal	6.4	6.4	$0-$5k	$0-$5k	Not Defined	Not Defined	0.01	0.00170	CVE-2018-11543
10	MDaemon Webmail cross site scripting	5.4	5.1	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.00078	CVE-2019-8983
11	Microsoft Office Remote Code Execution	7.3	6.4	$5k-$25k	$0-$5k	Unproven	Official Fix	0.03	0.00667	CVE-2021-27057
12	Fortinet FortiOS self-signed Fortigate CA certificate config	5.3	4.9	$0-$5k	$0-$5k	Proof-of-Concept	Workaround	0.03	0.00063	CVE-2012-4948
13	Mail2000 go cross site scripting	5.2	4.8	$0-$5k	$0-$5k	Not Defined	Not Defined	0.02	0.00571	CVE-2019-15071
14	GeoServer JNDI Lookup deserialization	7.2	7.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.06	0.00087	CVE-2022-24847
15	Fortinet FortiMail Web Server CGI access control	7.5	7.3	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.00126	CVE-2021-32586
16	Dovecot Quoted String out-of-bounds write	8.5	8.2	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.58672	CVE-2019-11500
17	MODX CMS modRestServiceRequest xml external entity reference	7.3	7.3	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.03	0.00191	CVE-2020-25911
18	Microsoft Exchange Server Privilege Escalation	8.8	8.1	$25k-$100k	$5k-$25k	Unproven	Official Fix	0.06	0.36292	CVE-2022-23277
19	Microsoft Exchange Outlook Web Access access control	5.3	4.6	$25k-$100k	$0-$5k	Unproven	Official Fix	0.03	0.00431	CVE-2014-6319
20	RoundCube Webmail Email Message rcube_string_replacer.php linkref_addindex cross site scripting	3.5	3.5	$0-$5k	$0-$5k	Not Defined	Official Fix	0.06	0.00274	CVE-2020-35730

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Identified	Type	Confidence
1	59.124.6.0	59-124-6-0.hinet-ip.hinet.net	ZuoRAT	07/05/2022	verified	High
2	82.157.69.219		ZuoRAT	07/01/2022	verified	High
3	XXX.XXX.XXX.XXX		Xxxxxx	07/01/2022	verified	High
4	XXX.XX.XXX.XXX		Xxxxxx	07/01/2022	verified	High
5	XXX.XX.XXX.XX		Xxxxxx	07/01/2022	verified	High
6	XXX.XX.XXX.X	xxxxxxxxxxx-xxx-xx-xxx-x.xxxx-xxxxxxx.xxxxxxx.xx.xxxxxxxxxx.xxx	Xxxxxx	07/05/2022	verified	High
7	XXX.XXX.XX.XX		Xxxxxx	07/01/2022	verified	High

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-21, CWE-22	Pathname Traversal	predictive	High
2	T1055	CWE-74	Injection	predictive	High
3	T1059	CWE-94	Cross Site Scripting	predictive	High
4	TXXXX.XXX	CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
5	TXXXX	CWE-XXX, CWE-XXX, CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxx Xxxxxxxxxxx Xxx Xxx Xxxxxxx	predictive	High
6	TXXXX.XXX	CWE-XXX	Xxx Xx Xxxx-xxxxx Xxxxxxxx	predictive	High
7	TXXXX	CWE-XX, CWE-XX	Xxxxxxx Xxxxxxxxx	predictive	High
8	TXXXX.XXX	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
9	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	High
10	TXXXX	CWE-XXX	Xxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx Xxxx	predictive	High
11	TXXXX.XXX	CWE-XXX	Xxxxxxxx	predictive	High
12	TXXXX.XXX	CWE-XX	Xxxxxxxxxxxxx	predictive	High
13	TXXXX	CWE-XXX, CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx Xxxxxxxxxx	predictive	High
14	TXXXX.XXX	CWE-XXX	Xxx Xxxxxxxxxx Xxxxx	predictive	High
15	TXXXX.XXX	CWE-XXX	Xxxxxxxxxxxx Xxxxxx	predictive	High

IOA - Indicator of Attack (38)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	.kdbgrc	predictive	Low
2	File	/../../conf/template/uhttpd.json	predictive	High
3	File	/cgi-bin/go	predictive	Medium
4	File	/cgi-bin/portal	predictive	High
5	File	/etc/shadow	predictive	Medium
6	File	/xxx/xxxxxxx	predictive	Medium
7	File	/xxxxxxx/	predictive	Medium
8	File	xxx-xxx/xxxxxxxxxxxx.xxx/xxxxxxxxxxxx	predictive	High
9	File	xxxx/xxxxxxxxxxxxx.xxx	predictive	High
10	File	xxxxxxxx/xxxxxx/xxxxx.xxx	predictive	High
11	File	xxxxxx/xxxxxxxxxxxx	predictive	High
12	File	xxx/xxxxxx.xxx	predictive	High
13	File	xxxxxxxx/xxxxxxxxxx/xxxxx-xx-xxxxxxxxx-xxxxxxxx.xxx	predictive	High
14	File	xxxxx.xxx	predictive	Medium
15	File	xxxxxxx.xxx	predictive	Medium
16	File	xxxxx_xxxxxx_xxxxxxxx.xxx	predictive	High
17	File	xxxxxxxxxx/xxxxxxxxxx_xxxx.xxx?xxxxxx=xxxxxx	predictive	High
18	File	xxx.x	predictive	Low
19	File	xxxx.xx.xx	predictive	Medium
20	File	xxxxxx.xxx	predictive	Medium
21	File	xxxxxx/xxxxxxxxxxx/xxxx_xxxxxxx.xxx	predictive	High
22	File	xxxxxxxx.xxx	predictive	Medium
23	Library	xxxxxxx.xxx	predictive	Medium
24	Argument	xxxxxx	predictive	Low
25	Argument	xxxx_xxxxxxx	predictive	Medium
26	Argument	xxxxxxxx	predictive	Medium
27	Argument	xxx_xxxxxx_x	predictive	Medium
28	Argument	xxxxxxxxxxx	predictive	Medium
29	Argument	xxxxxxxxxx	predictive	Medium
30	Argument	xxxxxx_xxxxx_xxx	predictive	High
31	Argument	xx	predictive	Low
32	Argument	xxxxxx/xxxxxx_xxxxxx	predictive	High
33	Argument	xxx	predictive	Low
34	Argument	xxxxxxxx	predictive	Medium
35	Input Value	xxxx/xxxxx/xxxxxxxx/xxxxxxx/xx/xxxxxxx/xxxxxxxxxx/xx_xxxx	predictive	High
36	Input Value	\x	predictive	Low
37	Network Port	xxxxx	predictive	Low
38	Network Port	xxx/xx (xxx)	predictive	Medium

References (3)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!