ZuoRAT Analysis

IOB - Indicator of Behavior (123)

Language: en 90, zh 30, sv 2, es 2

Country: cn 68, us 54, tw 2

Product

- Mail2000: 6
- Joomla CMS: 6
- WordPress: 4
- Microsoft Exchange Server: 4
- Cisco RV016: 4

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Con | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | QNAP QTS Photo Station privilege escalation | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.96341 | 0.04 | CVE-2019-7192 |
| 2 | Deltek Vision RPC over HTTP SQL sql injection | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00576 | 0.02 | CVE-2018-18251 |
| 3 | Mail2000 Login portal cross site scripting | 5.2 | 4.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00334 | 0.04 | CVE-2019-15072 |
| 4 | Zoho ManageEngine ADSelfService Plus privilege escalation | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00562 | 0.00 | CVE-2020-11518 |
| 5 | Shopro Mall System sql injection | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00172 | 0.07 | CVE-2022-35154 |
| 6 | wix-embedded-mysql com.wix.mysql.distribution.Setup.apply privilege escalation | 7.6 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00128 | 0.00 | CVE-2023-39021 |
| 7 | Blueriver Sava CMS fileManager.cfc directory traversal | 5.3 | 5.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02567 | 0.04 | CVE-2010-3468 |
| 8 | Mura CMS Draggable Feeds readRSS.cfm XML External Entity | 6.4 | 5.8 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.01204 | 0.00 | CVE-2017-15639 |
| 9 | Gibbon privilege escalation | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02842 | 0.09 | CVE-2023-34598 |
| 10 | Slider Revolution Plugin Image File privilege escalation | 7.5 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00081 | 0.03 | CVE-2023-2359 |
| 11 | Essential Grid Plugin privilege escalation | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.02 | CVE-2023-47771 |
| 12 | Citrix ShareFile StorageZones Controller privilege escalation | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.97392 | 0.00 | CVE-2023-24489 |
| 13 | HPE ArubaOS AirWave Client Service buffer overflow | 9.8 | 9.6 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.00187 | 0.03 | CVE-2023-45616 |
| 14 | VMware Workspace ONE UEM Console SAML Response Redirect | 6.4 | 6.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.05 | CVE-2023-20886 |
| 15 | D-Link D-View coreservice_action_script Remote Code Execution | 9.8 | 9.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00000 | 0.00 | CVE-2023-44414 |
| 16 | Citrix XenMobile Server privilege escalation | 5.5 | 5.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00248 | 0.00 | CVE-2022-26151 |
| 17 | y_project RuoYi GenController sql injection | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00133 | 0.07 | CVE-2022-4566 |
| 18 | VMware Horizon Server information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00046 | 0.03 | CVE-2023-34038 |
| 19 | Fortinet FortiWeb Authorization Header sql injection | 7.7 | 7.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00131 | 0.00 | CVE-2020-29015 |
| 20 | Ignition Automation Ignition JavaSerializationCodec privilege escalation | 9.8 | 9.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.02 | CVE-2023-39476 |

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (45)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | .kdbgrc | predictive | Low |
| 2 | File | /../../conf/template/uhttpd.json | predictive | High |
| 3 | File | /cgi-bin/go | predictive | Medium |
| 4 | File | /cgi-bin/portal | predictive | High |
| 5 | File | /etc/shadow | predictive | Medium |
| 6 | File | /etc/sudoers | predictive | Medium |
| 7 | File | /xxxxxxxxx//../ | predictive | High |
| 8 | File | /xxxxxxx/ | predictive | Medium |
| 9 | File | xxx-xxx/xxxxxxxxxxxx.xxx/xxxxxxxxxxxx | predictive | High |
| 10 | File | xxx/xxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx | predictive | High |
| 11 | File | xxxx/xxxxxxxxxxxxx.xxx | predictive | High |
| 12 | File | xxxxxxxxxxx.xxx | predictive | High |
| 13 | File | xxxxxxxx/xxxxxx/xxxxx.xxx | predictive | High |
| 14 | File | xxxxxx/xxxxxxxxxxxx | predictive | High |
| 15 | File | xxx/xxxxxx.xxx | predictive | High |
| 16 | File | xxxxxxxx/xxxxxxxxxx/xxxxx-xx-xxxxxxxxx-xxxxxxxx.xxx | predictive | High |
| 17 | File | xxxxx.xxx | predictive | Medium |
| 18 | File | xxxxxxxxxxx-xxxx.xx | predictive | High |
| 19 | File | xxxxxxx.xxx | predictive | Medium |
| 20 | File | xxxxx_xxxxxx_xxxxxxxx.xxx | predictive | High |
| 21 | File | xxxxxxxxxx/xxxxxxxxxx_xxxx.xxx?xxxxxx=xxxxxx | predictive | High |
| 22 | File | xxx.x | predictive | Low |
| 23 | File | xxxx.xx.xx | predictive | Medium |
| 24 | File | xxxxxx.xxx | predictive | Medium |
| 25 | File | xxxxx/xxxx/xxxxxxx.xxx | predictive | High |
| 26 | File | xxxxxx/xxxxxxxxxxx/xxxx_xxxxxxx.xxx | predictive | High |
| 27 | File | xxxxxxxx.xxx | predictive | Medium |
| 28 | Library | xxxxxxx.xxx | predictive | Medium |
| 29 | Argument | xxxxxx | predictive | Low |
| 30 | Argument | xxxx_xxxxxxx | predictive | Medium |
| 31 | Argument | xxxxxxxx | predictive | Medium |
| 32 | Argument | xxx_xxxxxx_x | predictive | Medium |
| 33 | Argument | xxxxxxxxxxx | predictive | Medium |
| 34 | Argument | xxxxxxxxxx | predictive | Medium |
| 35 | Argument | xxxxxx | predictive | Low |
| 36 | Argument | xxxxxx_xxxxx_xxx | predictive | High |
| 37 | Argument | xx | predictive | Low |
| 38 | Argument | xxxxxx/xxxxxx_xxxxxx | predictive | High |
| 39 | Argument | xxx | predictive | Low |
| 40 | Argument | xxxxxxxx | predictive | Medium |
| 41 | Argument | xxxxx | predictive | Low |
| 42 | Input Value | xxxx/xxxxx/xxxxxxxx/xxxxxxx/xx/xxxxxxx/xxxxxxxxxx/xx_xxxx | predictive | High |
| 43 | Input Value | \x | predictive | Low |
| 44 | Network Port | xxxxx | predictive | Low |
| 45 | Network Port | xxx/xx (xxx) | predictive | Medium |

References (3)

The following list contains external sources which discuss the actor and the associated activities:
