FF-Rat Анализ

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (25)

Язык

en	14
zh	12

Страна

cn	18
us	6

Акторы

FF-Rat	2
Kuluoz	1
PlugX	1
Cobalt Strike	1
UNC4841	1

Интерес

Тип

Not Defined	14
Firewall Software	4
Content Management System	2
Mail Server Software	2
Programming Language Software	2

Поставщик

Not Defined	8
ONLYOFFICE	8
Bitrix	2
Barracuda Networks	2
Alt-N	2

Продукт

ONLYOFFICE Server	6
Bitrix Site Manager	2
Barracuda Networks Barracuda Spam Firewall	2
WordPress	2
Alt-N MDaemon	2

Уязвимости

#	Уязвимости	Base	Temp	0day	Сегодня	Э�	Rem	CTI	EPSS	CVE
1	Cisco Unity Connection эскалация привилегий	8.1	8.0	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.04	0.00127	CVE-2024-20272
2	KeyCloak Password Reset эскалация привилегий	6.5	6.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.00293	CVE-2017-12161
3	ONLYOFFICE Document Server FontFileBase.h повреждение памяти	5.5	5.3	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.00211	CVE-2022-29777
4	ONLYOFFICE Server User Name эскалация привилегий	4.5	4.3	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.03	0.00071	CVE-2021-43448
5	ONLYOFFICE Server Document Editor Service эскалация привилегий	6.8	6.5	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.04	0.00100	CVE-2021-43449
6	ONLYOFFICE Document Server Example editor межсайтовый скриптинг	3.5	3.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.00116	CVE-2022-24229
7	ONLYOFFICE Document Server WebSocket API sql-инъекция	8.5	8.5	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00	0.00174	CVE-2020-11537
8	ONLYOFFICE Server Document Editor слабая аутентификация	6.9	6.6	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.00	0.00076	CVE-2021-43447
9	ONLYOFFICE Community Server UploadProgress.ashx эскалация привилегий	8.0	7.9	$0-$5k	$0-$5k	Not Defined	Official Fix	0.01	0.00633	CVE-2023-34939
10	vsftpd deny_file неизвестная уязвимость	3.7	3.6	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02	0.00312	CVE-2015-1419
11	Atlassian Confluence Server/Confluence Data Center Webwork OGNL эскалация привилегий	6.3	6.0	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.00	0.97448	CVE-2021-26084
12	PHPMailer Phar Deserialization addAttachment эскалация привилегий	5.5	5.3	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.00748	CVE-2020-36326
13	Squid Proxy HTTP Header раскрытие информации	6.6	6.6	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.00	0.00735	CVE-2019-12529
14	PHP com_print_typeinfo повреждение памяти	10.0	9.4	$25k-$100k	$0-$5k	Proof-of-Concept	Not Defined	0.04	0.25603	CVE-2012-2376
15	Oracle WebLogic Server Console Remote Code Execution	9.8	9.4	$25k-$100k	$0-$5k	Not Defined	Official Fix	0.00	0.97493	CVE-2020-14882
16	PbootCMS эскалация привилегий	8.5	8.5	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00	0.04022	CVE-2018-19595
17	Microsoft Windows Win32k эскалация привилегий	7.9	7.7	$25k-$100k	$5k-$25k	Not Defined	Official Fix	0.00	0.00058	CVE-2019-0623
18	Western Digital PR4100 webfile_mgr.cgi эскалация привилегий	7.5	7.2	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.01702	CVE-2019-9949
19	PHP Scripts Mall Professional Service Script review.php sql-инъекция	8.5	7.9	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00	0.00212	CVE-2017-17928
20	Alt-N MDaemon Worldclient эскалация привилегий	7.3	7.0	$5k-$25k	$0-$5k	Proof-of-Concept	Official Fix	0.00	0.00000

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP-адрес	Hostname	Актор	Identified	Тип	Уверенность
1	59.188.16.147		FF-Rat	10.03.2022	verified	Высокий
2	XX.XX.XX.XXX	xxx.xx.xx.xx.xxxxxx.xxxxxx.xxxxxxxx.xxxxxxx.xxx	Xx-xxx	10.03.2022	verified	Высокий
3	XXX.XX.XXX.XXX		Xx-xxx	10.03.2022	verified	Высокий
4	XXX.XX.XX.XX		Xx-xxx	10.03.2022	verified	Высокий

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Уязвимости	Вектор доступа	Тип	Уверенность
1	T1006	CWE-22	Path Traversal	predictive	Высокий
2	T1055	CWE-74	Improper Neutralization of Data within XPath Expressions	predictive	Высокий
3	TXXXX	CWE-XX	Xxxxxxxx Xxxxxxxxx	predictive	Высокий
4	TXXXX.XXX	CWE-XX, CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	Высокий
5	TXXXX	CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	Высокий
6	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	Высокий
7	TXXXX	CWE-XXX	Xxxxxxxxxxx Xxxxxxxxxx	predictive	Высокий
8	TXXXX	CWE-XXX	Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx	predictive	Высокий
9	TXXXX.XXX	CWE-XXX	Xxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx Xxxxxxxxx	predictive	Высокий

IOA - Indicator of Attack (17)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Класс	Indicator	Тип	Уверенность
1	File	/example/editor	predictive	Высокий
2	File	admin/review.php	predictive	Высокий
3	File	cgi-bin/webfile_mgr.cgi	predictive	Высокий
4	File	xxxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx/xxxxxxxxxxxx.x	predictive	Высокий
5	File	xxx.xx	predictive	Низкий
6	File	xxxxx.xxx/xxxx/x/	predictive	Высокий
7	File	xxxxxxxxxxxxxx.xxxx	predictive	Высокий
8	Library	xxxxxxxxxxx.xxx	predictive	Высокий
9	Argument	xxxxxxx	predictive	Низкий
10	Argument	xxxxx	predictive	Низкий
11	Argument	xx	predictive	Низкий
12	Argument	xxxx	predictive	Низкий
13	Argument	xxxxxxx	predictive	Низкий
14	Argument	xxxx	predictive	Низкий
15	Argument	xxxx->xxxxxxx	predictive	Высокий
16	Input Value	<xxx xxx="xxxx://x"; xx xxxxxxx="$(’x').xxxx(’xxxxxx’)" />	predictive	Высокий
17	Input Value	{xxxxx:xx(xxxx($_xxx[x]))}x{/xxxxx:xx}	predictive	Высокий

Ссылки (2)

The following list contains external sources which discuss the actor and the associated activities:

◂ ПредыдущийОбзорДалее ▸

Interested in the pricing of exploits?

See the underground prices here!