CloudDragon's Campaign: VPN Zero-day Vulnerability + New Backdoor

2021-06-30, TeamT5
https://teamt5.org/en/posts/clouddragon-campaign-vpn-zero-day-vulnerability-new-backdoor/
#Kimsuky #CloudDragon #SecuwaySSLVPN

TeamT5 recently discovered two installers of a newly identified backdoor which we named MemzipRAT. The backdoor is named after an embedded string "get module from cmd memzip : %d" inside the PE files.
About TeamT5's Research Findings
With further investigation, we believe this attack was aiming at a South Korean company in the aerospace sector. The company is part of a top 10 conglomerate in South Korea, whose business includes aerospace, chemicals, financial services, IT, etc.
In fact, CloudDragon has recently been accused of using VPN vulnerabilities to attack numerous entities, including Korean government agencies [1]. It is highly possible that they deployed their new malware through the new vulnerability in this case as well.
Yet there are two key factors that could trigger massive intrusions:
- VPN vulnerability: The VPN market in 2020 is USD $30 billion worldwide. That is, the market is huge and has multiple players in it. It could be …