Attacks targeting IT firms stir concern, controversy

The Exaramel backdoor, discovered by ESET in 2018, resurfaces in a campaign hitting companies that use an outdated version of a popular IT monitoring tool
France’s national cybersecurity agency ANSSI has disclosed details about an intrusion campaign targeting IT services firms that run the Centreon IT resource monitoring tool. The attacks are thought to have stayed under the radar for up to three years and have hit mainly web hosting providers based in France.


“On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. This backdoor was identified as being the P.A.S. webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel,” said the agency.


Indeed, the latter was discovered and analyzed by ESET researchers in 2018. Although it is an upgrade of the backdoor at the heart of Industroyer, the malware that caused an hour-long blackout in and around Ukraine’s capital, Kiev, in late 2016, ESET detected Exaramel at an organization that is not an industrial facility. Both Exaramel and Industroyer are the work of the TeleBots (aka Sandworm) APT group, which also unleashed the NotPetya (aka DiskCoder.C) wiper, disguised as ransomware, in 2017. TeleBots is descended from BlackEnergy, a group whose eponymous malware was responsible for a power outage that affected a quarter ..
