Earlier this year, we started hunting for possible new DeftTorero (aka Lebanese Cedar, Volatile Cedar) artifacts. This threat actor is believed to originate from the Middle East and was publicly disclosed to the cybersecurity community as early as 2015. Notably, no other intelligence was shared until 2021, which led us to speculate on a possible shift by the threat actor to more fileless/LOLBINS techniques, and the use of known/common offensive tools publicly available on the internet that allows them to blend in.
The public reports available to date expose and discuss the final payload – Explosive RAT – and the webshells used in the initial foothold such as Caterpillar and ASPXSpy (you can find webshell MD5 hashes in the IoC section), with little on the tactics, techniques and procedures (TTPs); this post focuses primarily on the TTPs used by the threat actor in intrusions between late 2019 and mid-2021 to compromise victims.
More information about DeftTorero is available to customers of Kaspersky Intelligence Reporting.
Contact us: [email protected]
Initial Access and webshell deployment
During our intrusion analysis of DeftTorero’s webshells, such as Caterpillar, we noticed traces that infer the threat actor possibly exploited a file upload form and/or a command injection vulnerability in a functional or staging website hosted on the target web server. This assumption is based on the fact that the uploaded webshells always drop in the same web folder, and in some cases get assigned a name containing a GUID followed by the original webshell filename.
In other instances, we noticed traces pointing to a possible exploitation of IIS PHP plugins pre-installed by the server ..
Support the originator by clicking the read the rest link below.
