Dewmode

Malware Profile Updated 3 months ago
DEWMODE is a web shell written in PHP that targets Accellion File Transfer Appliance (FTA) devices. Rather than a general-purpose remote-access implant, it is a data-theft tool: it interacts with the MySQL database that underpins the appliance in order to enumerate and exfiltrate the files the FTA stores.

In late 2020 and early 2021 the actor that deployed it, tracked by Mandiant as UNC2546 and linked to TA505/FIN11 and the Cl0p extortion operation, exploited several zero-day vulnerabilities in internet-facing Accellion FTA servers to install DEWMODE and steal data through the appliance's MySQL database. At the time of the initial 2021 analysis the full set of vulnerabilities used to install DEWMODE was still being worked out, but multiple commonalities had already been identified across UNC2546's intrusions.

The Cl0p ransomware group has used DEWMODE alongside the LEMURLOOT web shell, the SDBot backdoor and the FlawedAmmyy remote access trojan (RAT); SDBot and FlawedAmmyy are host implants, not web shells. An analysis published by F5 in June 2023 recounts the group's exploitation of Accellion FTA (now part of Kiteworks) in 2020 and of Progress Software's MOVEit Transfer managed file transfer product in May 2023.

Microsoft noted in 2021 that web shell encounters had nearly doubled compared with the previous year, an escalating trend in this form of attack. In their joint advisory on the MOVEit campaign, the FBI and CISA highlighted similarities between the exploitation of the MOVEit Transfer SQL injection vulnerability and the 2020-21 campaign in which DEWMODE was installed on Accellion FTA servers. A broad range of activity tied to the MOVEit vulnerability was observed, concentrated around the Memorial Day weekend (27-28 May 2023).
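The profile above gives the two properties a hunter can act on without DEWMODE's actual code: a PHP file dropped into a web root that both queries the application's MySQL database and streams files back to an HTTP client. The script below is an added example, not DEWMODE, Mandiant's or Accellion's tooling, and not a signature for any specific sample. It scores PHP sources against a small set of web-shell traits (request-parameter use, database queries, file serving, self-deletion, obfuscation) and flags access-log requests for .php paths outside the application's known surface. The file paths, PHP snippets, log lines, indicator names and threshold are all constructed for the example.

```python
"""Heuristic hunt for database-backed PHP web shells (constructed example)."""
import re
from dataclasses import dataclass

# Indicator groups. A file scores one point per group it matches. A legitimate
# application file will also touch the database, which is why single matches
# are not flagged and why the path baseline below is checked as well.
INDICATORS = {
    "request_input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "db_query": re.compile(
        r"\b(?:mysqli?_query|mysqli_connect|mysql_connect)\s*\(|->query\s*\("),
    "file_serving": re.compile(r"\b(?:readfile|fpassthru)\s*\(|Content-Disposition"),
    "self_delete": re.compile(r"\bunlink\s*\(\s*__FILE__"),
    "obfuscation": re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\("),
}


@dataclass
class Finding:
    path: str
    score: int
    hits: list


def score_php_source(path: str, source: str) -> Finding:
    """Count how many indicator groups a single PHP source matches."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    return Finding(path, len(hits), hits)


def hunt_sources(files: dict, threshold: int = 3) -> list:
    """Return findings at or above the threshold, highest score first."""
    findings = [score_php_source(p, s) for p, s in files.items()]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: (-f.score, f.path))


# Apache/nginx combined log format, enough fields for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def unknown_php_requests(log_lines, known_paths):
    """Requests for .php resources that are not part of the known application."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if path.endswith(".php") and path not in known_paths:
            out.append((m.group("ip"), m.group("method"), m.group("path"),
                        m.group("status")))
    return out


# Constructed sample web root: one bootstrap file, one ordinary API endpoint,
# and one hypothetical shell-like file dropped into an upload directory.
SAMPLE_FILES = {
    "/var/www/html/index.php":
        "<?php\nrequire 'app/bootstrap.php';\n$app->run();\n",
    "/var/www/html/api/search.php":
        "<?php\n$q = $_GET['q'];\n$res = $db->query('SELECT name FROM items');\n"
        "echo json_encode($res);\n",
    "/var/www/html/images/cache.php":
        "<?php\n$c = mysqli_connect('localhost', 'app', 'pw', 'files');\n"
        "$r = mysqli_query($c, 'SELECT id, path, name FROM uploads');\n"
        "if (isset($_GET['dl'])) { header('Content-Disposition: attachment');"
        " readfile($_GET['dl']); }\n"
        "if (isset($_GET['rm'])) { unlink(__FILE__); }\n",
}

# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2023:03:14:07 +0000] '
    '"GET /images/cache.php?dl=/data/uploads/1042 HTTP/1.1" 200 58213',
    '198.51.100.4 - - [28/May/2023:03:15:22 +0000] "GET /index.php HTTP/1.1" 200 1043',
    '203.0.113.7 - - [28/May/2023:03:16:01 +0000] "POST /images/cache.php HTTP/1.1" 200 312',
    'not a log line',
]
KNOWN_PATHS = {"/index.php", "/api/search.php"}

if __name__ == "__main__":
    for f in hunt_sources(SAMPLE_FILES):
        print(f"{f.path}: score {f.score} ({', '.join(f.hits)})")
    for ip, method, path, status in unknown_php_requests(SAMPLE_LOG, KNOWN_PATHS):
        print(f"unexpected PHP request: {ip} {method} {path} -> {status}")
```

On a real appliance the file scan is run over the web root and the known-path set is built from the vendor's shipped file manifest; the scoring deliberately stays coarse so that it surfaces candidates for manual review rather than claiming to identify a family, and it should be paired with the vendor's published hashes and indicators for the specific campaign.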
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Lemurloot (1 vote): LemurLoot is a malicious software, or malware, specifically a web shell written in C# that targets the MOVEit Transfer platform. It was developed and deployed by the CL0P ransomware group to exploit vulnerabilities in systems and steal data. In May 2023, the group exploited a SQL injection zero-day
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Moveit
Web Shell
Exploit
Cobalt Strike
Exploits
Webshell
Ransomware
Zero Day
Vulnerability
Malware
Mysql
Associated Malware
Clop (type unspecified, 2 votes): Clop is a notorious malware family known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
FlawedAmmyy (type unspecified, 1 vote): FlawedAmmyy is a notable malware, specifically a Remote Access Trojan (RAT), that has been leveraged by threat actors for malicious purposes. The malware is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites unbeknownst to the user.
Associated Threat Actors
TA505 (type unspecified, 2 votes): TA505, also known as the Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to its operations. In June 2023, the U.S. Cybersec
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Dewmode malware was read from the documents below (this display is limited to 20 results).
Source (created): title
Flashpoint (a year ago): No title
DARKReading (8 months ago): Web Shells Gain Sophistication for Stealth, Persistence
MITRE (a year ago): Threat Assessment: Clop Ransomware
CERT-EU (a year ago): SafeBreach Coverage for US-CERT Alert (AA23-158A) – CVE-2023-34362 MOVEit Vulnerability
CERT-EU (a year ago): Ransomware gang Clop prepped zero-day MOVEit attacks in 2021
Fortinet (a year ago): Ransomware Roundup - Cl0p | FortiGuard Labs
CERT-EU (a year ago): Ransomware Gangs Actively Exploiting PaperCut Server Vulnerabilities