Dewmode

Malware updated 7 months ago (2024-05-04T20:19:34.774Z)
Download STIX
Preview STIX
DEWMODE is a malicious web shell malware, written in PHP, designed to interact with MySQL databases and specifically target Accellion FTA devices. It operates by infiltrating the compromised network and exfiltrating data. During 2020-2021, threat actor group TA505 exploited several zero-day vulnerabilities to install DEWMODE on internet-facing Accellion FTA servers. The malware was used as a tool for data theft, exploiting its ability to interact with the underlying MySQL database of the compromised device. The Cl0p ransomware group also utilized DEWMODE, along with other web shells like LEMURLOOT, SDBot, and the FlawedAmmyy remote access trojan (RAT). They were observed exploiting vulnerabilities in Kiteworks Accellion FTA in 2020 and Progress Software's MOVEit managed file transfer service in May, according to an analysis by networking firm F5 in June 2023. Microsoft noted in 2021 that the use of such web shells had nearly doubled compared to the previous year, indicating an escalating trend in this form of cyber attack. In a joint advisory, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency highlighted similarities between the MOVEit Transfer SQL injection vulnerability exploit and the 2020-21 campaign where DEWMODE was installed on Accellion FTA servers. There has been evidence of a broad range of activity associated with these vulnerabilities, particularly around Memorial Day weekend (May 27-28). While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, multiple commonalities have been identified in UNC2546's activities.
Description last updated: 2024-05-04T19:19:17.011Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Moveit
Web Shell
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Clop Malware is associated with Dewmode. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The TA505 Threat Actor is associated with Dewmode. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. CybersecUnspecified
2
Source Document References
Information about the Dewmode Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more