Dewmode

Malware Profile Updated 25 days ago
DEWMODE is a web shell written in PHP that targets Accellion File Transfer Appliance (FTA) devices and is built to interact with the appliance's MySQL database. Once planted on a compromised device, it gives the operator a foothold inside the network and a means of exfiltrating data. During 2020-2021, the threat actor group TA505 exploited several zero-day vulnerabilities to install DEWMODE on internet-facing Accellion FTA servers and used it as a data-theft tool, drawing on its access to the underlying MySQL database of the compromised device. The Cl0p ransomware group also used DEWMODE, along with other tooling such as the LEMURLOOT web shell, SDBot, and the FlawedAmmyy remote access trojan (RAT). According to an analysis published by networking firm F5 in June 2023, the group was observed exploiting vulnerabilities in Kiteworks' Accellion FTA in 2020 and in Progress Software's MOVEit managed file transfer service in May. Microsoft noted in 2021 that the use of such web shells had nearly doubled compared with the previous year, an escalating trend in this form of cyber attack. In a joint advisory, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency highlighted similarities between exploitation of the MOVEit Transfer SQL injection vulnerability and the 2020-21 campaign in which DEWMODE was installed on Accellion FTA servers. A broad range of activity associated with these vulnerabilities has been observed, particularly around Memorial Day weekend (May 27-28). While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, multiple commonalities have been identified in UNC2546's activities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Moveit
Web Shell
Associated Malware
ID | Type | Votes | Profile Description
Clop | Unspecified | 2 | Clop is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. T
Associated Threat Actors
ID | Type | Votes | Profile Description
TA505 | Unspecified | 2 | TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Dewmode malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Flashpoint | a year ago | No title
MITRE | a year ago | Threat Assessment: Clop Ransomware
Fortinet | 10 months ago | Ransomware Roundup - Cl0p | FortiGuard Labs
CERT-EU | a year ago | Ransomware gang Clop prepped zero-day MOVEit attacks in 2021
CERT-EU | a year ago | Ransomware Gangs Actively Exploiting PaperCut Server Vulnerabilities
DARKReading | 6 months ago | Web Shells Gain Sophistication for Stealth, Persistence
CERT-EU | a year ago | SafeBreach Coverage for US-CERT Alert (AA23-158A) – CVE-2023-3462 MOVEit Vulnerability