DEWMODE is a PHP web shell built for the legacy Accellion File Transfer Appliance (FTA). Once written into the appliance's web root it queries the FTA's own MySQL database to enumerate the stored files and their metadata and presents them to the operator with download links; its purpose is bulk theft of the files the appliance holds, not movement into the victim's internal network. Between mid-December 2020 and January 2021 the actor Mandiant tracks as UNC2546, whose activity overlaps with TA505/FIN11 and the Cl0p extortion operation, chained four then-unpatched FTA vulnerabilities (the SQL injection CVE-2021-27101, the OS command execution flaws CVE-2021-27102 and CVE-2021-27104, and the SSRF CVE-2021-27103) to drop DEWMODE on internet-facing FTA servers, with the SQL injection as the entry point, and then used the shell to download victim data that was later used for extortion.
The Cl0p ransomware group, which ran the extortion side of these campaigns, has used DEWMODE alongside other tooling: the LEMURLOOT web shell, the SDBot backdoor and the FlawedAmmyy remote access trojan (RAT). SDBot and FlawedAmmyy are not web shells but the commodity malware the group relies on for access and control after an intrusion. According to an analysis published by networking firm F5 in June 2023, the group exploited Accellion (now Kiteworks) FTA in 2020 and Progress Software's MOVEit Transfer managed file transfer product in May 2023, dropping LEMURLOOT rather than DEWMODE in the latter case. Microsoft reported in early 2021 that the web shells it observed had nearly doubled compared with the previous year, a trend these campaigns fit.
In their joint advisory on the MOVEit campaign, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency highlighted the similarities between exploitation of the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362) and the 2020-21 campaign that placed DEWMODE on Accellion FTA servers: in both cases a SQL injection flaw in an internet-facing file transfer product was used to install a web shell that enumerates and downloads the stored files. Exploitation of MOVEit Transfer was observed across a broad set of victims, concentrated around the US Memorial Day weekend of May 27-28, 2023. Mandiant's February 2021 analysis of the FTA intrusions, written while the vulnerabilities leveraged to install DEWMODE were still being analyzed, had already identified multiple commonalities across UNC2546's activity.
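A hunting heuristic that follows from the behaviour described above, as an added example for this page (it is not DEWMODE's code and not taken from Mandiant, F5 or the FBI/CISA advisory): a web shell dropped on a file transfer appliance shows up in the web server's access log as a script path that never appeared before the intrusion and then serves a large volume of bytes to a handful of client addresses. The log lines, paths, IP addresses, baseline date and thresholds are constructed for illustration and are not indicators of compromise.

```python
"""Hunt for web-shell-style bulk download activity in Apache combined-format
access logs.

Added example for this page; it is not DEWMODE, Mandiant or FBI/CISA code.
The log lines, paths, IP addresses and thresholds below are constructed for
illustration and are not indicators of compromise."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache combined log format: client, ident, user, [timestamp], "request",
# status, response bytes ("-" when nothing was sent), referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (hypothetical hosts and paths, not real IOCs).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2021:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2021:09:15:44 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jan/2021:14:02:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not a valid log record',
    '192.0.2.9 - - [20/Jan/2021:02:01:10 +0000] "GET /static/cache.php HTTP/1.1" 200 18342 "-" "curl/7.64.0"',
    '192.0.2.9 - - [20/Jan/2021:02:01:55 +0000] "GET /static/cache.php?dl=17 HTTP/1.1" 200 734003211 "-" "curl/7.64.0"',
    '192.0.2.9 - - [20/Jan/2021:02:03:10 +0000] "GET /static/cache.php?dl=18 HTTP/1.1" 200 522017700 "-" "curl/7.64.0"',
    '192.0.2.9 - - [20/Jan/2021:02:04:00 +0000] "GET /static/cache.php?dl=19 HTTP/1.1" 404 231 "-" "curl/7.64.0"',
    '198.51.100.7 - - [20/Jan/2021:08:10:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"',
]

# Everything seen before this (constructed) instant is treated as known-good.
BASELINE_END = datetime(2021, 1, 15, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        # Strip the query string so /x.php and /x.php?dl=17 count as one script.
        'path': m['target'].split('?', 1)[0],
        'status': int(m['status']),
        'bytes': 0 if m['bytes'] == '-' else int(m['bytes']),
    }


def find_suspicious_scripts(lines, baseline_end, min_bytes, max_clients):
    """Return {path: stats} for paths unseen before baseline_end that then
    served at least min_bytes (successful responses only) to at most
    max_clients distinct source addresses.  Unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    known = {e['path'] for e in events if e['ts'] < baseline_end}
    stats = defaultdict(lambda: {'bytes': 0, 'requests': 0,
                                 'clients': set(), 'first_seen': None})
    for e in sorted(events, key=lambda e: e['ts']):
        if e['ts'] < baseline_end or e['path'] in known:
            continue
        s = stats[e['path']]
        s['requests'] += 1
        s['clients'].add(e['ip'])
        if s['first_seen'] is None:
            s['first_seen'] = e['ts']
        if 200 <= e['status'] < 300:
            s['bytes'] += e['bytes']
    return {p: s for p, s in stats.items()
            if s['bytes'] >= min_bytes and len(s['clients']) <= max_clients}


def hunt(lines=SAMPLE_LOG, baseline_end=BASELINE_END):
    # 100 MiB from at most three clients: constructed thresholds, tune them to
    # the appliance's normal download profile.
    return find_suspicious_scripts(lines, baseline_end,
                                   min_bytes=100 * 1024 * 1024, max_clients=3)


if __name__ == '__main__':
    for path, s in hunt().items():
        print(f"{path}: {s['requests']} requests, {s['bytes']} bytes, "
              f"clients={sorted(s['clients'])}, "
              f"first seen {s['first_seen']:%Y-%m-%d %H:%M}")
```

On the constructed sample the hunt flags only /static/cache.php (one client, four requests, roughly 1.2 GB served), while the new-but-harmless /favicon.ico falls under the byte threshold. Web shells of this class commonly carry a cleanup routine that deletes the shell and scrubs its own entries from the local web logs, so run a hunt like this against logs that were shipped off the appliance, and pair it with a file-integrity comparison of the web root against a known-good image.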
Description last updated: 2024-05-04T19:19:17.011Z