Lemurloot

Malware updated 5 months ago (2024-05-04T16:29:34.826Z)

Download STIX

Preview STIX

LemurLoot is a malicious software, or malware, specifically a web shell written in C# that targets the MOVEit Transfer platform. It was developed and deployed by the CL0P ransomware group to exploit vulnerabilities in systems and steal data. In May 2023, the group exploited a SQL injection zero-day vulnerability identified as CVE-2023-34362 to install LemurLoot on MOVEit Transfer web applications. This harmful program can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can disrupt operations, steal personal information, or hold data hostage for ransom. The attack involved infecting internet-facing MOVEit Transfer web applications with LemurLoot, which was then used to steal data from underlying MOVEit Transfer databases and internal servers. The Cl0P ransomware group has been associated with other attacks using similar tools such as DEWMODE web shell, SDBot, and the FlawedAmmyy remote access trojan (RAT). This recent exploitation of MOVEit Transfer web applications with LemurLoot showcases the group's expanding repertoire and their ability to hack and steal critical data. The use of web shells like LemurLoot has grown dramatically, with Microsoft noting nearly double the encounters of web shells on monitored servers compared to the prior year, according to an analysis done in 2021. Cl0P notably dropped the DEWMODE and LEMURLOOT Web shells after exploiting vulnerabilities in Kiteworks Accellion FTA in 2020 and Progress Software's MOVEit managed file transfer service in May 2023. These instances highlight the increasing threat posed by such malware and the need for robust cybersecurity measures.

Description last updated: 2024-03-14T15:46:19.484Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Clop

Ransomware

Moveit

Exploit

Web Shell

Vulnerability

exploited

T1190

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The cl0p Threat Actor is associated with Lemurloot. Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-34362 Vulnerability is associated with Lemurloot. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it	Unspecified	3

Source Document References

Information about the Lemurloot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	9 months ago	Top 3 Data Breaches of 2023, and What Lies Ahead in 2024
CERT-EU	9 months ago	The Top 10 Ransomware Groups of 2023
DARKReading	a year ago	Web Shells Gain Sophistication for Stealth, Persistence
DARKReading	a year ago	Web Shells Gain Sophistication for Stealth, Persistence
CERT-EU	a year ago	Bitdefender Threat Debrief \| July 2023
Fortinet	a year ago	Ransomware Roundup - Cl0p \| FortiGuard Labs
CERT-EU	a year ago	Half of EDR Tools, Organizations Vulnerable to Clop Ransomware: Research \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Industrial control system vendors reportedly appear on ransomware attack list - Chemical Engineering \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Lessons From Clop: Combating Ransomware and Cyber Extortion Events - Security Boulevard
Flashpoint	a year ago	Lessons From Clop: Combating Ransomware and Cyber Extortion Events
CERT-EU	a year ago	Cl0p in Your Network? Here's How to Find Out
CERT-EU	a year ago	Uncovered: Clop Ransomware’s Lengthy Zero-Day Testing on the MOVEit Platform \| IT Security News
Flashpoint	2 years ago	No title
CISA	a year ago	#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability \| CISA
CERT-EU	a year ago	Cybersecurity hotlines at colleges could go a long way toward filling the skills gap
CERT-EU	a year ago	Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
CERT-EU	a year ago	SQL injection vulnerability in MOVEit Transfer leads to data breaches worldwide
CERT-EU	a year ago	EY and PwC Among the Many Entities Caught Up in the MOVEit Cybersecurity Breach Ransom \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	CL0P Ransomware Gang’s Exploitation of MOVEit Vulnerability: What It Means for Companies
CERT-EU	a year ago	Coverage Advisory for CVE-2023-34362 MOVEit Vulnerability