Lemurloot

Malware updated 7 months ago (2024-05-04T16:29:34.826Z)
LemurLoot is a web shell written in C# that targets the MOVEit Transfer platform. It was developed and deployed by the CL0P ransomware group to exploit vulnerable systems and steal data. In May 2023, the group exploited a SQL injection zero-day vulnerability, CVE-2023-34362, to install LemurLoot on MOVEit Transfer web applications. This harmful program can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside it can disrupt operations, steal personal information, or hold data hostage for ransom.

The attack infected internet-facing MOVEit Transfer web applications with LemurLoot, which was then used to steal data from the underlying MOVEit Transfer databases and from internal servers. CL0P has been associated with other attacks using similar tools, such as the DEWMODE web shell, SDBot, and the FlawedAmmyy remote access trojan (RAT). The exploitation of MOVEit Transfer web applications with LemurLoot showcases the group's expanding repertoire and its ability to break into systems and steal critical data.

The use of web shells like LemurLoot has grown dramatically: in an analysis published in 2021, Microsoft noted nearly double the number of web shell encounters on monitored servers compared to the prior year. CL0P notably dropped the DEWMODE and LemurLoot web shells after exploiting vulnerabilities in Kiteworks' Accellion FTA in 2020 and in Progress Software's MOVEit managed file transfer service in May 2023. These instances highlight the increasing threat posed by such malware and the need for robust cybersecurity measures.
Description last updated: 2024-03-14T15:46:19.484Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Moveit
Exploit
Web Shell
Vulnerability
exploited
T1190
Associated Malware
Alias: Clop
Description: The Clop Malware is associated with Lemurloot. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin…
Association Type: Unspecified
Votes: 5
Associated Threat Actors
Alias: cl0p
Description: The cl0p Threat Actor is associated with Lemurloot. Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at…
Association Type: Unspecified
Votes: 2
Associated Vulnerabilities
Alias: CVE-2023-34362
Description: The CVE-2023-34362 Vulnerability is associated with Lemurloot. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it…
Association Type: Unspecified
Votes: 3