Cybersecurity researchers at Palo Alto Networks have recently identified a malicious campaign that has been exploiting a remote code execution vulnerability in Zoho's widely used password management and single sign-on product.

Nine entities across the technology, defense, healthcare, energy, and education industries were compromised through exploitation of the newly patched critical vulnerability in Zoho's ManageEngine ADSelfService Plus.

The campaign started on September 22, 2021. In this espionage campaign, the attackers exploited the flaw to gain initial access to the organizations they were targeting.

The threat actors then moved laterally through the network to carry out post-exploitation activity, deploying malicious tools purpose-built to harvest credentials and exfiltrate sensitive data through a backdoor.

Threat Actor Activity

This campaign was found to be targeting the following sectors:- 

  • Defense Industrial Base
  • Higher education
  • Consulting services
  • Information technology

MSTIC (Microsoft Threat Intelligence Center) indicated that this campaign is operated by DEV-0322, a group operating out of China, and described several of its activities.

These activities include credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.

Deploying Zebracon malware

DEV-0322 also deployed a Trojan detected as Trojan:Win64/Zebracon. According to Microsoft, the Trojan uses hardcoded credentials to connect to Zimbra email servers suspected to have been compromised by DEV-0322.

Zebracon uses these connections to receive commands from a DEV-0322-controlled mailbox.

Microsoft Defender Antivirus detects the components of this threat as the following malware:-

  • Trojan:MSIL/Gacker.A!dha
  • Backdoor:MSIL/Kokishell.A!dha
  • Trojan:Win64/Zebracon.A!dha

Endpoint detection and response (EDR)

The following EDR alert titles in the security center can indicate this activity:-

  • DEV-0322 Actor activity detected​
  • Malware from possible exploitation of CVE-2021-40539

Customers using the Microsoft 365 Defender portal can also view, investigate, and respond to incidents that involve any detections associated with this DEV-0322 activity.

Microsoft Sentinel hunting queries

  • Name: DEV-0322 Command-Line Activity November 2021
  • Description: This hunting query looks for process command-line activity that matches known DEV-0322 activity.
  • Name: Surface devices with the CVE-2021-40539 vulnerability
  • Description: This query looks for devices in your organization that are likely vulnerable to CVE-2021-40539.
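As an added illustration of what the second hunting query does, the KQL below surfaces devices that Defender Vulnerability Management has flagged for CVE-2021-40539 and joins in each device's most recent public IP and logged-on users. This is not Microsoft's published query; it is an example written for this article and assumes that the Microsoft 365 Defender connector is streaming the DeviceTvmSoftwareVulnerabilities and DeviceInfo tables into the Sentinel workspace.

```kql
// Added example, not the Microsoft-published hunting query.
// Assumes DeviceTvmSoftwareVulnerabilities and DeviceInfo are available
// in the workspace via the Microsoft 365 Defender connector.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2021-40539"
| project DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName,
          SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| join kind=leftouter (
    // Latest inventory record per device, for exposure and user context
    DeviceInfo
    | summarize arg_max(Timestamp, PublicIP, LoggedOnUsers) by DeviceId
  ) on DeviceId
| project-away DeviceId1, Timestamp
| sort by VulnerabilitySeverityLevel asc, DeviceName asc
```

Devices returned by this query that also appear in the EDR alerts listed above should be prioritized for patching and investigated for the credential-dumping and persistence activity described in this campaign.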

The adversary is believed to have targeted nearly 370 Zoho ManageEngine servers in the U.S. on September 17.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.