Speculoos

Description

(Palo Alto) We identified a total of five samples from our dataset, all of which were approximately the same file size, but contain minute differences amongst the sample set. The subtle differences indicate that they likely originated from the same developer and were either recompiled or patched. As described by FireEye, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands.

Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

Names

Name
Speculoos

Category

Malware

Type

• Backdoor
• Info stealer
• Exfiltration

Information

• https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/
• https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
• https://www.secureworks.com/research/threat-profiles/bronze-atlas

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos

Other Information

Uuid

0e4ffad1-f5b0-4e3d-af45-c3b017566c1e

Last Card Change

2021-04-24