FF-Rat Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (25)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en16
zh10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn18
us8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Kuluoz1
FF-Rat1
PlugX1
Cobalt Strike1
UNC48411

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined14
Firewall Software2
Cloud Software2
Programming Language Software2
Content Management System2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

ONLYOFFICE8
Not Defined8
Squid2
Western Digital2
Bitrix2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

ONLYOFFICE Server4
Squid Proxy2
Western Digital My Cloud Cloud2
Western Digital Mirror Gen22
Western Digital EX2 Ultra2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Cisco Unity Connection unrestricted upload8.18.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.001270.06CVE-2024-20272
2KeyCloak Password Reset password recovery6.56.4$0-$5k$0-$5kNot DefinedOfficial Fix0.002930.00CVE-2017-12161
3ONLYOFFICE Document Server FontFileBase.h heap-based overflow5.55.3$0-$5k$0-$5kNot DefinedOfficial Fix0.002110.00CVE-2022-29777
4ONLYOFFICE Server User Name input validation4.54.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.000710.03CVE-2021-43448
5ONLYOFFICE Server Document Editor Service server-side request forgery6.86.5$0-$5k$0-$5kProof-of-ConceptNot Defined0.001000.04CVE-2021-43449
6ONLYOFFICE Document Server Example editor cross site scripting3.53.4$0-$5k$0-$5kNot DefinedOfficial Fix0.001160.03CVE-2022-24229
7ONLYOFFICE Document Server WebSocket API sql injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.001740.00CVE-2020-11537
8ONLYOFFICE Server Document Editor improper authentication6.96.6$0-$5k$0-$5kProof-of-ConceptNot Defined0.000760.04CVE-2021-43447
9ONLYOFFICE Community Server UploadProgress.ashx unrestricted upload8.07.9$0-$5k$0-$5kNot DefinedOfficial Fix0.006330.04CVE-2023-34939
10vsftpd deny_file unknown vulnerability3.73.6$0-$5k$0-$5kNot DefinedOfficial Fix0.003120.09CVE-2015-1419
11Atlassian Confluence Server/Confluence Data Center Webwork OGNL injection6.36.0$0-$5k$0-$5kHighOfficial Fix0.974470.04CVE-2021-26084
12PHPMailer Phar Deserialization addAttachment deserialization5.55.3$0-$5k$0-$5kNot DefinedOfficial Fix0.007480.00CVE-2020-36326
13Squid Proxy HTTP Header information disclosure6.66.6$5k-$25k$5k-$25kNot DefinedNot Defined0.007350.00CVE-2019-12529
14PHP com_print_typeinfo memory corruption10.09.4$25k-$100k$0-$5kProof-of-ConceptNot Defined0.256030.05CVE-2012-2376
15Oracle WebLogic Server Console Remote Code Execution9.89.4$5k-$25k$0-$5kHighOfficial Fix0.974720.00CVE-2020-14882
16PbootCMS code injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.040220.00CVE-2018-19595
17Microsoft Windows Win32k access control7.97.7$25k-$100k$5k-$25kNot DefinedOfficial Fix0.000580.00CVE-2019-0623
18Western Digital PR4100 webfile_mgr.cgi link following7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.017020.03CVE-2019-9949
19PHP Scripts Mall Professional Service Script review.php sql injection8.57.9$0-$5k$0-$5kNot DefinedNot Defined0.002120.00CVE-2017-17928
20Alt-N MDaemon Worldclient user session7.37.0$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.000000.00

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
159.188.16.147FF-Rat03/10/2022verifiedHigh
2XX.XX.XX.XXXxxx.xx.xx.xx.xxxxxx.xxxxxx.xxxxxxxx.xxxxxxx.xxxXx-xxx03/10/2022verifiedHigh
3XXX.XX.XXX.XXXXx-xxx03/10/2022verifiedHigh
4XXX.XX.XX.XXXx-xxx03/10/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3TXXXXCAPEC-242CWE-XXXxxxxxxx XxxxxxxxxpredictiveHigh
4TXXXX.XXXCAPEC-209CWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCAPEC-CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
7TXXXXCAPEC-50CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
8TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
9TXXXX.XXXCAPEC-1CWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (17)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/example/editorpredictiveHigh
2Fileadmin/review.phppredictiveHigh
3Filecgi-bin/webfile_mgr.cgipredictiveHigh
4Filexxxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx/xxxxxxxxxxxx.xpredictiveHigh
5Filexxx.xxpredictiveLow
6Filexxxxx.xxx/xxxx/x/predictiveHigh
7Filexxxxxxxxxxxxxx.xxxxpredictiveHigh
8Libraryxxxxxxxxxxx.xxxpredictiveHigh
9ArgumentxxxxxxxpredictiveLow
10ArgumentxxxxxpredictiveLow
11ArgumentxxpredictiveLow
12ArgumentxxxxpredictiveLow
13ArgumentxxxxxxxpredictiveLow
14ArgumentxxxxpredictiveLow
15Argumentxxxx->xxxxxxxpredictiveHigh
16Input Value<xxx xxx="xxxx://x"; xx xxxxxxx="$(’x').xxxx(’xxxxxx’)" />predictiveHigh
17Input Value{xxxxx:xx(xxxx($_xxx[x]))}x{/xxxxx:xx}predictiveHigh

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!