ZuoRAT Analysis

IOB - Indicator of Behavior (125)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 94
zh: 30
es: 2


Country

cn: 88
us: 36
tw: 2


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Mail2000: 4
Cisco RV016: 4
Cisco RV042: 4
Cisco RV082: 4
Cisco RV320: 4


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
--|---------------|------|------|------|-------|-----|-----|------|-----|----
1 | QNAP QTS Photo Station privileges management | 8.5 | 8.4 | $0-$5k | $0-$5k | High | Official Fix | 0.96341 | 0.00 | CVE-2019-7192
2 | Deltek Vision RPC over HTTP SQL sql injection | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00576 | 0.08 | CVE-2018-18251
3 | Mail2000 Login portal cross site scripting | 5.2 | 4.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00334 | 0.04 | CVE-2019-15072
4 | Zoho ManageEngine ADSelfService Plus code injection | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00562 | 0.00 | CVE-2020-11518
5 | RuoYi edit sql injection | 7.6 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00076 | 0.00 | CVE-2023-49371
6 | BDCOM 1704-WGL Backup File param.file.tgz information disclosure | 5.3 | 4.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00120 | 0.08 | CVE-2023-0659
7 | Shopro Mall System sql injection | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00172 | 0.07 | CVE-2022-35154
8 | wix-embedded-mysql com.wix.mysql.distribution.Setup.apply code injection | 7.6 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00128 | 0.04 | CVE-2023-39021
9 | Blueriver Sava CMS fileManager.cfc path traversal | 5.3 | 5.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.03023 | 0.04 | CVE-2010-3468
10 | Mura CMS Draggable Feeds readRSS.cfm xml external entity reference | 6.4 | 5.8 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.01204 | 0.00 | CVE-2017-15639
11 | Gibbon file inclusion | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02842 | 0.09 | CVE-2023-34598
12 | Slider Revolution Plugin Image File unrestricted upload | 7.5 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00097 | 0.04 | CVE-2023-2359
13 | Essential Grid Plugin authorization | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.02 | CVE-2023-47771
14 | Citrix ShareFile StorageZones Controller access control | 9.8 | 9.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.97420 | 0.04 | CVE-2023-24489
15 | HPE ArubaOS AirWave Client Service buffer overflow | 9.8 | 9.6 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.00187 | 0.03 | CVE-2023-45616
16 | VMware Workspace ONE UEM Console SAML Response redirect | 6.4 | 6.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.00 | CVE-2023-20886
17 | D-Link D-View coreservice_action_script Remote Code Execution | 9.8 | 9.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00065 | 0.00 | CVE-2023-44414
18 | Citrix XenMobile Server command injection | 5.5 | 5.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00248 | 0.00 | CVE-2022-26151
19 | y_project RuoYi GenController sql injection | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00133 | 0.04 | CVE-2022-4566
20 | VMware Horizon Server information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00046 | 0.04 | CVE-2023-34038

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (47)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
---|-------|-----------|------|-----------
1 | File | .kdbgrc | predictive | Low
2 | File | /../../conf/template/uhttpd.json | predictive | High
3 | File | /cgi-bin/go | predictive | Medium
4 | File | /cgi-bin/portal | predictive | High
5 | File | /etc/shadow | predictive | Medium
6 | File | /etc/sudoers | predictive | Medium
7 | File | /xxxxx.xxxx.xxx | predictive | High
8 | File | /xxxxxxxxx//../ | predictive | High
9 | File | /xxxxxx/xxxx/xxxx | predictive | High
10 | File | /xxxxxxx/ | predictive | Medium
11 | File | xxx-xxx/xxxxxxxxxxxx.xxx/xxxxxxxxxxxx | predictive | High
12 | File | xxx/xxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx | predictive | High
13 | File | xxxx/xxxxxxxxxxxxx.xxx | predictive | High
14 | File | xxxxxxxxxxx.xxx | predictive | High
15 | File | xxxxxxxx/xxxxxx/xxxxx.xxx | predictive | High
16 | File | xxxxxx/xxxxxxxxxxxx | predictive | High
17 | File | xxx/xxxxxx.xxx | predictive | High
18 | File | xxxxxxxx/xxxxxxxxxx/xxxxx-xx-xxxxxxxxx-xxxxxxxx.xxx | predictive | High
19 | File | xxxxx.xxx | predictive | Medium
20 | File | xxxxxxxxxxx-xxxx.xx | predictive | High
21 | File | xxxxxxx.xxx | predictive | Medium
22 | File | xxxxx_xxxxxx_xxxxxxxx.xxx | predictive | High
23 | File | xxxxxxxxxx/xxxxxxxxxx_xxxx.xxx?xxxxxx=xxxxxx | predictive | High
24 | File | xxx.x | predictive | Low
25 | File | xxxx.xx.xx | predictive | Medium
26 | File | xxxxxx.xxx | predictive | Medium
27 | File | xxxxx/xxxx/xxxxxxx.xxx | predictive | High
28 | File | xxxxxx/xxxxxxxxxxx/xxxx_xxxxxxx.xxx | predictive | High
29 | File | xxxxxxxx.xxx | predictive | Medium
30 | Library | xxxxxxx.xxx | predictive | Medium
31 | Argument | xxxxxx | predictive | Low
32 | Argument | xxxx_xxxxxxx | predictive | Medium
33 | Argument | xxxxxxxx | predictive | Medium
34 | Argument | xxx_xxxxxx_x | predictive | Medium
35 | Argument | xxxxxxxxxxx | predictive | Medium
36 | Argument | xxxxxxxxxx | predictive | Medium
37 | Argument | xxxxxx | predictive | Low
38 | Argument | xxxxxx_xxxxx_xxx | predictive | High
39 | Argument | xx | predictive | Low
40 | Argument | xxxxxx/xxxxxx_xxxxxx | predictive | High
41 | Argument | xxx | predictive | Low
42 | Argument | xxxxxxxx | predictive | Medium
43 | Argument | xxxxx | predictive | Low
44 | Input Value | xxxx/xxxxx/xxxxxxxx/xxxxxxx/xx/xxxxxxx/xxxxxxxxxx/xx_xxxx | predictive | High
45 | Input Value | \x | predictive | Low
46 | Network Port | xxxxx | predictive | Low
47 | Network Port | xxx/xx (xxx) | predictive | Medium

References (3)

The following list contains external sources which discuss the actor and the associated activities:
