Geeks for your information
Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers - Printable Version

+- Geeks for your information (https://www.geeks.fyi)
+-- Forum: News (https://www.geeks.fyi/forumdisplay.php?fid=105)
+--- Forum: Privacy & Security News (https://www.geeks.fyi/forumdisplay.php?fid=107)
+--- Thread: Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers (/showthread.php?tid=14202)
Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers - silversurfer - 02 February 21

Quote: Advanced persistent threat (APT) group Lebanese Cedar has compromised at least 250 public-facing servers since early 2020, researchers said, with its latest malware.

The group has added new features to its custom “Caterpillar” webshell and the “Explosive RAT” remote access trojan (RAT), both of which researchers at ClearSky Security said they linked to the compromise of the public servers [PDF], which allowed widespread espionage.

“The target companies are from many countries including: The United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority,” according to researchers. “We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years.”

Lebanese Cedar’s hallmark is trolling for vulnerable systems. The latest, fourth version of Explosive RAT has been used against unpatched Oracle (CVE-2012-3152) and Atlassian (CVE-2019-3396 and CVE-2019-11581) web servers, ClearSky said. The group is also the only APT group known to use the Explosive RAT code, ClearSky added.

ClearSky said it identified specific upgrades made to the new Explosive RAT versus the previous version, which was first used back in 2015 — namely anti-debugging and encrypted communications between the compromised machine and the command-and-control (C2) server.

“Explosive utilizes multiple evasion techniques to avoid detection and maintain persistence, such as obfuscation, communication encryption and using a separate DLL for API activity,” ClearSky’s report said. “Since 2015, the tool had been minorly changed in obfuscation and communication encryption. The RAT’s control network is well thought out. It consists of default hard-coded C2 servers, static update servers and DGA-based dynamic update servers.”

Read more: https://threatpost.com/hezbollah-lebanese-cedar-apt-servers/163555/