VirusJava/Ivmob.EPMM!tr
Analysis
Java/Ivmob.EPMM!tr is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as Java/Ivmob.EPMM!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is associated with the Ivanti Endpoint Manager Mobile outbreak and involves the CVE-2023-35078 and CVE-2023-35081 vulnerability.
- Java/Ivmob.EPMM!tr allows an unauthenticated attacker to obtain access to sensitive data and modify compromised servers. The malware may perform malicious actions such as deleting log entries based on the strings in "keywords.txt".
- The CVE identifiers included in this detection are:
- CVE-2023-35078 :
- vulnerability affecting the Ivanti Endpoint Manager Mobile that enables remote attackers to access personally identifiable information (PII) and modify the configuration on compromised systems.
- CVE-2023-35081:
- vulnerability affecting the EPMM web application server,access to admin privileges, enabling the operating system to write arbitrary files.
- CVE-2023-35078 :
- Below are images of the suspicious strings:
- Figure 1: Image showing log entries and keyword string found in the malware sample.
- This malware has been associated with the following third party article/advisory.
https://nvd.nist.gov/vuln/detail/CVE-2023-35078 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35078 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35081
- MD5: 1c8e55823e415fabeffca526aa285072
Sha256: 6255c75e2e52d779da39367e7a7d4b8d1b3c9c61321361952dcc05819251a127
Outbreak Alert
Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains an authentication bypass vulnerability (CVE-2023-35078) that allows unauthenticated access to specific API paths and a path traversal vulnerability (CVE-2023-35081). An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes including installing software and modifying security profiles on registered devices.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |