Riskware/Adntac
Analysis
Riskware/Adntac is a detection for riskware; this is synonymous with Generic PUA or Generic PUP.
Since this is a generic detection, riskware detected as Riskware/Adntac may vary in behaviour.
Below are some of its observed characteristics/behaviours:
- Files detected as Riskware/Adntac have been associated with Adobe ColdFusion incidents involving the CVE-2023-26359 and CVE-2023-26360 vulnerabilities.
- Upon execution of the application, the malware may perform malicious actions such as dropping files on the user's computer, with filenames e.g. "cl[Removed]it.dll" and "cor[Removed]lr.dll", in the TEMP\.net\dncat\[Random] folder.
- The CVE identifiers included in this detection are:
  - CVE-2023-26359:
    - A vulnerability affecting Adobe ColdFusion versions 2018 (Update 15) and 2021 (Update 5) and prior allows a logged-in user to execute arbitrary code.
  - CVE-2023-26360:
    - An Improper Access Control vulnerability in Adobe ColdFusion versions 2018 and 2021 upgrades could lead to arbitrary code execution.
- This malware has been associated with the following third-party articles/advisories:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26360
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26359
- Sample hashes:
  - MD5: 1edf1d653deb9001565b5eff3e50824a
    SHA256: 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0
  - MD5: 470797a25a6b21d0a46f82968fd6a184
    SHA256: ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419
Outbreak Alert
FortiGuard Labs continues to see cyber-attacks attempting to exploit the ColdFusion vulnerability CVE-2023-26360, blocking many hundreds of attacks over the last weeks.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
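To check a host for the dropped files described above, here is an added example (not FortiGuard's own tooling) that walks TEMP\.net\dncat\<random> for DLLs and compares each file's MD5/SHA256 with the indicators listed on this page; the demo() helper and its "sample.dll" are constructed for illustration and use a throwaway temporary directory rather than the real TEMP folder.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5/SHA256 values listed on this page for files detected as Riskware/Adntac.
KNOWN_MD5 = {"1edf1d653deb9001565b5eff3e50824a", "470797a25a6b21d0a46f82968fd6a184"}
KNOWN_SHA256 = {
    "213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0",
    "ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419",
}

def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, read in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def scan_dncat(temp_root, known_md5=KNOWN_MD5, known_sha256=KNOWN_SHA256):
    """List every DLL under <temp_root>/.net/dncat/<random>/ with its hashes.
    Any DLL there deserves a look; 'known' is True when a hash matches one of
    the page's indicators. A missing dncat directory yields an empty list.
    On a Windows host pass os.environ["TEMP"] as temp_root."""
    dncat = Path(temp_root) / ".net" / "dncat"
    findings = []
    if not dncat.is_dir():
        return findings
    for item in sorted(dncat.rglob("*")):
        if item.is_file() and item.suffix.lower() == ".dll":
            md5, sha = file_hashes(item)
            findings.append({"path": str(item), "md5": md5, "sha256": sha,
                             "known": md5 in known_md5 or sha in known_sha256})
    return findings

def demo():
    """Build a constructed TEMP tree holding a hypothetical 'sample.dll' and
    scan it twice: first with the file's own SHA256 injected as an indicator
    (exercising the match path), then against the page's real indicators."""
    payload = b"constructed sample, not a real binary"
    with tempfile.TemporaryDirectory() as tmp:
        sub = Path(tmp) / ".net" / "dncat" / "a1b2c3"
        sub.mkdir(parents=True)
        (sub / "sample.dll").write_bytes(payload)
        own_sha = hashlib.sha256(payload).hexdigest()
        return scan_dncat(tmp, known_sha256={own_sha}), scan_dncat(tmp)

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

A DLL under that path whose hash is not on the list is still worth submitting for analysis, since the page's hash list is not exhaustive.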
Telemetry
Detection Availability
- FortiGate
- Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR