Riskware/Adntac

Analysis

Riskware/Adntac is a detection for riskware, which is synonymous with Generic PUA or Generic PUP. Since this is a generic detection, files detected as Riskware/Adntac may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:

  • Files detected as Riskware/Adntac have been associated with Adobe ColdFusion incidents involving the CVE-2023-26359 and CVE-2023-26360 vulnerabilities.

  • Upon execution of the application, the malware may perform malicious actions such as dropping files on the user's computer, e.g. files named "cl[Removed]it.dll" and "cor[Removed]lr.dll" in the TEMP\.net\dncat\[Random] folder.

  • The CVE identifiers included in this detection are:
    • CVE-2023-26359:
      • A vulnerability affecting Adobe ColdFusion versions 2018 (Update 15) and 2021 (Update 5) and prior that allows a logged-in user to execute arbitrary code.
    • CVE-2023-26360:
      • An Improper Access Control vulnerability in Adobe ColdFusion versions 2018 and 2021 updates that could lead to arbitrary code execution.

  • This malware has been associated with the following third-party articles/advisories:
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26360
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26359

  • Below are images of the suspicious files:

    • Figure 1: Files dropped by the malware.

  • Following are some of the near/exact IOCs (file hashes) associated with this detection:
    • MD5: 1edf1d653deb9001565b5eff3e50824a
      SHA256: 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0
    • MD5: 470797a25a6b21d0a46f82968fd6a184
      SHA256: ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419

Outbreak Alert

FortiGuard Labs continues to see cyber-attacks attempting to exploit the ColdFusion vulnerability CVE-2023-26360, blocking several hundred attacks over the last weeks.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate (Extended)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb (Web Application Firewall)
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date         Version    Detail
2023-12-18   91.09831
2023-10-03   91.07527
2023-09-01   91.06564
2023-08-22   91.06273