Cleo Software Exploitation IOCs

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Neo23x0 · Dec 10, 2024 · bf3774c · bf3774c
1 parent 1b7d496
commit bf3774c
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 1 deletion.
diff --git a/iocs/c2-iocs.txt b/iocs/c2-iocs.txt
@@ -1900,4 +1900,12 @@ earn.fm
 speedshare.app
 repocket.com
 
-# Last Line
+# Cleo Software Exploitation https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+176.123.5.126;65
+5.149.249.226;65
+185.181.230.103;65
+209.127.12.38;65
+181.214.147.164;65
+192.119.99.42;65
+
+# Last Line
diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt
@@ -4423,4 +4423,9 @@ C:\\perflogs\\RunSchedulerTaskOnce\.ps1;85
 \\AppData\\Local\\Packages\\Microsoft\.Outlook_[a-zA-Z0-9]{1,50}\\.{0,120}\\[^\\]{1,80}\.rdp$;70
 \\AppData\\Local\\Microsoft\\Olk\\Attachments\\([^\\]{1,50}\\){0,5}[^\\]{1,80}\.rdp$;70
 
+# Cleo Software Exploitation https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+60282967-dc91-40ef-a34c-38e992509c2c\.xml;85
+\\healthchecktemplate\.txt;75
+\\healthcheck\.txt;60
+
 # End
diff --git a/yara/expl_cleo_dec24.yar b/yara/expl_cleo_dec24.yar
@@ -0,0 +1,33 @@
+
+rule EXPL_Cleo_Exploitation_Log_Indicators_Dec24 : SCRIPT {
+   meta:
+      description = "Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024)"
+      author = "Florian Roth"
+      reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
+      date = "2024-12-10"
+      score = 75
+   strings:
+      $x1 = "Note: Processing autorun file 'autorun\\health" ascii wide
+      $x2 = "60282967-dc91-40ef-a34c-38e992509c2c.xml" ascii wide
+      $x3 = "<Detail level=\"1\">Executing 'cmd.exe /c \"powershell -NonInteractive -EncodedCommand " ascii wide
+   condition:
+      1 of them
+}
+
+rule EXPL_Cleo_Exploitation_PS1_Indicators_Dec24 : SCRIPT {
+   meta:
+      description = "Detects encoded PowerShell loader used during and after Cleo software exploitation (as reported by Huntress in December 2024)"
+      author = "Florian Roth"
+      reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
+      date = "2024-12-10"
+      score = 75
+   strings:
+      $xe1 = "Start-Process -WindowStyle Hidden -FilePath jre\\bin\\java.exe" base64 ascii wide
+      $xe2 = "$f=\"cleo." base64 ascii wide
+      $xe3 = "<Detail level=\"1\">Executing 'cmd.exe /c \"powershell -NonInteractive -EncodedCommand " base64 ascii wide
+
+      $x1 = "$f=\"cleo." ascii wide
+      $x2 = "<Detail level=\"1\">Executing 'cmd.exe /c \"powershell -NonInteractive -EncodedCommand " ascii wide
+   condition:
+      1 of them
+}