A sophisticated cyber intrusion campaign utilizing log poisoning and a new tool called Nezha has been uncovered. The attackers exploited a vulnerable phpMyAdmin interface to deploy a web shell, followed by the installation of Nezha, an open-source server monitoring tool repurposed for malicious activities. The campaign targeted over 100 victims, primarily in Taiwan, Japan, South Korea, and Hong Kong. The threat actors also deployed Ghost RAT, a remote access trojan, for further system compromise. The attack methodology and victimology suggest a China-nexus threat actor, highlighting the need for improved security measures and vigilance against emerging threats.
Author: AlienVault
Related Tags:
log poisoning
Ghost RAT
Nezha
AntSword
china chopper
T1036.004
T1569.002
remote access trojan
T1547.001
Associated Indicators: