NGC4020 Attacks: DameWare Mini Remote Control Vulnerability
Jan. 31, 2025, 11:06 a.m.
Description
The Solar 4RAYS team investigated a cyberattack on an industrial company, uncovering that attackers exploited a vulnerability in DameWare Mini Remote Control to deliver malware and disable security protections. The NGC4020 group initially compromised systems in December 2022 using CVE-2019-3980. They deployed Java-based reverse shells, QuasarRAT, and custom malware to disable antivirus software. The attackers used a stolen expired code-signing certificate to load a malicious kernel driver. While they successfully disabled security controls, an error in task creation prevented further attack progression. The report provides technical details on the malware components and evasion techniques used.
Tags
Date
- Created: Jan. 31, 2025, 9:54 a.m.
- Published: Jan. 31, 2025, 9:54 a.m.
- Modified: Jan. 31, 2025, 11:06 a.m.
Attack Patterns
- Java ReverseTcp
- QuasarRAT
- NGC4020
- T1553.006
- T1543.003
- T1574.002
- T1571
- T1562.001
- T1070
- T1218
- T1055
- T1036
- T1140
- T1027
- T1112
- T1090
- T1078
- T1068
- T1003
- T1059
Additional Information
- Manufacturing
- Russian Federation