NGC4020 Attacks: DameWare Mini Remote Control Vulnerability

Jan. 31, 2025, 11:06 a.m.

Description

The Solar 4RAYS team investigated a cyberattack on an industrial company, uncovering that attackers exploited a vulnerability in DameWare Mini Remote Control to deliver malware and disable security protections. The NGC4020 group initially compromised systems in December 2022 using CVE-2019-3980. They deployed Java-based reverse shells, QuasarRAT, and custom malware to disable antivirus software. The attackers used a stolen expired code-signing certificate to load a malicious kernel driver. While they successfully disabled security controls, an error in task creation prevented further attack progression. The report provides technical details on the malware components and evasion techniques used.

External References

https://rt-solar.ru/solar-4rays/blog/5202
https://otx.alienvault.com/pulse/679c9df3247a575708aecc8a
Tags
vulnerability
quasarrat
reverse shell
antivirus bypass
2025-01-31
dameware

Date

  • Created: Jan. 31, 2025, 9:54 a.m.
  • Published: Jan. 31, 2025, 9:54 a.m.
  • Modified: Jan. 31, 2025, 11:06 a.m.

Attack Patterns

  • Java ReverseTcp
  • QuasarRAT
  • NGC4020
  • T1553.006
  • T1543.003
  • T1574.002
  • T1571
  • T1562.001
  • T1070
  • T1218
  • T1055
  • T1036
  • T1140
  • T1027
  • T1112
  • T1090
  • T1078
  • T1068
  • T1003
  • T1059

Additional Informations

  • Manufacturing
  • Russian Federation