W64/ClopMFT.BVF!tr

Analysis

W64/ClopMFT.BVF!tr is a generic detection for a trojan.
Because the detection is generic, samples flagged as W64/ClopMFT.BVF!tr may differ in behaviour from one another.
Below are some of the characteristics and behaviours observed so far:

  • This malware is related to the GoAnywhere MFT RCE outbreak. The outbreak exploited a pre-authentication command injection vulnerability in GoAnywhere MFT, a managed (secure) file transfer product from Fortra.

  • The vulnerability is tracked as CVE-2023-0669 and lies in the License Response Servlet, which deserializes an attacker-controlled object before any authentication takes place. An unauthenticated attacker who can reach that servlet may gain remote code execution on the host, then deploy further payloads, including ransomware, and exfiltrate data.

  • This malware has been associated with the following third-party articles/advisories:
    • https://nvd.nist.gov/vuln/detail/CVE-2023-0669
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0669

  • The following file hashes (MD5 and SHA-256 of the same sample on each line pair) are associated with this detection. Note that a hash only identifies the exact sample it was taken from; because this is a generic detection, repacked or recompiled variants will not share these hashes and should not be assumed absent when the hashes do not match:
    • MD5: 82d4025b84cf569ec82d21918d641540
      SHA-256: c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c
    • MD5: ee1ccb6a0e38bf95e44b73c3c46268c5
      SHA-256: 0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3
    • MD5: dbecfe9d5421d319534e0bfa5a6ac162
      SHA-256: c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
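
The hashes above are the only machine-checkable indicators on this page, so the natural use for them is a file sweep. The following is an added example, not Fortinet tooling and not part of the original entry: a Python script that hashes every regular file under a directory in one pass (MD5 and SHA-256 together) and reports any digest that appears in the indicator set. The six hash values are copied from the list above; the function names, the 1 MiB chunk size and the handling of unreadable files are assumptions made for this example.

```python
"""Sweep a directory tree for the file hashes listed in the W64/ClopMFT.BVF!tr entry.

Added example, not Fortinet's tooling. Only the six digests in IOC_HASHES come
from the encyclopedia page; everything else here is illustrative.
"""
import hashlib
import os
from typing import Iterable, List, Set, Tuple

# Indicators published for W64/ClopMFT.BVF!tr (lowercase hex): three MD5, three SHA-256.
IOC_HASHES: Set[str] = {
    "82d4025b84cf569ec82d21918d641540",
    "c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c",
    "ee1ccb6a0e38bf95e44b73c3c46268c5",
    "0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3",
    "dbecfe9d5421d319534e0bfa5a6ac162",
    "c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d",
}

_CHUNK = 1 << 20  # assumed read size: 1 MiB, so large binaries are not loaded whole into memory


def normalise_iocs(iocs: Iterable[str]) -> Set[str]:
    """Lowercase the indicators and reject anything that is not a 32- or 64-digit hex string."""
    clean: Set[str] = set()
    for raw in iocs:
        h = raw.strip().lower()
        if len(h) not in (32, 64) or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not an MD5/SHA-256 hex digest: {raw!r}")
        clean.add(h)
    return clean


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of an in-memory buffer."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of a file, both computed in a single read pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(_CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def match_hashes(name: str, digests: Tuple[str, str], iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return one (name, algorithm, digest) tuple for each digest of this file that is an IOC."""
    md5, sha256 = digests
    hits: List[Tuple[str, str, str]] = []
    if md5 in iocs:
        hits.append((name, "md5", md5))
    if sha256 in iocs:
        hits.append((name, "sha256", sha256))
    return hits


def scan_tree(root: str, iocs: Iterable[str] = IOC_HASHES) -> List[Tuple[str, str, str]]:
    """Walk `root` and return every (path, algorithm, digest) that matches an indicator.

    Symlinks are not followed and unreadable files are skipped rather than aborting
    the sweep, because a live host always has some locked or permission-denied files.
    """
    wanted = normalise_iocs(iocs)
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue  # permission denied, file removed mid-scan, etc.
            hits.extend(match_hashes(path, digests, wanted))
    return hits


if __name__ == "__main__":
    import sys

    for hit_path, algo, digest in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {algo} {digest} {hit_path}")
```

Run it as `python sweep.py /path/to/suspect/tree`; an empty result means only that none of these exact samples is present, not that the host is clean, since any rebuilt variant will have different digests. Matching files should be preserved for analysis before any quarantine or deletion.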

Outbreak Alert

Fortra (formerly known as HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet.

View the full Outbreak Alert Report

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version
2023-04-03  91.02022
2023-03-21  91.01634
2023-02-28  91.01002
2023-02-23  91.00853
2023-02-22  91.00834
2023-02-16  91.00651
2023-02-16  91.00640
2023-02-14  91.00583
2023-02-14  91.00582