W64/ClopMFT.BVF!tr
Analysis
W64/ClopMFT.BVF!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as W64/ClopMFT.BVF!tr may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is related to the GoAnywhere MFT RCE outbreak. It involves a pre-authentication command injection vulnerability found in GoAnywhere MFT, a secure file transfer software.
- The vulnerability is also known as CVE-2023-0669. By exploiting this vulnerability, attackers may be able to gain remote code execution on the victim's system to deploy malicious payloads, including ransomware, and steal data.
- This malware has been associated with the following third-party articles/advisories:
https://nvd.nist.gov/vuln/detail/CVE-2023-0669
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0669
- MD5: 82d4025b84cf569ec82d21918d641540
  SHA256: c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c
- MD5: ee1ccb6a0e38bf95e44b73c3c46268c5
  SHA256: 0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3
- MD5: dbecfe9d5421d319534e0bfa5a6ac162
  SHA256: c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
Outbreak Alert
Fortra (formerly known as HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |