Symbol: php.dewmode

DEWMODE


FireEye discovered the DEWMODE webshell starting in mid-December 2020, after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files on the victim machine. It also contains a cleanup function to remove itself and clean the Apache log.

References
2021-03-12 | Recorded Future | Insikt Group®
DEWMODE Web Shell Used on Accellion FTA Appliances
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf (accessed 2021-03-16)
Families: DEWMODE

2021-03-01 | FireEye | FireEye, Mandiant
ACCELLION, INC. File Transfer Appliance (FTA) Security Assessment
https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf (accessed 2021-03-11)
Families: DEWMODE

2021-02-24 | US-CERT | US-CERT, CISA
Malware Analysis Report (AR21-055A): Accellion FTA
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a (accessed 2021-02-25)
Families: DEWMODE

2021-02-22 | FireEye | Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html (accessed 2021-02-25)
Families: DEWMODE, Clop

There is no Yara-Signature yet.