A "persistent attacker group" with alleged ties to Hezbollah has retooled its malware arsenal with a new version of a remote access Trojan (RAT) to break into companies worldwide and extract valuable information.
Using the three flaws in the servers (CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152) as an attack vector to gain an initial foothold, the attackers then injected a web shell and a JSP file browser, both of which were used to move laterally across the network, fetch additional malware, and download the Explosive RAT, which comes with capabilities to record keystrokes, capture screenshots, and execute arbitrary commands.