Friday, May 3, 2024
HomeMalwaresMalware Analysis of Jaguar Tooth
Malwares

Malware Analysis of Jaguar Tooth

By Robin
0
307

National Cyber Security Centre (NCSC) published a malware analysis report (MAR) on Jaguar Tooth in April 2023. These MARs are intended to help the network defenders and organizations to build a thorough understanding of the indicators to foster threat hunting and threat modeling.

This is a part of series of 15 articles describing fifteen malwares.

A PDF version of the report is also availabls on NCSC’s website .

The Jaguar Tooth Malware

The Jaguar Tooth Malware is a Cisco IOS malware that collects device information and enables backdoor access. The malware installed on infected routers modifies the router’s authentication mechanism to accept any password for any local user, allowing unauthenticated backdoor access. It can collect device and network information by issuing IOS CLI commands.

Executive summary

  • Jaguar Tooth is non-persistent malware that targets Cisco IOS routers.
  • Collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP).
  • Enables unauthenticated backdoor access.
  • It is deployed and executed via exploitation of the patched Simple Network Management Protocol (SNMP) vulnerability CVE-2017-6742.

Jaguar Tooth is composed of a number of payloads and patches.

It enables unauthenticated backdoor access by patching Cisco IOS authentication routines. This grants access to existing local accounts without checking the provided password, when connecting via Telnet or physical session. Further details are discussed in the ‘Functionality (Unauthenticated backdoor)’ section of this report.

The malware also creates a new process, called Service Policy Lock, that automatically collects information and exfiltrates it over TFTP. This includes device information such as the running configuration, firmware version, directory listing of flash memory, and network information including the Address Resolution Protocol (ARP) and routing tables, interfaces and other connected routers.

Further details are discussed in the ‘Functionality (Device information exfiltration)’ section of the attached report.

To be the first one to read security news, subscribe to our LinkedIn page and to our news updates.

Previous articleLastPass Data Breach
Next article7 Chrome Settings you need to Customise now
Robinhttps://cybermetrics.eu
RELATED ARTICLES

Most Popular

Load more

Recent Comments

722 Ransomware Attacks Occurred in last 3 months, and its rising - Cybermetrics on Ukrainian couple arrested for spreading Ransomwares
722 Ransomware Attacks Occurred in last 3 months, and its rising - Cybermetrics on Cuban Ransomware hacks Microsoft Exchange Servers
Santhosh Gunasekaran on Microsoft suspends new sales in Russia: other firms join hands with Microsoft
Hackers exploiting Log4Shell in VMware Horizon - Cybermetrics on Special Report – Apache Log4j Vulnerability (CVE-2021-44228)
CSIA Publishes Free Cybersecurity Services And Tools - Cybermetrics on Zero Trust Architecture by NIST

© cybermetrics, 2022