Tuesday, November 19, 2024

Malware Analysis of Jaguar Tooth

The National Cyber Security Centre (NCSC) published a malware analysis report (MAR) on Jaguar Tooth in April 2023. These MARs are intended to help network defenders and organizations build a thorough understanding of the indicators, so that they can support threat hunting and threat modeling.

This article is part of a series of 15, one for each of the fifteen malware families covered.

A PDF version of the report is also available on NCSC’s website.

The Jaguar Tooth Malware

The Jaguar Tooth Malware is a Cisco IOS malware that collects device information and enables backdoor access. The malware installed on infected routers modifies the router’s authentication mechanism to accept any password for any local user, allowing unauthenticated backdoor access. It can collect device and network information by issuing IOS CLI commands.

Executive summary

  • Jaguar Tooth is non-persistent malware that targets Cisco IOS routers.
  • Collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP).
  • Enables unauthenticated backdoor access.
  • It is deployed and executed via exploitation of the patched Simple Network Management Protocol (SNMP) vulnerability CVE-2017-6742.

Jaguar Tooth is composed of a number of payloads and patches.

It enables unauthenticated backdoor access by patching Cisco IOS authentication routines. This grants access to existing local accounts without checking the provided password, when connecting via Telnet or physical session. Further details are discussed in the ‘Functionality (Unauthenticated backdoor)’ section of this report.

The malware also creates a new process, called Service Policy Lock, that automatically collects information and exfiltrates it over TFTP. This includes device information such as the running configuration, firmware version, directory listing of flash memory, and network information including the Address Resolution Protocol (ARP) and routing tables, interfaces and other connected routers.

Further details are discussed in the ‘Functionality (Device information exfiltration)’ section of the NCSC report.
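The two behaviours summarised above (a collector process named Service Policy Lock, and exfiltration over TFTP following deployment over SNMP) give a defender something concrete to hunt for. The script below is an added example written for this article; it is not code from the NCSC report or from the malware. It parses a constructed excerpt of Cisco IOS `show processes` output for the process name the MAR reports, and runs constructed NetFlow-style records against a small, hypothetical site inventory (`ROUTER_ADDRESSES`, `TRUSTED_TFTP_SERVERS`, `SNMP_MANAGERS` are assumed values, not anything from the report) to flag TFTP egress from a router to an unexpected host and SNMP reaching a router from an unknown manager.

```python
import csv
import io
from dataclasses import dataclass

# --- Signal 1: the collector process name reported in the NCSC MAR ---------
SUSPICIOUS_PROCESS_NAMES = {"Service Policy Lock"}

# Constructed excerpt of Cisco IOS `show processes` output. PIDs, counters and
# addresses are invented; only the trailing process-name column is checked.
SAMPLE_SHOW_PROCESSES = """\
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 Cwe 0x60B1C2A4          0          1       0 5332/6000   0 Chunk Manager
   2 Csp 0x60E7F0D8          4       1203       3 2660/3000   0 Load Meter
  47 Mwe 0x60A21F00        120        890     134 8712/9000   0 Service Policy Lock
  48 Mwe 0x60A3B1C8         16         45     355 5260/6000   0 IP Input
"""


def parse_process_names(show_processes: str) -> list[str]:
    """Extract the process-name column from `show processes` output."""
    names = []
    for line in show_processes.splitlines():
        if not line.strip() or line.lstrip().startswith("PID"):
            continue  # blank line or the column header
        # Eight fixed-width columns precede the name, which may contain spaces.
        fields = line.split(None, 8)
        if len(fields) == 9:
            names.append(fields[8].strip())
    return names


def find_suspicious_processes(show_processes: str) -> list[str]:
    """Process names that match the MAR's reported collector process."""
    return [n for n in parse_process_names(show_processes)
            if n in SUSPICIOUS_PROCESS_NAMES]


# --- Signal 2: TFTP egress / SNMP ingress the site baseline does not explain --
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow records, shaped like a CSV export from a NetFlow/IPFIX collector.
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.0.0.1,10.0.0.50,udp,69
10.0.0.1,203.0.113.7,udp,69
198.51.100.9,10.0.0.1,udp,161
10.0.0.20,10.0.0.1,udp,161
"""

# Hypothetical site inventory; replace with your own asset data.
ROUTER_ADDRESSES = {"10.0.0.1"}
TRUSTED_TFTP_SERVERS = {"10.0.0.50"}
SNMP_MANAGERS = {"10.0.0.20"}

TFTP_PORT = 69
SNMP_PORT = 161


def parse_flows(csv_text: str) -> list[Flow]:
    """Load flow records from CSV text into Flow objects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Flow(r["src"], r["dst"], r["proto"].lower(), int(r["dport"]))
            for r in reader]


def find_suspicious_flows(flows, routers, trusted_tftp, snmp_managers):
    """Return (reason, flow) pairs for traffic matching the MAR's behaviours."""
    findings = []
    for f in flows:
        if f.proto != "udp":
            continue
        # Device information is exfiltrated over TFTP: a router sending to
        # anything other than the known TFTP servers deserves a look.
        if f.dport == TFTP_PORT and f.src in routers and f.dst not in trusted_tftp:
            findings.append(("tftp_egress_untrusted", f))
        # Deployment is via SNMP (CVE-2017-6742): SNMP reaching a router from
        # an address that is not a known manager is unexpected.
        elif f.dport == SNMP_PORT and f.dst in routers and f.src not in snmp_managers:
            findings.append(("snmp_from_unknown_manager", f))
    return findings


if __name__ == "__main__":
    for name in find_suspicious_processes(SAMPLE_SHOW_PROCESSES):
        print(f"[process] suspicious process name: {name!r}")
    for reason, flow in find_suspicious_flows(parse_flows(SAMPLE_FLOWS),
                                              ROUTER_ADDRESSES,
                                              TRUSTED_TFTP_SERVERS,
                                              SNMP_MANAGERS):
        print(f"[flow] {reason}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

A process-name match is a weak signal on its own (a later variant could simply use a different name), so treat a hit as a prompt to pull the full indicator set from the NCSC report and examine the device, not as a verdict. The flow checks depend entirely on how accurate the router, TFTP-server and SNMP-manager inventories are; on a real network those sets should come from asset management rather than being typed in by hand. Because the backdoor accepts any password for existing local accounts over Telnet or a physical session, successful logins in AAA or syslog records that line up with these flow findings are the next thing to correlate.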

