CERT-FR report extended - sandworm intrusion set campaign targeting Centreon systems
AI Analysis
Technical Summary
The CERT-FR report details an ongoing cyber espionage campaign attributed to the Sandworm intrusion set, a threat actor group known for sophisticated and persistent attacks. This campaign specifically targets Centreon systems, which are widely used IT infrastructure monitoring solutions. The attackers exploit public-facing Centreon applications (MITRE ATT&CK T1190) to gain initial access, leveraging vulnerabilities or misconfigurations in these web-facing components. Once inside, the adversaries deploy server software components (T1505) and create or modify system processes (T1543) to establish persistence. They also schedule tasks or jobs (T1053) to maintain footholds and execute malicious payloads. The attackers use command and scripting interpreters (T1059) to execute arbitrary commands and abuse elevation control mechanisms (T1548) to escalate privileges. They perform file and directory discovery (T1083) to map the environment and deobfuscate or decode files (T1140) to analyze or prepare payloads. Communications with command and control (C2) servers are conducted over encrypted channels (T1573) using application layer protocols (T1071), enabling stealthy data exfiltration (T1041). The campaign is highly targeted, with a focus on French organizations, reflecting the strategic interest of the Sandworm group in this region. No patches are currently available for the exploited vulnerabilities, and no known exploits are publicly documented, indicating a potentially zero-day or custom exploit scenario. The campaign's sophistication and persistence suggest a high level of attacker capability and intent to maintain long-term access for espionage or sabotage purposes.
Potential Impact
European organizations, particularly those in France, face significant risks from this campaign. Compromise of Centreon monitoring systems can lead to widespread visibility into critical IT infrastructure, enabling attackers to manipulate monitoring data, disable alerts, or gain deeper network access. This undermines operational integrity and can delay detection of further intrusions. The ability to execute arbitrary commands and escalate privileges threatens confidentiality and integrity of sensitive data and systems. Encrypted exfiltration channels complicate detection and response efforts. Given Centreon's role in monitoring industrial control systems and IT environments, successful attacks could disrupt essential services, impacting sectors such as energy, manufacturing, and government. The campaign's persistence and stealth increase the likelihood of prolonged undetected presence, amplifying potential damage and complicating remediation efforts.
Mitigation Recommendations
Organizations should implement a multi-layered defense strategy tailored to Centreon environments. Immediate steps include:
1) Conducting thorough security assessments of Centreon deployments, focusing on public-facing interfaces to identify and remediate vulnerabilities or misconfigurations.
2) Applying network segmentation to isolate Centreon servers from critical infrastructure and limit lateral movement.
3) Enhancing monitoring for anomalous scheduled tasks, process creations, and command execution patterns indicative of attacker activity.
4) Deploying endpoint detection and response (EDR) solutions capable of detecting abuse of elevation mechanisms and suspicious scripting activity.
5) Enforcing strict access controls and multi-factor authentication for administrative interfaces.
6) Utilizing network traffic analysis tools to detect encrypted C2 communications and unusual data exfiltration patterns.
7) Establishing incident response plans specific to Centreon compromise scenarios, including forensic readiness.
8) Engaging with the Centreon vendor and security communities for updates and threat intelligence sharing.
Given the absence of patches, proactive detection and containment are critical to mitigating risk.
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Belgium, Netherlands
Indicators of Compromise
- comment: Backdoors related to Sandworm
- snort:
  alert tcp any any -> any any ( sid:2000210015; msg:"P.A.S. webshell - passwd BruteForce form parameters"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"br=&brp%5B%5D="; http_client_body; fast_pattern; \
    pcre:"/br=&brp%5B%5D=[hfmysp]&h%5B[hfmysp]%5D=.{1,64}&p%5B[hfmysp]%5D=[0-9]{1,5}/"; http_client_body;)
- snort:
  alert tcp any any -> any any ( sid:2000210001; msg:"P.A.S. webshell - Explorer - download file"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fdw=%2F"; http_client_body; offset:0)
  alert tcp any any -> any any ( sid:2000210002; msg:"P.A.S. webshell - Explorer - copy file"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fcf=%2F"; http_client_body; offset:0)
  alert tcp any any -> any any ( sid:2000210003; msg:"P.A.S. webshell - Explorer - move file"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fm=%2F"; http_client_body; offset:0)
  alert tcp any any -> any any ( sid:2000210004; msg:"P.A.S. webshell - Explorer - del file"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fd=%2F"; http_client_body; offset:0)
  alert tcp any any -> any any ( sid:2000210005; msg:"P.A.S. webshell - Explorer - multi file download"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fc%5B%5D=%2F"; http_client_body; offset:0; \
    content:"&fdwa=Download"; http_client_body; )
  alert tcp any any -> any any ( sid:2000210006; msg:"P.A.S. webshell - Explorer - multi file copy"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fc%5B%5D=%2F"; http_client_body; offset:0; \
    content:"&fca=Copy"; http_client_body;)
  alert tcp any any -> any any ( sid:2000210007; msg:"P.A.S. webshell - Explorer - multi file move"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fc%5B%5D=%2F"; http_client_body; offset:0; \
    content:"&fma=Move"; http_client_body; )
  alert tcp any any -> any any ( sid:2000210008; msg:"P.A.S. webshell - Explorer - multi file delete"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fc%5B%5D=%2F"; http_client_body; offset:0; \
    content:"&fda=Delete"; http_client_body; )
  alert tcp any any -> any any ( sid:2000210009; msg:"P.A.S. webshell - Explorer - paste"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fbp=Paste"; http_client_body; offset:0; )
- snort:
  alert tcp any any -> any any ( sid:2000210000; msg:"P.A.S. webshell - Response Footer"; \
    flow:to_client,established; content:"200"; http_stat_code; \
    file_data; content:"<fieldset class=\"footer\"><table width=\"100%\" border=\"0\"><tr><td>P.A.S. v";)
- snort:
  alert tcp any any -> any any ( sid:2000210012; msg:"P.A.S. webshell - Network Tools - Bind Port"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"pb="; offset:0; http_client_body; \
    pcre:"/pb=[0-9]{1,5}&nt=bp/"; )
  alert tcp any any -> any any ( sid:2000210013; msg:"P.A.S. webshell - Network Tools - Back-connect"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"hbc="; offset:0; http_client_body; \
    pcre:"/hbc=[a-z0-9.-]{4,63}&pbc=[0-9]{1,5}&nt=bc/"; )
  alert tcp any any -> any any ( sid:2000210014; msg:"P.A.S. webshell - Network Tools - Port scanner"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"hs="; offset:0; http_client_body; \
    pcre:"/hs=[a-z0-9.-]{4,63}&pf=[0-9]{1,5}&pl=[0-9]{1,5}&sc=[0-9]{1,5}&nt=ps/"; )
- snort:
  alert tcp any any -> any any ( sid:2000211001; msg:"P.A.S. webshell - Password cookie"; \
    flow:established; content:"g__g_="; http_cookie; offset:0; )
  alert tcp any any -> any any ( sid:2000211002; msg:"P.A.S. webshell - Password form var"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"g__g_="; http_cookie; http_client_body; offset:0; )
- snort:
  alert tcp any any -> any any ( sid:2000210016; msg:"P.A.S. webshell - Bind shell session"; \
    content:"Hello from P.A.S. Bind Port"; )
  alert tcp any any -> any any ( sid:2000210017; msg:"P.A.S. webshell - Reverse shell session"; \
    content:"Hello from P.A.S. BackConnect"; )
- snort:
  alert tcp any any -> any any ( sid:2000210010; msg:"P.A.S. webshell - Searcher form parameters"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"fe=&fsr="; offset:0; fast_pattern; \
    pcre:"/fe=&fsr=[0-2]&fst=[0-2]&fsn=(\*|[A-Za-z0-9 *._%-]+)&fsp=[A-Za-z0-9 *._%-]+&fs=%3E&fss=.*/";)
- snort:
  alert tcp any any -> any any ( sid:2000210011; msg:"P.A.S. webshell - SQL-client connect parameters"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"sc%5Btp%5D="; offset:0; http_client_body; fast_pattern; \
    pcre:"/sc%5Btp%5D=(mysql|mssql|pg)&sc%5Bha%5D=/"; http_client_body;)
- target-org: Centreon
- file: centreon_module_linux_app64
- hash: e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146
- hash: a739f44390037b3d0a3942cd43d161a7c45fd7e7
- hash: 92ef0aaf5f622b1253e5763f11a08857
- file: search.php
- hash: 893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc
- hash: c69db1b120d21bd603f13006d87e817fed016667
- hash: 84837778682450cdca43d1397afd2310
- file: DB-Drop.php
- hash: 928d8dde63b0255feffc3d03db30aa76f7ed8913238321cc101083c2c5056ffa
- hash: b7afb8c91f8f9df4f18764c25251576a0f8bef6f
- hash: a89251cd4c15909a8e15256ead40584e
- file: /bin/backup
- hash: ebe98d5e1ab6966ec1e292fafbd5ef21c2b15bd7c7bb871d8e756971b8b6877a
- hash: 5a58e46e5b8f468445f848f8eca741eddebcef3e
- hash: 9885fcdda12167b2f598b2d22de07d5b
- text: all
- yara:
  /* configuration file */
  rule exaramel_configuration_key {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Encryption key for the configuration file in sample e1ff72[...]"
      TLP = "White"
    strings:
      $ = "odhyrfjcnfkdtslt"
    condition:
      all of them
  }
  rule exaramel_configuration_name_encrypted {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Name of the configuration file in sample e1ff72[...]"
      TLP = "White"
    strings:
      $ = "configtx.json"
    condition:
      all of them
  }
  rule exaramel_configuration_file_plaintext {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Content of the configuration file (plaintext)"
      TLP = "White"
    strings:
      $ = /{"Hosts":\[".{10,512}"\],"Proxy":".{0,512}","Version":".{1,32}","Guid":"/
    condition:
      all of them
  }
  rule exaramel_configuration_file_ciphertext {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Content of the configuration file (encrypted with key odhyrfjcnfkdtslt, sample e1ff72[...]"
      TLP = "White"
    strings:
      $ = {6F B6 08 E9 A3 0C 8D 5E DD BE D4} // encrypted with key odhyrfjcnfkdtslt
    condition:
      all of them
  }
  /* persistence */
  private rule exaramel_persistence_file_systemd {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Beginning of the file /etc/systemd/system/syslogd.service created for persistence with systemd"
      TLP = "White"
    strings:
      $ = /\[Unit\]\nDescription=Syslog daemon\n\n\[Service\]\nWorkingDirectory=.{1,512}\nExecStartPre=\/bin\/rm \-f \/tmp\/\.applocktx\n/
    condition:
      all of them
  }
  private rule exaramel_persistence_file_upstart {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Part of the file /etc/init/syslogd.conf created for persistence with upstart"
      TLP = "White"
    strings:
      $ = /start on runlevel \[2345\]\nstop on runlevel \[06\]\n\nrespawn\n\nscript\nrm \-f \/tmp\/\.applocktx\nchdir/
    condition:
      all of them
  }
  private rule exaramel_persistence_file_systemv {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Part of the file /etc/init.d/syslogd created for persistence with upstart"
      TLP = "White"
    strings:
      $ = "# Short-Description: Syslog service for monitoring \n### END INIT INFO\n\nrm -f /tmp/.applocktx && cd "
    condition:
      all of them
  }
  rule exaramel_persistence_file {
    meta:
      author = "FR/ANSSI/SDO"
      description = "File created for persistence. Depends on the environment"
      TLP = "White"
    condition:
      exaramel_persistence_file_systemd or exaramel_persistence_file_upstart or exaramel_persistence_file_systemv
  }
  /* misc */
  rule exaramel_socket_path {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Path of the unix socket created to prevent concurrent executions"
      TLP = "White"
    strings:
      $ = "/tmp/.applocktx"
    condition:
      all of them
  }
  rule exaramel_task_names {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Name of the tasks received by the CC"
      TLP = "White"
    strings:
      $ = "App.Delete"
      $ = "App.SetServer"
      $ = "App.SetProxy"
      $ = "App.SetTimeout"
      $ = "App.Update"
      $ = "IO.ReadFile"
      $ = "IO.WriteFile"
      $ = "OS.ShellExecute"
    condition:
      all of them
  }
  rule exaramel_struct {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Beginning of type _type struct for some of the most important structs"
      TLP = "White"
    strings:
      $struct_le_config = {70 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 47 2d 28 42 0? [2] 19}
      $struct_le_worker = {30 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 46 6a 13 e2 0? [2] 19}
      $struct_le_client = {20 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 7b 6a 49 84 0? [2] 19}
      $struct_le_report = {30 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 bf 35 0d f9 0? [2] 19}
      $struct_le_task = {50 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 88 60 a1 c5 0? [2] 19}
    condition:
      any of them
  }
  private rule exaramel_strings_url {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Misc strings coming from URL parts"
      TLP = "White"
    strings:
      $url1 = "/tasks.get/"
      $url2 = "/time.get/"
      $url3 = "/time.set"
      $url4 = "/tasks.report"
      $url5 = "/attachment.get/"
      $url6 = "/auth/app"
    condition:
      5 of ($url*)
  }
  private rule exaramel_strings_typo {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Misc strings with typo"
      TLP = "White"
    strings:
      $typo1 = "/sbin/init | awk "
      $typo2 = "Syslog service for monitoring \n"
      $typo3 = "Error.Can't update app! Not enough update archive."
      $typo4 = ":\"metod\""
    condition:
      3 of ($typo*)
  }
  private rule exaramel_strings_persistence {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Misc strings describing persistence methods"
      TLP = "White"
    strings:
      $ = "systemd"
      $ = "upstart"
      $ = "systemV"
      $ = "freebsd rc"
    condition:
      all of them
  }
  private rule exaramel_strings_report {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Misc strings coming from report file name"
      TLP = "White"
    strings:
      $ = "systemdupdate.rep"
      $ = "upstartupdate.rep"
      $ = "remove.rep"
    condition:
      all of them
  }
  rule exaramel_strings {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Misc strings including URLs, typos, supported startup systems and report file names"
      TLP = "White"
    condition:
      exaramel_strings_typo or (exaramel_strings_url and exaramel_strings_persistence) or (exaramel_strings_persistence and exaramel_strings_report) or (exaramel_strings_url and exaramel_strings_report)
  }
- text: all
- yara:
  rule PAS_webshell {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Detects P.A.S. PHP webshell - Based on DHS/FBI JAR-16-2029 (Grizzly Steppe)"
      TLP = "White"
    strings:
      $php = "<?php"
      $base64decode = /='base'\.\(\d+(\*|\/)\d+\)\.'_de'\.'code'/
      $strreplace = "(str_replace("
      $md5 = ".substr(md5(strrev($" nocase
      $gzinflate = "gzinflate"
      $cookie = "_COOKIE"
      $isset = "isset"
    condition:
      (filesize > 20KB and filesize < 200KB) and #cookie == 2 and #isset == 3 and all of them
  }
- text: all
- yara:
  rule PAS_webshell_PerlNetworkScript {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Detects PERL scripts created by P.A.S. webshell to supports network functionnalities"
      TLP = "White"
    strings:
      $pl_start = "#!/usr/bin/perl\n$SIG{'CHLD'}='IGNORE'; use IO::Socket; use FileHandle;"
      $pl_status = "$o=\" [OK]\";$e=\" Error: \""
      $pl_socket = "socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print \"$l$e$!$l"
      $msg1 = "print \"$l OK! I\\'m successful connected.$l\""
      $msg2 = "print \"$l OK! I\\'m accept connection.$l\""
    condition:
      filesize < 6000 and ($pl_start at 0 and all of ($pl*)) or any of ($msg*)
  }
- text: all
- yara:
  rule PAS_webshell_SQLDumpFile {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Detects SQL dump file created by P.A.S. webshell"
      TLP = "White"
    strings:
      $ = "-- [ SQL Dump created by P.A.S. ] --"
    condition:
      all of them
  }
- text: all
- yara:
  rule PAS_webshell_ZIPArchiveFile {
    meta:
      author = "FR/ANSSI/SDO"
      description = "Detects an archive file created by P.A.S. for download operation"
      TLP = "White"
    strings:
      $ = /Archive created by P\.A\.S\. v.{1,30}\nHost: : .{1,200}\nDate : [0-9]{1,2}-[0-9]{1,2}-[0-9]{4}/
    condition:
      all of them
  }
- link: https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-002/
- link: https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-004/
- text: The following indicators, SNORT rules and YARA rules are from ANSSI's analysis of an intrusion campaign targeting the monitoring software Centreon, attributed to the intrusion set Sandworm, which resulted in the breach of several French entities. This intrusion campaign is described in the following report: CERTFR-2021-CTI-005. These technical elements are provided to help detect malicious activities in logs, on systems and inside live network traffic. A detection with these elements cannot be considered proof of intrusion and should be investigated to confirm. Some elements detect tools shared between several attackers, so their detection is not sufficient to link an intrusion to this campaign. ANSSI is interested in every incident discovered and linked to this campaign.
- file: CERTFR-2021-CTI-004.pdf
- text: CERTFR-2021-CTI-004
Technical Details
- Uuid: eb4ee171-8930-4c15-8917-9af8775417fb
- Original Timestamp: 1613463604
}
rule PAS_webshell {
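The three persistence rules and the socket-path rule above translate directly into a host or disk-image check. The following is an added example, not code from CERT-FR or from the report: it re-implements the systemd and upstart regexes and the SystemV marker string in Python, looks at the three file paths the rule descriptions name, and reports the /tmp/.applocktx lock socket if present. The sample unit files are constructed from the patterns on this page (they are not real Exaramel artifacts), and the working directory /usr/local/bin in them is a placeholder.

```python
import re
from pathlib import Path
from typing import Dict, Optional

# Paths named in the CERT-FR persistence rules and the lock-socket rule.
EXARAMEL_PERSISTENCE_PATHS = {
    "systemd": "/etc/systemd/system/syslogd.service",
    "upstart": "/etc/init/syslogd.conf",
    "systemv": "/etc/init.d/syslogd",
}
LOCK_SOCKET = "/tmp/.applocktx"

# The systemd and upstart patterns are the regexes from the rules, carried over
# from YARA to Python re (same escapes; '.' does not match newline in either).
PATTERNS = {
    "systemd": re.compile(
        r"\[Unit\]\nDescription=Syslog daemon\n\n\[Service\]\nWorkingDirectory=.{1,512}\n"
        r"ExecStartPre=/bin/rm -f /tmp/\.applocktx\n"
    ),
    "upstart": re.compile(
        r"start on runlevel \[2345\]\nstop on runlevel \[06\]\n\nrespawn\n\nscript\n"
        r"rm -f /tmp/\.applocktx\nchdir"
    ),
}
# The SystemV rule is a plain string; note the trailing space after "monitoring".
SYSTEMV_MARKER = (
    "# Short-Description: Syslog service for monitoring \n### END INIT INFO\n\n"
    "rm -f /tmp/.applocktx && cd "
)


def classify_persistence_file(content: str) -> Optional[str]:
    """Return 'systemd', 'upstart' or 'systemv' when content matches the
    corresponding CERT-FR rule, else None."""
    for init_system, pattern in PATTERNS.items():
        if pattern.search(content):
            return init_system
    if SYSTEMV_MARKER in content:
        return "systemv"
    return None


def scan_host(root: str = "/") -> Dict[str, str]:
    """Check the three expected persistence paths below root (pass a mount
    point of a disk image instead of '/' for offline triage) and report the
    lock socket when it exists."""
    findings: Dict[str, str] = {}
    base = Path(root)
    for init_system, abs_path in EXARAMEL_PERSISTENCE_PATHS.items():
        candidate = base / abs_path.lstrip("/")
        if candidate.is_file():
            verdict = classify_persistence_file(candidate.read_text(errors="replace"))
            if verdict:
                findings[str(candidate)] = verdict
    lock = base / LOCK_SOCKET.lstrip("/")
    if lock.exists():
        findings[str(lock)] = "lock socket present"
    return findings


# Constructed samples (not real Exaramel files): the minimum content that
# satisfies each rule, plus a benign rsyslog unit as a negative control.
# /usr/local/bin is a placeholder working directory.
SAMPLE_SYSTEMD = (
    "[Unit]\nDescription=Syslog daemon\n\n[Service]\nWorkingDirectory=/usr/local/bin\n"
    "ExecStartPre=/bin/rm -f /tmp/.applocktx\nExecStart=/usr/local/bin/syslogd\n"
)
SAMPLE_UPSTART = (
    "start on runlevel [2345]\nstop on runlevel [06]\n\nrespawn\n\nscript\n"
    "rm -f /tmp/.applocktx\nchdir /usr/local/bin\nexec ./syslogd\nend script\n"
)
SAMPLE_SYSTEMV = (
    "#!/bin/sh\n### BEGIN INIT INFO\n# Provides: syslogd\n"
    "# Short-Description: Syslog service for monitoring \n### END INIT INFO\n\n"
    "rm -f /tmp/.applocktx && cd /usr/local/bin && ./syslogd &\n"
)
SAMPLE_BENIGN = "[Unit]\nDescription=System Logging Service\n\n[Service]\nExecStart=/usr/sbin/rsyslogd -n\n"

if __name__ == "__main__":
    for label, sample in [("systemd", SAMPLE_SYSTEMD), ("upstart", SAMPLE_UPSTART),
                          ("systemv", SAMPLE_SYSTEMV), ("benign", SAMPLE_BENIGN)]:
        print(label, "->", classify_persistence_file(sample))
    print(scan_host())
```

The regexes are deliberately strict about the blank lines and the exact ExecStartPre / rm line, so a hand-edited or reformatted unit file will not fire; when hunting, treat any syslogd-named service file under these paths that is not your distribution's own as worth reading by hand even if the classifier returns None.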
meta:
author = "FR/ANSSI/SDO"
description = "Detects P.A.S. PHP webshell - Based on DHS/FBI JAR-16-2029 (Grizzly Steppe)"
TLP = "White"
strings:
$php = "<?php"
$base64decode = /='base'\.\(\d+(\*|\/)\d+\)\.'_de'\.'code'/
$strreplace = "(str_replace("
$md5 = ".substr(md5(strrev($" nocase
$gzinflate = "gzinflate"
$cookie = "_COOKIE"
$isset = "isset"
condition:
(filesize > 20KB and filesize < 200KB) and
#cookie == 2 and
#isset == 3 and
all of them
}
rule PAS_webshell_PerlNetworkScript {
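The PAS_webshell condition combines a size window, seven required strings and two exact occurrence counts (`#cookie == 2`, `#isset == 3`), and the count operators are often misread as minimums. The following is an added example, not CERT-FR code: it evaluates the same condition in Python over a constructed PHP skeleton (not a real P.A.S. sample) that carries each indicator, and shows that one extra `isset` or a file below 20KB defeats the match. The skeleton's variable names and the 21KB comment padding are assumptions made for the example.

```python
import re

KB = 1024  # YARA's KB multiplier


def pas_webshell_matches(data: bytes) -> bool:
    """Python equivalent of the PAS_webshell condition above: size window,
    all strings present, exactly two '_COOKIE' and exactly three 'isset'."""
    if not (20 * KB < len(data) < 200 * KB):
        return False
    string_hits = (
        b"<?php" in data,
        re.search(rb"='base'\.\(\d+(\*|/)\d+\)\.'_de'\.'code'", data) is not None,
        b"(str_replace(" in data,
        re.search(rb"\.substr\(md5\(strrev\(\$", data, re.IGNORECASE) is not None,  # nocase
        b"gzinflate" in data,
    )
    # '#cookie == 2' and '#isset == 3' are exact counts, not lower bounds; a
    # non-zero count also satisfies 'all of them' for those two strings.
    return all(string_hits) and data.count(b"_COOKIE") == 2 and data.count(b"isset") == 3


def build_sample(extra_isset: int = 0) -> bytes:
    """Constructed skeleton (not a real P.A.S. sample): arithmetic-obfuscated
    base64_decode, cookie-derived key through md5(strrev()), gzinflate of a
    str_replace()'d payload. The comment pads it into the 20KB..200KB window."""
    body = (
        "<?php\n"
        "$x='';\n"
        "$f='base'.(32*2).'_de'.'code';\n"
        "if(isset($_COOKIE['p'])&&isset($_POST['p'])){\n"
        "  $k=$_COOKIE['p'];\n"
        "  $s=$k.substr(md5(strrev($k)),0,3);\n"
        "  $d=gzinflate($f(str_replace(' ','',$x)));\n"
        "  if(isset($d)){eval($d);}\n"
        + "  if(isset($s)){}\n" * extra_isset
        + "}\n"
    )
    padding = "/*" + "A" * 21 * KB + "*/\n"
    return (body + padding).encode()


if __name__ == "__main__":
    print("skeleton:", pas_webshell_matches(build_sample()))           # True
    print("one more isset:", pas_webshell_matches(build_sample(1)))    # False
    print("below 20KB:", pas_webshell_matches(build_sample()[:5000]))  # False
```

Because the counts are exact, a P.A.S. variant whose author added a single `isset()` will slip past this rule; the PerlNetworkScript, SQLDumpFile and ZIPArchiveFile rules that follow catch artifacts the webshell leaves behind and are worth running alongside it.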
meta:
author = "FR/ANSSI/SDO"
description = "Detects Perl scripts created by P.A.S. webshell to support network functionalities"
TLP = "White"
strings:
$pl_start = "#!/usr/bin/perl\n$SIG{'CHLD'}='IGNORE'; use IO::Socket; use FileHandle;"
$pl_status = "$o=\" [OK]\";$e=\" Error: \""
$pl_socket = "socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print \"$l$e$!$l"
$msg1 = "print \"$l OK! I\\'m successful connected.$l\""
$msg2 = "print \"$l OK! I\\'m accept connection.$l\""
condition:
filesize < 6000 and
($pl_start at 0 and all of ($pl*)) or
any of ($msg*)
}
rule PAS_webshell_SQLDumpFile {
meta:
author = "FR/ANSSI/SDO"
description = "Detects SQL dump file created by P.A.S. webshell"
TLP = "White"
strings:
$ = "-- [ SQL Dump created by P.A.S. ] --"
condition:
all of them
}
rule PAS_webshell_ZIPArchiveFile {
meta:
author = "FR/ANSSI/SDO"
description = "Detects an archive file created by P.A.S. for download operation"
TLP = "White"
strings:
$ = /Archive created by P\.A\.S\. v.{1,30}\nHost: : .{1,200}\nDate : [0-9]{1,2}-[0-9]{1,2}-[0-9]{4}/
condition:
all of them
}
Links
CERT-FR IOC report CERTFR-2021-IOC-002: https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-002/
CERT-FR CTI report CERTFR-2021-CTI-004: https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-004/
Threat ID: 68359ca35d5f0974d01fd5cf
Added to database: 5/27/2025, 11:06:11 AM
Last enriched: 7/5/2025, 10:56:06 PM
Last updated: 8/12/2025, 4:06:11 PM