Date: 05/26/2025
Severity: Medium
Summary
A Chinese-speaking threat group, tracked as UAT-6382, is exploiting a zero-day vulnerability (CVE-2025-0994) in Cityworks, a popular asset management system, to gain remote code execution. The attackers deploy web shells such as AntSword and Chopper on IIS servers. Following initial access, they use Rust-based loaders called TetraLoader, built with the MaLoader framework, to deliver Cobalt Strike and VSHell malware for persistent access.
Indicators of Compromise (IOC) List
URL/Domain | cdn.phototagx.com |
URL/Domain | www.roomako.com |
URL/Domain | lgaircon.xyz |
URL/Domain | https://www.roomako.com/jquery-3.3.1.min.js |
URL/Domain | https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2 |
URL/Domain | https://cdn.lgaircon.xyz/jquery-3.3.1.min.js |
URL/Domain | https://cdn.phototagx.com/ |
URL/Domain | http://192.210.239.172:3219/LVLWPH.exe |
URL/Domain | http://192.210.239.172:3219/MCUCAT.exe |
URL/Domain | http://192.210.239.172:3219/TJPLYT.exe |
URL/Domain | http://192.210.239.172:3219/z44.exe |
IP Address | 192.210.239.172 |
Hash (SHA-256) | 14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f |
Hash (SHA-256) | 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9 |
Hash (SHA-256) | 1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b |
Hash (SHA-256) | 1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901 |
Hash (SHA-256) | C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | domainname like "cdn.phototagx.com" or siteurl like "cdn.phototagx.com" or url like "cdn.phototagx.com" or domainname like "https://cdn.phototagx.com/" or siteurl like "https://cdn.phototagx.com/" or url like "https://cdn.phototagx.com/" or domainname like "lgaircon.xyz" or siteurl like "lgaircon.xyz" or url like "lgaircon.xyz" or domainname like "http://192.210.239.172:3219/MCUCAT.exe" or siteurl like "http://192.210.239.172:3219/MCUCAT.exe" or url like "http://192.210.239.172:3219/MCUCAT.exe" or domainname like "http://192.210.239.172:3219/LVLWPH.exe" or siteurl like "http://192.210.239.172:3219/LVLWPH.exe" or url like "http://192.210.239.172:3219/LVLWPH.exe" or domainname like "http://192.210.239.172:3219/z44.exe" or siteurl like "http://192.210.239.172:3219/z44.exe" or url like "http://192.210.239.172:3219/z44.exe" or domainname like "www.roomako.com" or siteurl like "www.roomako.com" or url like "www.roomako.com" or domainname like "https://www.roomako.com/jquery-3.3.1.min.js" or siteurl like "https://www.roomako.com/jquery-3.3.1.min.js" or url like "https://www.roomako.com/jquery-3.3.1.min.js" or domainname like "https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2" or siteurl like "https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2" or url like "https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2" or domainname like "https://cdn.lgaircon.xyz/jquery-3.3.1.min.js" or siteurl like "https://cdn.lgaircon.xyz/jquery-3.3.1.min.js" or url like "https://cdn.lgaircon.xyz/jquery-3.3.1.min.js" or domainname like "http://192.210.239.172:3219/TJPLYT.exe" or siteurl like "http://192.210.239.172:3219/TJPLYT.exe" or url like "http://192.210.239.172:3219/TJPLYT.exe" |
Detection Query 2 | dstipaddress IN ("192.210.239.172") or srcipaddress IN ("192.210.239.172") |
Detection Query 3 | sha256hash IN ("4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9","14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f","1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901","1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b","C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738") |
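To show how the three detection queries above translate into a check that can be run against raw telemetry, the following Python script is added here as an example; it is not Gurucul's code and not the query language of its product. It loads the advisory's domains, URLs, IP address and SHA-256 hashes and matches them against a few constructed key=value log lines. The log format, the field names (src, dst, domain, url, sha256) and all sample values other than the indicators are assumptions made for the example. Two practitioner details are built in: hashes are compared lower-cased, because the fifth hash in the advisory is listed with an uppercase leading character and an exact IN match on that string would miss a lower-cased hash from an EDR; and a subdomain of a listed domain counts as a hit, which is one reading of the `like` operator used in Detection Query 1.

```python
"""Match the advisory's network and file-hash IOCs against sample log lines.

Added example for this advisory; not Gurucul's code. The log format and the
field names (src, dst, domain, url, sha256) are assumptions for the example.
"""
import re
from urllib.parse import urlparse

# Indicators transcribed from the advisory's IOC list.
IOC_URLS = {
    "https://www.roomako.com/jquery-3.3.1.min.js",
    "https://lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2",
    "https://cdn.lgaircon.xyz/jquery-3.3.1.min.js",
    "https://cdn.phototagx.com/",
    "http://192.210.239.172:3219/LVLWPH.exe",
    "http://192.210.239.172:3219/MCUCAT.exe",
    "http://192.210.239.172:3219/TJPLYT.exe",
    "http://192.210.239.172:3219/z44.exe",
}
IOC_IPS = {"192.210.239.172"}
IOC_DOMAINS = {"cdn.phototagx.com", "www.roomako.com", "lgaircon.xyz"}
# Hosts of the listed URLs are domain indicators too (cdn.lgaircon.xyz appears only inside a URL).
IOC_DOMAINS |= {urlparse(u).hostname for u in IOC_URLS} - IOC_IPS
# Hashes are compared lower-cased: the advisory lists one hash with an uppercase leading "C".
IOC_SHA256 = {h.lower() for h in (
    "14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f",
    "4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9",
    "1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b",
    "1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901",
    "C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738",
)}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse a space-separated key=value log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def host_is_ioc(host):
    """True for an indicator domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_line(line):
    """Return (field, indicator) pairs found in one log line, in field order."""
    f = parse_kv(line)
    hits = []
    for key in ("src", "dst"):                      # firewall / flow fields
        if f.get(key) in IOC_IPS:
            hits.append((key, f[key]))
    if "url" in f:                                  # proxy field
        if f["url"] in IOC_URLS:
            hits.append(("url", f["url"]))
        host = urlparse(f["url"]).hostname or ""
        if host in IOC_IPS or host_is_ioc(host):
            hits.append(("url_host", host))
    if "domain" in f and host_is_ioc(f["domain"]):  # DNS field
        hits.append(("domain", f["domain"]))
    if "sha256" in f and f["sha256"].lower() in IOC_SHA256:  # EDR / file event field
        hits.append(("sha256", f["sha256"].lower()))
    return hits


def scan(lines):
    """Map the index of each matching line to its list of hits."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry; only the indicator values come from the advisory.
SAMPLE_LOGS = [
    "ts=2025-05-26T10:01:02Z src=10.20.0.15 dst=198.51.100.7 dport=443 domain=updates.example.com",
    "ts=2025-05-26T10:03:11Z src=10.20.0.15 dst=192.210.239.172 dport=3219 url=http://192.210.239.172:3219/z44.exe",
    "ts=2025-05-26T10:04:40Z src=10.20.0.15 dst=203.0.113.9 dport=443 domain=static.cdn.phototagx.com",
    "ts=2025-05-26T10:05:05Z host=iis-01 event=file_create sha256=C02D50D0EB3974818091B8DD91A8BBB8CDEFD94D4568A4AEA8E1DCDD8869F738",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

Run it directly to see which of the sample lines match and on which field. Exact URL matching is the most brittle of the three checks, since any change to the path on the attacker's side defeats it; the host-level and IP-level checks, and the hash check, are the ones worth keeping in a standing rule.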
Reference:
https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/