Between February and May 2025, the intrusion set known as Mimo exploited CVE-2025-32432, a critical unauthenticated RCE in Craft CMS, to deploy a multi-stage infection chain observed via honeypots. The attack began by injecting a PHP webshell through a crafted GET request, fol...
# Incident Report: Mimo Campaign Exploiting Craft CMS RCE
## Executive Summary
Between February and May 2025, the threat actor Mimo exploited an unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2025-32432) in Craft CMS; the activity was observed via honeypots. The resulting multi-stage infection chain deployed a PHP webshell, followed by cryptocurrency mining software (XMRig) and residential proxyware (IPRoyal) to monetize the victim's resources.
## Incident Details
- Discovery Date: Between February and May 2025 (Observed via honeypots)
- Incident Date: February – May 2025
- Affected Organization: Organizations using exploitable versions of Craft CMS (Specific targets undisclosed)
- Sector: Not explicitly stated (likely any organization running vulnerable public-facing Craft CMS instances)
- Geography: Not explicitly stated (Attribution suggests operator may reside in Turkey)
## Timeline of Events
### Initial Access
- Date/Time: Beginning February 2025
- Vector: Exploitation of CVE-2025-32432 (Critical Unauthenticated RCE in Craft CMS).
- Details: The attack began with a crafted **GET request** used to inject a PHP webshell. A subsequent **POST request** exploited a deserialization flaw to execute arbitrary commands, activating the webshell.
### Lateral Movement
- Details: The webshell downloaded a remote shell script (`4l4md4r.sh`) that deployed a Go-based loader, which in turn fetched and executed secondary payloads on the compromised host.
### Data Exfiltration/Impact
- Details: The primary impact was resource hijacking through the deployment of **XMRig** (cryptomining) and **IPRoyal** (residential proxyware) to monetize victim CPU time and bandwidth.
### Detection & Response
- Date/Time: Finalized May 2025 (Observed via honeypots).
- Details: Detection occurred through observation of Mimo's activity on honeypot infrastructure. Response actions were not detailed in the source material, but internal analysis and attribution were performed.
## Attack Methodology
- Initial Access: Vulnerability Exploitation (CVE-2025-32432 in Craft CMS) via crafted GET/POST HTTP requests.
- Persistence: Likely established via the deployed Go-based loader and potentially the webshell. LD_PRELOAD hijacking via `alamdar.so` was used to conceal the malware's processes and files.
- Privilege Escalation: Not explicitly detailed, but RCE implies execution with the privileges of the web application service.
- Defense Evasion: Used **LD_PRELOAD hijacking** to hide malware processes and files. Implemented **process-killing routines** to remove competitive cryptominers.
- Credential Access: Not reported.
- Discovery: Not reported.
- Lateral Movement: Not explicitly detailed beyond initial payload deployment stage.
- Collection: Targeting system resources (CPU/Bandwidth) via mining and proxy software.
- Exfiltration: N/A (Monetization focused on resource usage rather than traditional data theft).
- Impact: Resource hijacking (Cryptomining and Proxy deployment).
## Impact Assessment
- Financial: Victim organizations incurred costs related to resource utilization (CPU cycles) and potential bandwidth abuse via proxy services.
- Data Breach: No direct data breach reported; impact was focused on operational resource compromise.
- Operational: Compromise of web servers leading to CPU contention and unauthorized network usage.
- Reputational: Potential reputational damage due to hosting malicious proxy services or being associated with cryptomining activities.
## Indicators of Compromise
- Network Indicators: N/A (no specific IPs or URLs provided).
- File Indicators: `4l4md4r.sh` (Shell script), `alamdar.so` (Malicious shared object).
- Behavioral Indicators: Arbitrary command execution via Craft CMS deserialization flaw; process hiding via LD_PRELOAD; targeting and termination of other cryptomining processes.
## Response Actions
- Containment Measures: Not detailed, but would involve patching CVE-2025-32432 immediately and isolating compromised hosts.
- Eradication Steps: Removal of the webshell, `4l4md4r.sh`, the Go loader, XMRig, IPRoyal, and the malicious shared object (`alamdar.so`).
- Recovery Actions: Rebuilding affected systems from known good backups and ensuring all Craft CMS instances are patched.
## Lessons Learned
- Unpatched critical public-facing vulnerabilities (1-day exploits) pose an immediate and severe risk of resource hijacking if not addressed rapidly.
- Defense evasion techniques, such as LD_PRELOAD hijacking, demonstrate a sophisticated approach to maintaining persistence and hiding secondary payloads.
## Recommendations
- Immediately patch all instances of Craft CMS against CVE-2025-32432.
- Implement strict egress filtering to monitor and block unauthorized outbound connections associated with known cryptomining pools or proxy communication channels.
- Enhance endpoint detection capabilities to specifically look for suspicious library loading (LD_PRELOAD manipulation) and the presence of known cryptomining binaries (XMRig).
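The following is an added host-triage example, not code from the original report, illustrating the last recommendation and the behavioral indicators above: it inspects `/etc/ld.so.preload`, each process's `LD_PRELOAD` variable and argv[0] for the report's `alamdar.so`, `4l4md4r.sh` and XMRig, plus a generic world-writable-directory heuristic. Inputs are passed in explicitly so it runs offline against constructed samples or against a live Linux host via `collect_live_host()`; the sample paths and pids are constructed.

```python
import os
import re

# Names from the report; everything else flagged below is a generic heuristic.
KNOWN_FILES = re.compile(r"(alamdar\.so|4l4md4r\.sh|xmrig)", re.IGNORECASE)
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumption: binaries/libs here are suspect

def check_preload_file(contents):
    """/etc/ld.so.preload is normally absent or empty; every entry merits review."""
    return [f"ld.so.preload entry: {line.strip()}"
            for line in contents.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def check_process(pid, environ, cmdline):
    """environ/cmdline are the raw NUL-separated bytes of /proc/<pid>/environ|cmdline."""
    findings = []
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            findings.append(f"pid {pid}: LD_PRELOAD={entry[11:].decode(errors='replace')}")
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
    if KNOWN_FILES.search(argv0) or any(d in argv0 for d in SUSPECT_DIRS):
        findings.append(f"pid {pid}: suspicious argv[0] {argv0}")
    return findings

def scan(preload_contents, procs):
    """procs maps pid -> (environ bytes, cmdline bytes); returns all findings in order."""
    findings = check_preload_file(preload_contents)
    for pid, (environ, cmdline) in sorted(procs.items()):
        findings.extend(check_process(pid, environ, cmdline))
    return findings

def collect_live_host():
    """Gather the same artifacts from a live Linux host (root needed to read every pid)."""
    try:
        preload = open("/etc/ld.so.preload").read()
    except OSError:
        preload = ""
    procs = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/environ", "rb") as e, open(f"/proc/{name}/cmdline", "rb") as c:
                procs[int(name)] = (e.read(), c.read())
        except OSError:
            continue  # process exited or is not readable by this user
    return preload, procs

# Constructed sample: a clean sshd and a process injected with the report's alamdar.so.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/alamdar.so\n"
SAMPLE_PROCS = {101: (b"PATH=/usr/bin\0", b"/usr/sbin/sshd\0-D\0"),
                202: (b"LD_PRELOAD=/usr/lib/alamdar.so\0HOME=/\0", b"/tmp/xmrig\0-o\0pool.invalid\0")}
```

On a real host, `scan(*collect_live_host())` returns the findings list; a preloaded library hiding processes from `ps` does not hide the `/proc/<pid>/environ` entries read here unless it also hooks the directory listing, so compare against the `ps` output as well.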