From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day

Malware  | Indicator                            | Type
---------|--------------------------------------|------------
GRIMBOLT | wss://149.248.11.71/rest/apisession  | C2 Endpoint
GRIMBOLT | 149.248.11.71                        | C2 IP
YARA Rules

G_APT_BackdoorToehold_GRIMBOLT_1

rule G_APT_BackdoorToehold_GRIMBOLT_1 {
  meta:
    author = "Google Threat Intelligence Group (GTIG)"
  strings:
    $s1 = { 40 00 00 00 41 18 00 00 00 4B 21 20 C2 2C 08 23 02 }
    $s2 = { B3 C3 BB 41 0D ?? ?? ?? 00 81 02 0C ?? ?? ?? 00 }
    $s3 = { 39 08 01 49 30 A0 52 30 00 00 00 DB 40 09 00 02 00 80 65 BC 98 }
    $s4 = { 2F 00 72 00 6F 00 75 00 74 00 65 79 23 E8 03 0E 00 00 00 2F 00 70 00 72 00 6F 00 63 00 2F 00 73 00 65 00 6C 00 66 00 2F 00 65 00 78 00 65 }
  condition:
    (uint32(0) == 0x464c457f) //linux
    and all of ($s*)
}

G_Hunting_BackdoorToehold_GRIMBOLT_1

rule G_Hunting_BackdoorToehold_GRIMBOLT_1 {
  meta:
    author = "Google Threat Intelligence Group (GTIG)"
  strings:
    $s1 = "[!] Error : Plexor is nul" ascii wide
    $s2 = "port must within 0~6553" ascii wide
    $s3 = "[*] Disposing.." ascii wide
    $s4 = "[!] Connection error. Kill Pty" ascii wide
    $s5 = "[!] Unkown message type" ascii wide
    $s6 = "[!] Bad dat" ascii wide
  condition:
    (
      (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or
      uint32(0) == 0x464c457f or
      uint32(0) == 0xfeedface or
      uint32(0) == 0xcefaedfe or
      uint32(0) == 0xfeedfacf or
      uint32(0) == 0xcffaedfe or
      uint32(0) == 0xcafebabe or
      uint32(0) == 0xbebafeca or
      uint32(0) == 0xcafebabf or
      uint32(0) == 0xbfbafeca
    ) and any of them
}

G_APT_BackdoorWebshell_SLAYSTYLE_4

rule G_APT_BackdoorWebshell_SLAYSTYLE_4 {
  meta:
    author = "Google Threat Intelligence Group (GTIG)"
  strings:
    $str1 = "<%@page import=\"java.io" ascii wide
    $str2 = "Base64.getDecoder().decode(c.substring(1)" ascii wide
    $str3 = "{\"/bin/sh\",\"-c\"" ascii wide
    $str4 = "Runtime.getRuntime().exec(" ascii wide
    $str5 = "ByteArrayOutputStream();" ascii wide
    $str6 = ".printStackTrace(" ascii wide
  condition:
    $str1 at 0 and all of them
}

Google Security Operations (SecOps)

Google Security Operations (SecOps) customers have access to these broad category rules and more under the “Mandiant Frontline Threats” and “Mandiant Hunting Rules” rule packs. The activity discussed in the blog post is detected in Google SecOps under the following rule names:

  • Web Archive File Write To Tomcat Directory

  • Remote Application Deployment via Tomcat Manager

  • Suspicious File Write To Tomcat Cache Directory

  • Kbox Distribution Script Modification

  • Multiple DNS-over-HTTPS Services Queried

  • Unknown Endpoint Generating DNS-over-HTTPS and Web Application Development Services Communication

  • Unknown Endpoint Generating Google DNS-over-HTTPS and Cloudflare Hosted IP Communication

  • Unknown Endpoint Generating Google DNS-over-HTTPS and Amazon Hosted IP Communication

Acknowledgements

We appreciate Dell for their collaboration against this threat. This analysis would not have been possible without the assistance from across Google Threat Intelligence Group, Mandiant Consulting and FLARE. We would like to specifically thank Jakub Jozwiak and Allan Sepillo from GTIG Research and Discovery (RAD).



Published: 2026-02-17T14:00:00