misp-circl-feed/feeds/circl/stix-2.1/81866b54-7f4b-42f0-bcc1-84b7d8578e74.json

942 lines
81 KiB
JSON
Raw Normal View History

2024-08-07 08:13:15 +00:00
{
"type": "bundle",
"id": "bundle--81866b54-7f4b-42f0-bcc1-84b7d8578e74",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:53:34.000Z",
"modified": "2024-01-31T19:53:34.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--81866b54-7f4b-42f0-bcc1-84b7d8578e74",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:53:34.000Z",
"modified": "2024-01-31T19:53:34.000Z",
"name": "OSINT - KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises",
"published": "2024-01-31T19:53:42Z",
"object_refs": [
"indicator--ad6ea915-1393-45a3-96fd-1811a8b8c8f2",
"indicator--0f532a6d-c58d-4dff-9028-cdfab0ac6a28",
"indicator--126235d8-f3f5-4ec2-a932-c95e8ac9798d",
"indicator--d2a47041-3eda-4d3f-bb6a-49a36d2afb28",
"indicator--5823f5f4-2cd3-49a3-9b9f-6c72a1c1c348",
"indicator--9f8b50f5-d0a5-41e3-9f3d-f5287375a75d",
"indicator--9afa633f-e168-4cd3-9599-e150775b160d",
"indicator--f5f3cf23-f45a-4b5d-a29d-3ad97e0cb519",
"indicator--4cec77a8-bc9a-4ae8-b6bd-fc15160f5d24",
"indicator--779bd25d-2134-4088-8251-3af9bf76e53c",
"indicator--d319c8b3-4870-45bf-b444-b72b583e9df7",
"indicator--dad9449c-29de-4aab-b298-f3c9e1d369eb",
"x-misp-object--d5aed2a3-349c-4b4b-bace-99ec4a7ce781",
"indicator--343eabeb-41ac-47e8-aaa9-e7de6dea3d97",
"x-misp-object--2f97ed0a-ca8d-42bd-a593-791296fac41a",
"indicator--dc9874f6-bfc6-4736-9118-6108af933e16",
"indicator--c71f8917-710d-4424-ac5d-3acf660331e8",
"indicator--1af4ea7c-c429-4301-bb30-9e07b1e2a0dd",
"indicator--8f8f83da-b449-4f62-8d99-0b519b3a0960",
"indicator--948fa32b-6eaf-423c-a025-5649b56cecf2",
"indicator--7cdf0234-4f0e-474e-a903-861f2d3da40d",
"indicator--ab9ca726-84ff-4100-af55-9fe90a7a2434",
"indicator--48fb75d1-d567-4360-8977-abeede3f56f7",
"indicator--9e1e286c-c8fd-4a42-9284-237030894dee",
"indicator--a6175dea-b390-4788-a69e-835940de95cf",
"indicator--01e9ed60-f0f6-4168-bd22-aa1ceec6a479",
"indicator--2140ab53-ee01-4cfe-9174-b35ae7e43d8f",
"indicator--4764a31d-89d0-438c-b399-cb7981041950",
"indicator--e57b9ba2-bc61-48cf-b2d3-eff17548c4a0",
"indicator--983924f8-2fd3-400a-8af0-e6eb88c9c47c",
"indicator--46364464-737e-4d07-86ce-651524453c47",
"indicator--4cc0f927-92e5-41b0-86b2-54644406aa6d",
"indicator--35de57af-16b4-4d68-bd64-77c60384c996",
"indicator--36a21306-6be1-4007-81fe-8f6754eeea8f",
"note--7b9a9467-7bd1-4364-a4c2-c6c50edbf0f3"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ad6ea915-1393-45a3-96fd-1811a8b8c8f2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = '47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0f532a6d-c58d-4dff-9028-cdfab0ac6a28",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = '816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--126235d8-f3f5-4ec2-a932-c95e8ac9798d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = 'c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d2a47041-3eda-4d3f-bb6a-49a36d2afb28",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = 'c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5823f5f4-2cd3-49a3-9b9f-6c72a1c1c348",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = 'd14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9f8b50f5-d0a5-41e3-9f3d-f5287375a75d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = '6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9afa633f-e168-4cd3-9599-e150775b160d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = 'a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f5f3cf23-f45a-4b5d-a29d-3ad97e0cb519",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = 'ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4cec77a8-bc9a-4ae8-b6bd-fc15160f5d24",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = '76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--779bd25d-2134-4088-8251-3af9bf76e53c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = 'e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d319c8b3-4870-45bf-b444-b72b583e9df7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = '73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dad9449c-29de-4aab-b298-f3c9e1d369eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:38:22.000Z",
"modified": "2024-01-30T15:38:22.000Z",
"description": "Linux Rust downloader",
"pattern": "[file:hashes.SHA256 = '030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:38:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d5aed2a3-349c-4b4b-bace-99ec4a7ce781",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:39:52.000Z",
"modified": "2024-01-30T15:39:52.000Z",
"labels": [
"misp:name=\"script\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "attachment",
"object_relation": "script-as-attachment",
"value": "krusty_extractor.py",
"category": "External analysis",
"uuid": "f751818e-0c5f-44be-8633-b8ec180cb970",
"data": "IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwojCiMga3J1c3R5X2V4dHJhY3Rvci5weQojIENvcHlyaWdodCAoQykgMjAyNCAtIFN5bmFja3RpdiwgVGjDqW8gTGV0YWlsbGV1cgojIGNvbnRhY3RAc3luYWNrdGl2LmNvbQojCiMgVGhpcyBwcm9ncmFtIGlzIGZyZWUgc29mdHdhcmU6IHlvdSBjYW4gcmVkaXN0cmlidXRlIGl0IGFuZC9vciBtb2RpZnkKIyBpdCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBBZmZlcm8gR2VuZXJhbCBQdWJsaWMgTGljZW5zZSBhcyBwdWJsaXNoZWQgYnkKIyB0aGUgRnJlZSBTb2Z0d2FyZSBGb3VuZGF0aW9uLCBlaXRoZXIgdmVyc2lvbiAzIG9mIHRoZSBMaWNlbnNlLCBvcgojIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNpb24uCiMKIyBUaGlzIHByb2dyYW0gaXMgZGlzdHJpYnV0ZWQgaW4gdGhlIGhvcGUgdGhhdCBpdCB3aWxsIGJlIHVzZWZ1bCwKIyBidXQgV0lUSE9VVCBBTlkgV0FSUkFOVFk7IHdpdGhvdXQgZXZlbiB0aGUgaW1wbGllZCB3YXJyYW50eSBvZgojIE1FUkNIQU5UQUJJTElUWSBvciBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRS4gIFNlZSB0aGUKIyBHTlUgQWZmZXJvIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgZm9yIG1vcmUgZGV0YWlscy4KIwojIFlvdSBzaG91bGQgaGF2ZSByZWNlaXZlZCBhIGNvcHkgb2YgdGhlIEdOVSBBZmZlcm8gR2VuZXJhbCBQdWJsaWMgTGljZW5zZQojIGFsb25nIHdpdGggdGhpcyBwcm9ncmFtLiAgSWYgbm90LCBzZWUgPGh0dHA6Ly93d3cuZ251Lm9yZy9saWNlbnNlcy8+LgoKCmZyb20gQ3J5cHRvLkNpcGhlciBpbXBvcnQgQUVTCmZyb20gQ3J5cHRvLkhhc2ggaW1wb3J0IFNIQTI1Ngpmcm9tIGJpbmFzY2lpIGltcG9ydCB1bmhleGxpZnkKaW1wb3J0IHN5cwoKCmRlZiB4b3IoYSxiKToKICAgIHJldHVybiBieXRlcyhbeF5iIGZvciB4IGluIGFdKQoKaWYgbGVuKHN5cy5hcmd2KSA8IDI6CiAgICBwcmludCgidXNhZ2U6IHB5dGhvbiBjcnVzdHlfZGVjcnlwdG8ucHkgLi9lbGYiKQogICAgZXhpdCgpCgpFTEYgPSBzeXMuYXJndlsxXQoKd2l0aCBvcGVuKEVMRiwgInJiIikgYXMgRUxGaDoKICAgIGRhdGEgPSBFTEZoLnJlYWQoKQoKaCA9IFNIQTI1Ni5uZXcoKQpoLnVwZGF0ZShkYXRhKQoKcHJpbnQoZiJTYW1wbGUgU0hBMjU2c3VtOiB7aC5oZXhkaWdlc3QoKX0iKQoKZW5kID0gZGF0YS5maW5kKGIifHx8fHx8fHx8fHx8fHx8fHwiKQpzdGFydCA9IGVuZCAtIDB4MTAwCnN0YXJ0ID0gc3RhcnQgKyBkYXRhW3N0YXJ0OmVuZF0uZmluZChiIi90bXAvIikgKyA1CkVOQ1JZUFRFRCA9ICB1bmhleGxpZnkoZGF0YVtzdGFydDplbmRdKQoKIyA0MCA4MCBmNSBYWCA9PSB4b3IgYnBsLCBYWApiZWZvcmVfeG9ya2V5ID0gZGF0YS5maW5kKGJ5dGVzLmZyb21oZXgoIkZGRkY0MDgwRjUiKSkKWE9SS0VZID0gZGF0YVtiZWZvcmVfeG9ya2V5K2xlbihieXRlcy5mcm9taGV4KCJGRkZGNDA4MEY1IikpXQpwcmludChmIlhPUiBLRVk6IHtoZXgoWE9SS0VZKX0iKQplbmNyeXB0ZWRfc3RhZ2UyID0geG9yKEVOQ1JZUFRFRCwgWE9SS0VZKQoKc3RhcnQgPSBzdGFydCAtIGxlbigiL3RtcC8iKSAtIDMyCkFFU0tFWSA9IGRhdGFbc3RhcnQ6c3RhcnQrMTZdCgpzdGFydCArPSAxNgpBRVNJViA9IGRhdGFbc3RhcnQ6c3RhcnQrMTZdCgpTRUdNRU5UX1NJWkUgPSAxMjgKCnByaW50KGYiQUVTLTEyOCBDRkIgS0VZOiB7QUVTS0VZLmhleCgpfSIpCnByaW50KGYiQUVTLTEyOCBDRkIgSVY6IHtBRVNJVi5oZXgoKX0iKQpjaXBoZXIgPSBBRVMubmV3KEFFU0tFWSwgQUVTLk1PREVfQ0ZCLCBpdj1BRVNJViwgc2VnbWVudF9zaXplPVNFR01FTlRfU0laRSkKZGVjcnlwdGVkID0gY2lwaGVyLmRlY3J5cHQoZW5jcnlwdGVkX3N0YWdlMikKcHJpbnQoZiJEZWNyeXB0ZWQgU3RhZ2UgSG9zdGVyIFVSTDoge2RlY3J5cHRlZC5kZWNvZGUoJ3V0Zi04Jyl9IikK"
},
{
"type": "text",
"object_relation": "language",
"value": "Python",
"category": "Other",
"uuid": "37360b05-e581-4c8f-9bd0-9e9fc8138eda"
},
{
"type": "text",
"object_relation": "comment",
"value": "https://github.com/synacktiv/krustyloader-analysis/blob/main/krusty_extractor.py",
"category": "Other",
"uuid": "b217f1d1-95cf-4414-8a55-194b4e96d8f2"
},
{
"type": "text",
"object_relation": "state",
"value": "Trusted",
"category": "Other",
"uuid": "0f38e30e-5a0a-4f37-911d-c16b585541cd"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "script"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--343eabeb-41ac-47e8-aaa9-e7de6dea3d97",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:40:50.000Z",
"modified": "2024-01-30T15:40:50.000Z",
"description": "Yara rule that detects Linux KrustyLoader",
"pattern": "// KrustyLoader.yar\r\n// Copyright (C) 2024 - Synacktiv, Th\u00e9o Letailleur\r\n// contact@synacktiv.com\r\n//\r\n// This program is free software: you can redistribute it and/or modify\r\n// it under the terms of the GNU Affero General Public License as published by\r\n// the Free Software Foundation, either version 3 of the License, or\r\n// (at your option) any later version.\r\n//\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU Affero General Public License for more details.\r\n//\r\n// You should have received a copy of the GNU Affero General Public License\r\n// along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n\r\nrule Linux_Downloader_KrustyLoader\r\n{\r\n meta:\r\n author = \\\\\"Theo Letailleur, Synacktiv\\\\\"\r\n source = \\\\\"Synacktiv\\\\\"\r\n status = \\\\\"RELEASED\\\\\"\r\n sharing = \\\\\"TLP:WHITE\\\\\"\r\n category = \\\\\"MALWARE\\\\\"\r\n malware = \\\\\"KrustyLoader\\\\\"\r\n description = \\\\\"Yara rule that detects Linux KrustyLoader\\\\\"\r\n\r\n strings:\r\n $tokio_worker = \\\\\"TOKIO_WORKER_THREADS\\\\\"\r\n $tmpdir = \\\\\"/tmp/\\\\\"\r\n\r\n // Load \\\\\"/proc/self/exe\\\\\" string\r\n $proc_self_exe = {\r\n 48 B? 73 65 6C 66 2F 65 78 65 // mov r64, 6578652F666C6573h\r\n 48 8D B4 24 ?? ?? 00 00 // lea rsi, [rsp+????h]\r\n 48 89 46 0? // mov [rsi+6], r64\r\n 48 B? 2F 70 72 6F 63 2F 73 65 // mov r64, 65732F636F72702Fh\r\n 48 89 0? // mov [rsi], r64\r\n }\r\n\r\n $pipe_suffix = \\\\\"|||||||||||||||||||||||||||\\\\\"\r\n\r\n // AES key expansion\r\n $aeskeygenassist = {\r\n 660F3ADF0601 // aeskeygenassist xmm0, xmmword ptr [rsi], 1\r\n 660F7F07 // movdqa xmmword ptr [rdi], xmm0\r\n C3 // retn\r\n }\r\n\r\n // AES InvMixColumns\r\n $aesinvmixcol = {\r\n 660F38DB06 // aesimc xmm0, xmmword ptr [rsi]\r\n 660F7F07 // movdqa xmmword ptr [rdi], xmm0\r\n C3 // retn\r\n }\r\n\r\n condition:\r\n uint32(0) == 0x464C457F and\r\n (\r\n all of them\r\n )\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:40:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--2f97ed0a-ca8d-42bd-a593-791296fac41a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:41:59.000Z",
"modified": "2024-01-30T15:41:59.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises",
"category": "External analysis",
"uuid": "9041edfd-8412-44f3-9f5a-481ad8c459af"
},
{
"type": "text",
"object_relation": "summary",
"value": "On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads that I labelled as KrustyLoader.",
"category": "Other",
"uuid": "4c97b4af-78e0-4ba6-ac00-9ad305a0e8c7"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dc9874f6-bfc6-4736-9118-6108af933e16",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:43:08.000Z",
"modified": "2024-01-30T15:43:08.000Z",
"description": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = 'deff93081ccb3fda7a12f6e9e3ad15ad' AND file:hashes.SHA1 = '40b88819594091111c93bd9578b82dedd0823362' AND file:hashes.SHA256 = '030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKDnPAzRDLZUaWX:aR4xzgHVmAIHhnDnIR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't147154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:43:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c71f8917-710d-4424-ac5d-3acf660331e8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:43:30.000Z",
"modified": "2024-01-30T15:43:30.000Z",
"description": "73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = '322778ac48bb0e0da65c0288b76b1133' AND file:hashes.SHA1 = '1bc9a9190b86d42f5c74735da669e76a5c7ff6fe' AND file:hashes.SHA256 = '73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKDjPAzRDLZUaWX:aR4xzgHVmAIHhnDjIR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't172154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:43:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1af4ea7c-c429-4301-bb30-9e07b1e2a0dd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:43:42.000Z",
"modified": "2024-01-30T15:43:42.000Z",
"description": "e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = 'cbf6325a11ba974278f2b9038a4b99d7' AND file:hashes.SHA1 = '8c7fdcd3a192a37bdbb8e6877a9b8e14c07dd8d5' AND file:hashes.SHA256 = 'e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKDRPAzRDLZUaWX:aR4xzgHVmAIHhnDRIR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't1ba154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:43:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8f8f83da-b449-4f62-8d99-0b519b3a0960",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:43:58.000Z",
"modified": "2024-01-30T15:43:58.000Z",
"description": "d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = '5c4cfb6ac2cd3213bace688f0fa2f14e' AND file:hashes.SHA1 = '913b0c9dc8b30d53ea73911c5683c2dc04c14e3b' AND file:hashes.SHA256 = 'd14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKDWPAzRDLZUaWX:aR4xzgHVmAIHhnDWIR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't1d8154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:43:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--948fa32b-6eaf-423c-a025-5649b56cecf2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:44:08.000Z",
"modified": "2024-01-30T15:44:08.000Z",
"description": "6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = '4a626140da1009f199afde2581d28d0b' AND file:hashes.SHA1 = 'ba56f6e5b9e7b0137cc237d338471c99480fee96' AND file:hashes.SHA256 = '6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKDkPAzRDLZUaWX:aR4xzgHVmAIHhnDkIR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't116154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:44:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7cdf0234-4f0e-474e-a903-861f2d3da40d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:44:25.000Z",
"modified": "2024-01-30T15:44:25.000Z",
"description": "a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = 'd71d37de5bae9a33ce2aa4908178b209' AND file:hashes.SHA1 = 'a19bdf4f7ccc68470c172e67ffe4a1bdef5d7bc4' AND file:hashes.SHA256 = 'a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKD6PAzRDLZUaWX:aR4xzgHVmAIHhnD6IR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't1c3154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:44:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ab9ca726-84ff-4100-af55-9fe90a7a2434",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:45:13.000Z",
"modified": "2024-01-30T15:45:13.000Z",
"description": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815: Enriched via the virustotal module",
"pattern": "[url:value = 'http://blaze-uk.s3.amazonaws.com/WymRvUz1HeRw3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:45:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--48fb75d1-d567-4360-8977-abeede3f56f7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:45:13.000Z",
"modified": "2024-01-30T15:45:13.000Z",
"description": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = 'fc67817ea351dd6f0f0dcdb32a524c54' AND file:hashes.SHA1 = 'f62d0f71441979785b44c8d062fcf7371fa5eb34' AND file:hashes.SHA256 = 'ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKDlPAzRDLZUaWX:aR4xzgHVmAIHhnDlIR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't1b5154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:45:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9e1e286c-c8fd-4a42-9284-237030894dee",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:45:30.000Z",
"modified": "2024-01-30T15:45:30.000Z",
"description": "76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = 'c17113b1361002aff47459eb0d5bfd3b' AND file:hashes.SHA1 = '61ec1f157f92cd7110b8324689d40e289ea1dc1a' AND file:hashes.SHA256 = '76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKD1PAzRDLZUaWX:aR4xzgHVmAIHhnD1IR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't1b2154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:45:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a6175dea-b390-4788-a69e-835940de95cf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:46:01.000Z",
"modified": "2024-01-30T15:46:01.000Z",
"description": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0: Enriched via the virustotal module",
"pattern": "[url:value = 'http://book4timepublic.s3.amazonaws.com/gEsD2heW4crIT']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:46:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--01e9ed60-f0f6-4168-bd22-aa1ceec6a479",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:46:21.000Z",
"modified": "2024-01-30T15:46:21.000Z",
"description": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17: Enriched via the virustotal module",
"pattern": "[url:value = 'http://blooming.s3.amazonaws.com/Ea7fbW98CyM5O']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:46:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2140ab53-ee01-4cfe-9174-b35ae7e43d8f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:46:21.000Z",
"modified": "2024-01-30T15:46:21.000Z",
"description": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = '63b0574cbe77d6231513f32e0d042484' AND file:hashes.SHA1 = '55c2197c88cd3cef23b5f9062c6bdbb6f4b28094' AND file:hashes.SHA256 = '816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17' AND file:hashes.SSDEEP = '24576:aR4f424TMgHBwOmA8vzHhyKDHPAzRDLZUaWX:aR4xzgHVmAIHhnDHIR+aWX' AND file:hashes.VHASH = '1cbe32fb065a3318a29a9156aa4e9083' AND file:x_misp_tlsh = 't1f4154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-30T15:46:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4764a31d-89d0-438c-b399-cb7981041950",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:34:42.000Z",
"modified": "2024-01-31T19:34:42.000Z",
"description": "CHAINLINE web shell",
"pattern": "[file:hashes.MD5 = '3045f5b3d355a9ab26ab6f44cc831a83' AND file:name = 'health.py']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:34:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e57b9ba2-bc61-48cf-b2d3-eff17548c4a0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:38:21.000Z",
"modified": "2024-01-31T19:38:21.000Z",
"description": "WARPWIRE credential harvester variant",
"pattern": "[file:hashes.MD5 = '8eb042da6ba683ef1bae460af103cc44' AND file:name = 'lastauthserverused.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:38:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--983924f8-2fd3-400a-8af0-e6eb88c9c47c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:38:56.000Z",
"modified": "2024-01-31T19:38:56.000Z",
"description": "WARPWIRE credential harvester variant",
"pattern": "[file:hashes.MD5 = 'a739bd4c2b9f3679f43579711448786f' AND file:name = 'lastauthserverused.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:38:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--46364464-737e-4d07-86ce-651524453c47",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:39:29.000Z",
"modified": "2024-01-31T19:39:29.000Z",
"description": "WARPWIRE credential harvester variant",
"pattern": "[file:hashes.MD5 = 'a81813f70151a022ea1065b7f4d6b5ab' AND file:name = 'lastauthserverused.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:39:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4cc0f927-92e5-41b0-86b2-54644406aa6d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:39:58.000Z",
"modified": "2024-01-31T19:39:58.000Z",
"description": "WARPWIRE credential harvester",
"pattern": "[file:hashes.MD5 = 'd0c7a334a4d9dcd3c6335ae13bee59ea' AND file:name = 'lastauthserverused.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:39:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--35de57af-16b4-4d68-bd64-77c60384c996",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:40:40.000Z",
"modified": "2024-01-31T19:40:40.000Z",
"description": "WARPWIRE credential harvester variant",
"pattern": "[file:hashes.MD5 = 'e8489983d73ed30a4240a14b1f161254' AND file:name = 'lastauthserverused.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:40:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--36a21306-6be1-4007-81fe-8f6754eeea8f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:41:13.000Z",
"modified": "2024-01-31T19:41:13.000Z",
"description": "FRAMESTING web shell",
"pattern": "[file:hashes.MD5 = '465600cece80861497e8c1c86a07a23e' AND file:name = 'category.py']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:41:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--7b9a9467-7bd1-4364-a4c2-c6c50edbf0f3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-30T15:37:35.000Z",
"modified": "2024-01-30T15:37:35.000Z",
"abstract": "Report from - https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises (1706629030)",
"content": "# KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises\r\n\r\n Written by Th\u00c3\u00a9o Letailleur - 29/01/2024 - in CSIRT - Download On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads that I labelled as KrustyLoader.\r\n\r\n ## Introduction\r\n\r\n On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-468051 allowing unauthenticated remote code execution. Volexity2 and Mandiant3 published several articles showing how these vulnerabilities were actively exploited by a threat actor, tracked by Volexity as UTA0178 and by Mandiant as UNC5221.\r\n\r\n On 18th January, Volexity published new indicators of compromise4 including Rust payloads downloaded on compromised Ivanti Connect Secure appliances. Then on 21st and 24th of January, I published two posts on X5\u00c2 6 summarizing the behaviour of those 12 Rust payloads. They share almost 100% code similarity and their main purpose is to download and execute a Sliver backdoor. I personally labelled this piece of malware as *KrustyLoader*.\r\n\r\n Therefore, the purpose of this article is to provide more insights on this malware, reversing tips, as well as a script that automatically extracts the encrypted URL from any similar sample.\r\n\r\n ## Basic information\r\n\r\n KrustyLoader basic information SHA256 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04\r\n\r\n 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17\r\n\r\n c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28\r\n\r\n c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026\r\n\r\n d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0\r\n\r\n 6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01\r\n\r\n a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960\r\n\r\n ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815\r\n\r\n 76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f\r\n\r\n e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2\r\n\r\n 73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6\r\n\r\n 030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0\r\n\r\n File type ELF 64-bit LSB pie executable x86\\_64 stripped, static-pie linked File size 878824 bytes Threat Linux Rust downloader \u00c2 \r\n\r\n Screenshots and extracts on this article are based on sample *030eb56e1[...]84228b0* (the highlighted hash above), but \u00e2\u0080\u0093 as they are similar \u00e2\u0080\u0093 the logic is the same for the other payloads.\r\n\r\n ## Code analysis approach\r\n\r\n *You will not find a deep analysis into assembly code with tons of IDA screenshots, because it does not bring much value in this context. However, I find more interesting to explain what is my approach to quickly spot the useful parts of the code and get a general idea of its behaviour.*\r\n\r\n Usually we would start from the entry point and determine the flow of execution, symbols, and API functions. However, there are several difficulties to consider when reversing a Rust-based executable:\r\n\r\n \r\n * The executable is statically linked, meaning that libraries are embedded into the executable, including Rust crates and the libc: it adds lots of functions that are not important to spend time during malware analysis.\r\n * Since Rust is a high-level programming language, its abstractions tend to bring a \u00e2\u0080\u009cnatural\u00e2\u0080\u009d obfuscation to the program cod
"object_refs": [
"report--81866b54-7f4b-42f0-bcc1-84b7d8578e74"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}