{ "Event": { "analysis": "0", "date": "2024-01-30", "extends_uuid": "", "info": "OSINT - KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises", "publish_timestamp": "1706730822", "published": true, "threat_level_id": "1", "timestamp": "1706730814", "uuid": "81866b54-7f4b-42f0-bcc1-84b7d8578e74", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "ad6ea915-1393-45a3-96fd-1811a8b8c8f2", "value": "47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "0f532a6d-c58d-4dff-9028-cdfab0ac6a28", "value": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "126235d8-f3f5-4ec2-a932-c95e8ac9798d", "value": "c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28" }, { "category": "Payload delivery", 
"comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "d2a47041-3eda-4d3f-bb6a-49a36d2afb28", "value": "c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "5823f5f4-2cd3-49a3-9b9f-6c72a1c1c348", "value": "d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "9f8b50f5-d0a5-41e3-9f3d-f5287375a75d", "value": "6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "9afa633f-e168-4cd3-9599-e150775b160d", "value": "a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "f5f3cf23-f45a-4b5d-a29d-3ad97e0cb519", "value": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "4cec77a8-bc9a-4ae8-b6bd-fc15160f5d24", "value": "76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": 
"779bd25d-2134-4088-8251-3af9bf76e53c", "value": "e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "d319c8b3-4870-45bf-b444-b72b583e9df7", "value": "73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6" }, { "category": "Payload delivery", "comment": "Linux Rust downloader", "deleted": false, "disable_correlation": false, "timestamp": "1706629102", "to_ids": true, "type": "sha256", "uuid": "dad9449c-29de-4aab-b298-f3c9e1d369eb", "value": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0" } ], "Object": [ { "comment": "", "deleted": false, "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "name": "script", "template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", "template_version": "7", "timestamp": "1706629192", "uuid": "d5aed2a3-349c-4b4b-bace-99ec4a7ce781", "Attribute": [ { "category": "External analysis", "comment": "", "data": 
"IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwojCiMga3J1c3R5X2V4dHJhY3Rvci5weQojIENvcHlyaWdodCAoQykgMjAyNCAtIFN5bmFja3RpdiwgVGjDqW8gTGV0YWlsbGV1cgojIGNvbnRhY3RAc3luYWNrdGl2LmNvbQojCiMgVGhpcyBwcm9ncmFtIGlzIGZyZWUgc29mdHdhcmU6IHlvdSBjYW4gcmVkaXN0cmlidXRlIGl0IGFuZC9vciBtb2RpZnkKIyBpdCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBBZmZlcm8gR2VuZXJhbCBQdWJsaWMgTGljZW5zZSBhcyBwdWJsaXNoZWQgYnkKIyB0aGUgRnJlZSBTb2Z0d2FyZSBGb3VuZGF0aW9uLCBlaXRoZXIgdmVyc2lvbiAzIG9mIHRoZSBMaWNlbnNlLCBvcgojIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNpb24uCiMKIyBUaGlzIHByb2dyYW0gaXMgZGlzdHJpYnV0ZWQgaW4gdGhlIGhvcGUgdGhhdCBpdCB3aWxsIGJlIHVzZWZ1bCwKIyBidXQgV0lUSE9VVCBBTlkgV0FSUkFOVFk7IHdpdGhvdXQgZXZlbiB0aGUgaW1wbGllZCB3YXJyYW50eSBvZgojIE1FUkNIQU5UQUJJTElUWSBvciBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRS4gIFNlZSB0aGUKIyBHTlUgQWZmZXJvIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgZm9yIG1vcmUgZGV0YWlscy4KIwojIFlvdSBzaG91bGQgaGF2ZSByZWNlaXZlZCBhIGNvcHkgb2YgdGhlIEdOVSBBZmZlcm8gR2VuZXJhbCBQdWJsaWMgTGljZW5zZQojIGFsb25nIHdpdGggdGhpcyBwcm9ncmFtLiAgSWYgbm90LCBzZWUgPGh0dHA6Ly93d3cuZ251Lm9yZy9saWNlbnNlcy8+LgoKCmZyb20gQ3J5cHRvLkNpcGhlciBpbXBvcnQgQUVTCmZyb20gQ3J5cHRvLkhhc2ggaW1wb3J0IFNIQTI1Ngpmcm9tIGJpbmFzY2lpIGltcG9ydCB1bmhleGxpZnkKaW1wb3J0IHN5cwoKCmRlZiB4b3IoYSxiKToKICAgIHJldHVybiBieXRlcyhbeF5iIGZvciB4IGluIGFdKQoKaWYgbGVuKHN5cy5hcmd2KSA8IDI6CiAgICBwcmludCgidXNhZ2U6IHB5dGhvbiBjcnVzdHlfZGVjcnlwdG8ucHkgLi9lbGYiKQogICAgZXhpdCgpCgpFTEYgPSBzeXMuYXJndlsxXQoKd2l0aCBvcGVuKEVMRiwgInJiIikgYXMgRUxGaDoKICAgIGRhdGEgPSBFTEZoLnJlYWQoKQoKaCA9IFNIQTI1Ni5uZXcoKQpoLnVwZGF0ZShkYXRhKQoKcHJpbnQoZiJTYW1wbGUgU0hBMjU2c3VtOiB7aC5oZXhkaWdlc3QoKX0iKQoKZW5kID0gZGF0YS5maW5kKGIifHx8fHx8fHx8fHx8fHx8fHwiKQpzdGFydCA9IGVuZCAtIDB4MTAwCnN0YXJ0ID0gc3RhcnQgKyBkYXRhW3N0YXJ0OmVuZF0uZmluZChiIi90bXAvIikgKyA1CkVOQ1JZUFRFRCA9ICB1bmhleGxpZnkoZGF0YVtzdGFydDplbmRdKQoKIyA0MCA4MCBmNSBYWCA9PSB4b3IgYnBsLCBYWApiZWZvcmVfeG9ya2V5ID0gZGF0YS5maW5kKGJ5dGVzLmZyb21oZXgoIkZGRkY0MDgwRjUiKSkKWE9SS0VZID0gZGF0YVtiZWZvcmVfeG9ya2V5K2xlbihieXRlcy5mcm9taGV4KCJGRkZGNDA4MEY1IikpXQpwcmludChmIlhPUiBLRVk6IHtoZXgoWE9SS0VZKX0
iKQplbmNyeXB0ZWRfc3RhZ2UyID0geG9yKEVOQ1JZUFRFRCwgWE9SS0VZKQoKc3RhcnQgPSBzdGFydCAtIGxlbigiL3RtcC8iKSAtIDMyCkFFU0tFWSA9IGRhdGFbc3RhcnQ6c3RhcnQrMTZdCgpzdGFydCArPSAxNgpBRVNJViA9IGRhdGFbc3RhcnQ6c3RhcnQrMTZdCgpTRUdNRU5UX1NJWkUgPSAxMjgKCnByaW50KGYiQUVTLTEyOCBDRkIgS0VZOiB7QUVTS0VZLmhleCgpfSIpCnByaW50KGYiQUVTLTEyOCBDRkIgSVY6IHtBRVNJVi5oZXgoKX0iKQpjaXBoZXIgPSBBRVMubmV3KEFFU0tFWSwgQUVTLk1PREVfQ0ZCLCBpdj1BRVNJViwgc2VnbWVudF9zaXplPVNFR01FTlRfU0laRSkKZGVjcnlwdGVkID0gY2lwaGVyLmRlY3J5cHQoZW5jcnlwdGVkX3N0YWdlMikKcHJpbnQoZiJEZWNyeXB0ZWQgU3RhZ2UgSG9zdGVyIFVSTDoge2RlY3J5cHRlZC5kZWNvZGUoJ3V0Zi04Jyl9IikK", "deleted": false, "disable_correlation": false, "object_relation": "script-as-attachment", "timestamp": "1706629192", "to_ids": false, "type": "attachment", "uuid": "f751818e-0c5f-44be-8633-b8ec180cb970", "value": "krusty_extractor.py" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "language", "timestamp": "1706629192", "to_ids": false, "type": "text", "uuid": "37360b05-e581-4c8f-9bd0-9e9fc8138eda", "value": "Python" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1706629192", "to_ids": false, "type": "text", "uuid": "b217f1d1-95cf-4414-8a55-194b4e96d8f2", "value": "https://github.com/synacktiv/krustyloader-analysis/blob/main/krusty_extractor.py" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1706629192", "to_ids": false, "type": "text", "uuid": "0f38e30e-5a0a-4f37-911d-c16b585541cd", "value": "Trusted" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1706629250", "uuid": "343eabeb-41ac-47e8-aaa9-e7de6dea3d97", "Attribute": [ { 
"category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1706629250", "to_ids": false, "type": "comment", "uuid": "19745aab-6802-4bd4-9ce8-2c137263214e", "value": "Yara rule that detects Linux KrustyLoader" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1706629250", "to_ids": false, "type": "text", "uuid": "30a9ed56-45b3-4d81-9913-929b0874b6f6", "value": "all" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1706629250", "to_ids": true, "type": "yara", "uuid": "25579d73-a3f6-44c7-8bc2-0b3478c3b2be", "value": "// KrustyLoader.yar\r\n// Copyright (C) 2024 - Synacktiv, Th\u00e9o Letailleur\r\n// contact@synacktiv.com\r\n//\r\n// This program is free software: you can redistribute it and/or modify\r\n// it under the terms of the GNU Affero General Public License as published by\r\n// the Free Software Foundation, either version 3 of the License, or\r\n// (at your option) any later version.\r\n//\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU Affero General Public License for more details.\r\n//\r\n// You should have received a copy of the GNU Affero General Public License\r\n// along with this program. 
If not, see .\r\n\r\nrule Linux_Downloader_KrustyLoader\r\n{\r\n meta:\r\n author = \"Theo Letailleur, Synacktiv\"\r\n source = \"Synacktiv\"\r\n status = \"RELEASED\"\r\n sharing = \"TLP:WHITE\"\r\n category = \"MALWARE\"\r\n malware = \"KrustyLoader\"\r\n description = \"Yara rule that detects Linux KrustyLoader\"\r\n\r\n strings:\r\n $tokio_worker = \"TOKIO_WORKER_THREADS\"\r\n $tmpdir = \"/tmp/\"\r\n\r\n // Load \"/proc/self/exe\" string\r\n $proc_self_exe = {\r\n 48 B? 73 65 6C 66 2F 65 78 65 // mov r64, 6578652F666C6573h\r\n 48 8D B4 24 ?? ?? 00 00 // lea rsi, [rsp+????h]\r\n 48 89 46 0? // mov [rsi+6], r64\r\n 48 B? 2F 70 72 6F 63 2F 73 65 // mov r64, 65732F636F72702Fh\r\n 48 89 0? // mov [rsi], r64\r\n }\r\n\r\n $pipe_suffix = \"|||||||||||||||||||||||||||\"\r\n\r\n // AES key expansion\r\n $aeskeygenassist = {\r\n 660F3ADF0601 // aeskeygenassist xmm0, xmmword ptr [rsi], 1\r\n 660F7F07 // movdqa xmmword ptr [rdi], xmm0\r\n C3 // retn\r\n }\r\n\r\n // AES InvMixColumns\r\n $aesinvmixcol = {\r\n 660F38DB06 // aesimc xmm0, xmmword ptr [rsi]\r\n 660F7F07 // movdqa xmmword ptr [rdi], xmm0\r\n C3 // retn\r\n }\r\n\r\n condition:\r\n uint32(0) == 0x464C457F and\r\n (\r\n all of them\r\n )\r\n}" } ] }, { "comment": "", "deleted": false, "description": "Report object to describe a report along with its metadata.", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "8", "timestamp": "1706629319", "uuid": "2f97ed0a-ca8d-42bd-a593-791296fac41a", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1706629319", "to_ids": false, "type": "link", "uuid": "9041edfd-8412-44f3-9f5a-481ad8c459af", "value": "https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "summary", "timestamp": "1706629319", "to_ids": false, "type": "text", "uuid": "4c97b4af-78e0-4ba6-ac00-9ad305a0e8c7", "value": "On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting the Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805, allowing unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads that I labelled as KrustyLoader." } ] }, { "comment": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629388", "uuid": "dc9874f6-bfc6-4736-9118-6108af933e16", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629388", "to_ids": true, "type": "md5", "uuid": "0291fee6-8080-40cd-89b6-95afd0abd1ed", "value": "deff93081ccb3fda7a12f6e9e3ad15ad" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629388", "to_ids": true, "type": "sha1", "uuid": "3145b3d8-929b-47b7-a9c7-6128c9b59ce8", "value": "40b88819594091111c93bd9578b82dedd0823362" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629388", "to_ids": true, "type": "sha256", "uuid": "7d1f9fc5-8547-486e-8283-bc0f9057add5", "value": 
"030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629388", "to_ids": true, "type": "tlsh", "uuid": "74a6d721-22b8-435b-baca-2e98aa4ed456", "value": "t147154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629388", "to_ids": true, "type": "vhash", "uuid": "9732b0e3-754e-4419-b07a-642582e81924", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629388", "to_ids": true, "type": "ssdeep", "uuid": "fa6e1155-e8d1-437d-b018-baa22feeff5c", "value": "24576:aR4f424TMgHBwOmA8vzHhyKDnPAzRDLZUaWX:aR4xzgHVmAIHhnDnIR+aWX" } ] }, { "comment": "73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629410", "uuid": "c71f8917-710d-4424-ac5d-3acf660331e8", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629410", "to_ids": true, "type": "md5", "uuid": "a0fd81e0-4f9f-4ea7-9c3c-447060c630e4", "value": "322778ac48bb0e0da65c0288b76b1133" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629410", "to_ids": true, "type": "sha1", "uuid": "526f819c-a746-4a0f-96b1-e97c52b1ade0", "value": "1bc9a9190b86d42f5c74735da669e76a5c7ff6fe" }, { "category": "Payload 
delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629410", "to_ids": true, "type": "sha256", "uuid": "7c697f14-b4e8-4a61-8a94-00396fa39603", "value": "73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629410", "to_ids": true, "type": "tlsh", "uuid": "925fc014-ff57-42ec-ae1d-123980d4d3ed", "value": "t172154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629410", "to_ids": true, "type": "vhash", "uuid": "46eb4d04-7380-47e5-81ce-58ab778ae1af", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629410", "to_ids": true, "type": "ssdeep", "uuid": "c98a75a3-49dc-4d38-a4ec-c6e2cc1881c6", "value": "24576:aR4f424TMgHBwOmA8vzHhyKDjPAzRDLZUaWX:aR4xzgHVmAIHhnDjIR+aWX" } ] }, { "comment": "e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629422", "uuid": "1af4ea7c-c429-4301-bb30-9e07b1e2a0dd", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629422", "to_ids": true, "type": "md5", "uuid": "778b198f-3ad5-4c48-830b-ed33030348c8", "value": "cbf6325a11ba974278f2b9038a4b99d7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "sha1", "timestamp": "1706629422", "to_ids": true, "type": "sha1", "uuid": "1532c06a-e334-47ef-bd77-a7af15a288ec", "value": "8c7fdcd3a192a37bdbb8e6877a9b8e14c07dd8d5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629422", "to_ids": true, "type": "sha256", "uuid": "fa72bd4c-7fb5-42b0-94b8-370a2ef436a1", "value": "e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629422", "to_ids": true, "type": "tlsh", "uuid": "ef90f3d1-3fe3-4eef-b23f-861e93bccc63", "value": "t1ba154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629422", "to_ids": true, "type": "vhash", "uuid": "676cb936-d22d-4308-a00d-8192e14e8edc", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629422", "to_ids": true, "type": "ssdeep", "uuid": "d123b8db-ea9d-4024-948b-f9cf1c27b364", "value": "24576:aR4f424TMgHBwOmA8vzHhyKDRPAzRDLZUaWX:aR4xzgHVmAIHhnDRIR+aWX" } ] }, { "comment": "d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629438", "uuid": "8f8f83da-b449-4f62-8d99-0b519b3a0960", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629438", "to_ids": 
true, "type": "md5", "uuid": "968f9330-69ba-4378-9ff4-1fee47373c8d", "value": "5c4cfb6ac2cd3213bace688f0fa2f14e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629438", "to_ids": true, "type": "sha1", "uuid": "212aa59f-4253-4134-97fb-c5b484476642", "value": "913b0c9dc8b30d53ea73911c5683c2dc04c14e3b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629438", "to_ids": true, "type": "sha256", "uuid": "08f038f5-aae4-427d-bafa-dd1de0dee442", "value": "d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629438", "to_ids": true, "type": "tlsh", "uuid": "f40095d0-876c-4f0c-b8e8-278b71fcc459", "value": "t1d8154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629438", "to_ids": true, "type": "vhash", "uuid": "ced0f459-2453-46ff-9fe8-e153b3abedc0", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629438", "to_ids": true, "type": "ssdeep", "uuid": "c796ed54-a700-4522-9633-76bb23025e4a", "value": "24576:aR4f424TMgHBwOmA8vzHhyKDWPAzRDLZUaWX:aR4xzgHVmAIHhnDWIR+aWX" } ] }, { "comment": "6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629448", "uuid": 
"948fa32b-6eaf-423c-a025-5649b56cecf2", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629448", "to_ids": true, "type": "md5", "uuid": "5d434e74-64f0-44e8-a302-87d09a9c1159", "value": "4a626140da1009f199afde2581d28d0b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629448", "to_ids": true, "type": "sha1", "uuid": "2ba63bad-8cc4-4168-8a71-f4664e88dde6", "value": "ba56f6e5b9e7b0137cc237d338471c99480fee96" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629448", "to_ids": true, "type": "sha256", "uuid": "6130a761-d36b-4b97-9ef3-233333af7521", "value": "6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629448", "to_ids": true, "type": "tlsh", "uuid": "5549cbd2-ce6b-4ae7-b4ee-cffa9c32d8da", "value": "t116154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629448", "to_ids": true, "type": "vhash", "uuid": "51fa9738-4f73-46e3-8f5f-bb13896d36fc", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629448", "to_ids": true, "type": "ssdeep", "uuid": "ed6aefb6-b5a4-45eb-ba38-947fd64e9f1a", "value": "24576:aR4f424TMgHBwOmA8vzHhyKDkPAzRDLZUaWX:aR4xzgHVmAIHhnDkIR+aWX" } ] }, { "comment": "a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960: Enriched via the virustotal module", "deleted": false, "description": 
"File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629465", "uuid": "7cdf0234-4f0e-474e-a903-861f2d3da40d", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629465", "to_ids": true, "type": "md5", "uuid": "b9e10435-c627-4205-a1af-b4258dbc194b", "value": "d71d37de5bae9a33ce2aa4908178b209" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629465", "to_ids": true, "type": "sha1", "uuid": "84392d15-2e7c-4894-9cc2-842739a16467", "value": "a19bdf4f7ccc68470c172e67ffe4a1bdef5d7bc4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629465", "to_ids": true, "type": "sha256", "uuid": "db16c5c8-30a2-4b13-b232-f00cb69adfac", "value": "a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629465", "to_ids": true, "type": "tlsh", "uuid": "78cdf27f-d7fe-473f-9a02-130ac6ac8f53", "value": "t1c3154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629465", "to_ids": true, "type": "vhash", "uuid": "ed0c6553-c4b5-4d7d-822f-a0e339b270e4", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629465", "to_ids": true, "type": "ssdeep", "uuid": "fe96cd2f-0edb-4f4c-962f-664173bde493", "value": 
"24576:aR4f424TMgHBwOmA8vzHhyKD6PAzRDLZUaWX:aR4xzgHVmAIHhnD6IR+aWX" } ] }, { "comment": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815: Enriched via the virustotal module", "deleted": false, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "name": "url", "template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "template_version": "9", "timestamp": "1706629513", "uuid": "ab9ca726-84ff-4100-af55-9fe90a7a2434", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "url", "timestamp": "1706629513", "to_ids": true, "type": "url", "uuid": "221edb45-45e4-403e-b344-18a4a3824670", "value": "http://blaze-uk.s3.amazonaws.com/WymRvUz1HeRw3" } ] }, { "comment": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629513", "uuid": "48fb75d1-d567-4360-8977-abeede3f56f7", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629513", "to_ids": true, "type": "md5", "uuid": "11c4ab64-2b45-4f07-8158-3e39f048d2a3", "value": "fc67817ea351dd6f0f0dcdb32a524c54" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629513", "to_ids": true, "type": "sha1", "uuid": "27c5f500-4ff1-45b1-9754-6aa5103ca07a", "value": "f62d0f71441979785b44c8d062fcf7371fa5eb34" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629513", 
"to_ids": true, "type": "sha256", "uuid": "bd1a7321-730c-474e-b1bd-fb3162c53eed", "value": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629513", "to_ids": true, "type": "tlsh", "uuid": "f808c3e9-f685-49ff-8505-e824a3a0f52d", "value": "t1b5154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629513", "to_ids": true, "type": "vhash", "uuid": "905748be-3a36-42d0-ad2c-d3387970952e", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629513", "to_ids": true, "type": "ssdeep", "uuid": "cd533038-4d78-4b64-bb63-fc4f9aad1518", "value": "24576:aR4f424TMgHBwOmA8vzHhyKDlPAzRDLZUaWX:aR4xzgHVmAIHhnDlIR+aWX" } ] }, { "comment": "76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629530", "uuid": "9e1e286c-c8fd-4a42-9284-237030894dee", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629530", "to_ids": true, "type": "md5", "uuid": "60435072-863c-4ae3-9f55-f18f28351594", "value": "c17113b1361002aff47459eb0d5bfd3b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629530", "to_ids": true, "type": "sha1", "uuid": 
"f1007aca-2728-4ab5-8246-2654a1b67a08", "value": "61ec1f157f92cd7110b8324689d40e289ea1dc1a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1706629530", "to_ids": true, "type": "sha256", "uuid": "6bb5f372-eb58-4d49-b91f-8691b8e06c2c", "value": "76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629530", "to_ids": true, "type": "tlsh", "uuid": "6aabdd6c-482d-44a5-8188-3301415c4647", "value": "t1b2154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629530", "to_ids": true, "type": "vhash", "uuid": "54b8798e-9044-4f1b-81b6-2767e11bade3", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629530", "to_ids": true, "type": "ssdeep", "uuid": "ac5d0abe-616d-4929-bc40-7450576a0f4f", "value": "24576:aR4f424TMgHBwOmA8vzHhyKD1PAzRDLZUaWX:aR4xzgHVmAIHhnD1IR+aWX" } ] }, { "comment": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0: Enriched via the virustotal module", "deleted": false, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "name": "url", "template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "template_version": "9", "timestamp": "1706629561", "uuid": "a6175dea-b390-4788-a69e-835940de95cf", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "url", "timestamp": "1706629561", "to_ids": true, "type": "url", 
"uuid": "22ad1133-dd9a-4134-9a9a-f24ab2315a03", "value": "http://book4timepublic.s3.amazonaws.com/gEsD2heW4crIT" } ] }, { "comment": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17: Enriched via the virustotal module", "deleted": false, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "name": "url", "template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "template_version": "9", "timestamp": "1706629581", "uuid": "01e9ed60-f0f6-4168-bd22-aa1ceec6a479", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "url", "timestamp": "1706629581", "to_ids": true, "type": "url", "uuid": "4cb889b4-6b9f-44ee-9c14-26d58eb9cccb", "value": "http://blooming.s3.amazonaws.com/Ea7fbW98CyM5O" } ] }, { "comment": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706629581", "uuid": "2140ab53-ee01-4cfe-9174-b35ae7e43d8f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706629581", "to_ids": true, "type": "md5", "uuid": "22a064f5-080f-4c68-a751-ff85a8c43e95", "value": "63b0574cbe77d6231513f32e0d042484" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1706629581", "to_ids": true, "type": "sha1", "uuid": "e86447a0-b365-4075-a8d3-8938331002cd", "value": "55c2197c88cd3cef23b5f9062c6bdbb6f4b28094" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "sha256", "timestamp": "1706629581", "to_ids": true, "type": "sha256", "uuid": "d3d99289-c4c4-4567-a943-f0da2398da48", "value": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "tlsh", "timestamp": "1706629581", "to_ids": true, "type": "tlsh", "uuid": "59cc0487-fe0d-4218-844c-193c657e79bf", "value": "t1f4154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1706629581", "to_ids": true, "type": "vhash", "uuid": "d54a50e7-a13e-4458-bb80-62885aa3098b", "value": "1cbe32fb065a3318a29a9156aa4e9083" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1706629581", "to_ids": true, "type": "ssdeep", "uuid": "d4a62b15-24f6-47d4-8bfd-6f2f9f1ed288", "value": "24576:aR4f424TMgHBwOmA8vzHhyKDHPAzRDLZUaWX:aR4xzgHVmAIHhnDHIR+aWX" } ] }, { "comment": "CHAINLINE web shell", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706729682", "uuid": "4764a31d-89d0-438c-b399-cb7981041950", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1706729682", "to_ids": true, "type": "filename", "uuid": "81c13b88-eccf-489e-a199-60b57e417d19", "value": "health.py" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706729682", "to_ids": true, "type": "md5", "uuid": "8c41de06-9ee3-4ade-aa0b-13140b9c79cf", "value": 
"3045f5b3d355a9ab26ab6f44cc831a83" } ] }, { "comment": "WARPWIRE credential harvester variant", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706729901", "uuid": "e57b9ba2-bc61-48cf-b2d3-eff17548c4a0", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1706729901", "to_ids": true, "type": "filename", "uuid": "b1ed19f8-9729-4e49-a794-a34b0f8c4a08", "value": "lastauthserverused.js" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706729901", "to_ids": true, "type": "md5", "uuid": "c131a04c-16a5-4228-984b-1e36f5f85539", "value": "8eb042da6ba683ef1bae460af103cc44" } ] }, { "comment": "WARPWIRE credential harvester variant", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706729936", "uuid": "983924f8-2fd3-400a-8af0-e6eb88c9c47c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1706729936", "to_ids": true, "type": "filename", "uuid": "05e82bff-f99b-4a40-a65b-a6d100406ea3", "value": "lastauthserverused.js" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706729936", "to_ids": true, "type": "md5", "uuid": "bd717784-19da-41f0-b8db-30ee1aca89a8", "value": "a739bd4c2b9f3679f43579711448786f" } ] }, { "comment": "WARPWIRE credential harvester variant", "deleted": false, "description": "File object describing a file with 
meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706729969", "uuid": "46364464-737e-4d07-86ce-651524453c47", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1706729969", "to_ids": true, "type": "filename", "uuid": "9f5f3ad7-4957-4405-8ff8-de719271af45", "value": "lastauthserverused.js" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706729969", "to_ids": true, "type": "md5", "uuid": "f2a751b0-9d12-4c91-95e8-93ba3b7fbb4e", "value": "a81813f70151a022ea1065b7f4d6b5ab" } ] }, { "comment": "WARPWIRE credential harvester", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706729998", "uuid": "4cc0f927-92e5-41b0-86b2-54644406aa6d", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1706729998", "to_ids": true, "type": "filename", "uuid": "35f5aa5b-5f16-496b-887b-92be5fa8c9d4", "value": "lastauthserverused.js" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706729998", "to_ids": true, "type": "md5", "uuid": "2b5355d0-8d3b-4c5f-9664-35e9588240c9", "value": "d0c7a334a4d9dcd3c6335ae13bee59ea" } ] }, { "comment": "WARPWIRE credential harvester variant", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706730040", "uuid": 
"35de57af-16b4-4d68-bd64-77c60384c996", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1706730040", "to_ids": true, "type": "filename", "uuid": "437c1bcd-766e-4e77-a123-971e5bb6d269", "value": "lastauthserverused.js" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706730040", "to_ids": true, "type": "md5", "uuid": "c6235f72-a846-4087-b1d5-bd6dc967efb4", "value": "e8489983d73ed30a4240a14b1f161254" } ] }, { "comment": "FRAMESTING web shell", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1706730073", "uuid": "36a21306-6be1-4007-81fe-8f6754eeea8f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1706730073", "to_ids": true, "type": "filename", "uuid": "3e46f09e-4df8-4b85-a1bf-04da9bf5eb61", "value": "category.py" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1706730073", "to_ids": true, "type": "md5", "uuid": "add8c276-8092-4857-9cf5-5043337a99a7", "value": "465600cece80861497e8c1c86a07a23e" } ] } ], "EventReport": [ { "name": "Report from - https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises (1706629030)", "content": "# KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises\r\n\r\n Written by Th\u00c3\u00a9o Letailleur - 29/01/2024 - in CSIRT - Download On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing 
unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads that I labelled as KrustyLoader.\r\n\r\n ## Introduction\r\n\r\n On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting the Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 [1], allowing unauthenticated remote code execution. Volexity [2] and Mandiant [3] published several articles showing how these vulnerabilities were actively exploited by a threat actor, tracked by Volexity as UTA0178 and by Mandiant as UNC5221.\r\n\r\n On 18th January, Volexity published new indicators of compromise [4] including Rust payloads downloaded on compromised Ivanti Connect Secure appliances. Then on 21st and 24th of January, I published two posts on X [5][6] summarizing the behaviour of those 12 Rust payloads. They share almost 100% code similarity and their main purpose is to download and execute a Sliver backdoor. 
I personally labelled this piece of malware as *KrustyLoader*.\r\n\r\n Therefore, the purpose of this article is to provide more insights on this malware, reversing tips, as well as a script that automatically extracts the encrypted URL from any similar sample.\r\n\r\n ## Basic information\r\n\r\n KrustyLoader basic information SHA256 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04\r\n\r\n 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17\r\n\r\n c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28\r\n\r\n c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026\r\n\r\n d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0\r\n\r\n 6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01\r\n\r\n a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960\r\n\r\n ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815\r\n\r\n 76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f\r\n\r\n e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2\r\n\r\n 73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6\r\n\r\n 030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0\r\n\r\n File type ELF 64-bit LSB pie executable x86\\_64 stripped, static-pie linked File size 878824 bytes Threat Linux Rust downloader \r\n\r\n Screenshots and extracts in this article are based on sample *030eb56e1[...]84228b0* (the highlighted hash above), but \u2013 as they are similar \u2013 the logic is the same for the other payloads.\r\n\r\n ## Code analysis approach\r\n\r\n *You will not find a deep analysis into assembly code with tons of IDA screenshots, because it does not bring much value in this context. 
However, I find it more interesting to explain my approach to quickly spotting the useful parts of the code and getting a general idea of its behaviour.*\r\n\r\n Usually we would start from the entry point and determine the flow of execution, symbols, and API functions. However, there are several difficulties to consider when reversing a Rust-based executable:\r\n\r\n \r\n * The executable is statically linked, meaning that libraries are embedded into the executable, including Rust crates and the libc: this adds a large number of library functions that are not worth spending time on during malware analysis.\r\n * Since Rust is a high-level programming language, its abstractions tend to bring a \u201cnatural\u201d obfuscation to the program code with lots of additional checks, temporary variables and built-in structures.\r\n * Moreover, this sample is stripped, meaning that symbols and debug information are removed from the executable. In practice, it means that the disassembler will not be able to retrieve the function names of the program \u2013 nor of the libraries \u2013 as well as structure, variable and constant names, etc.\r\n \r\n As a result, with more than 2000 unnamed functions, it becomes quite tedious to determine what is the actual code of the developer, and what is not.\r\n\r\n Therefore, I first executed the sample in a controlled environment (a Linux Debian-based virtual machine), to monitor any system and network activity.\r\n\r\n $ strace ./030eb56e155fb01.\\_bad\\_elf execve(\"./030eb56e155fb01.\\_bad\\_elf\", [\"./030eb56e155fb01.\\_bad\\_elf\"], 0x7ffc20b137a0 /* 50 vars */) = 0 [...] 
readlink(\"/proc/self/exe\", \"/home/user/iv/030eb56/030eb56e\"..., 256) = 48 open(\"/home/user/iv/030eb56/030eb56e155fb01.\\_bad\\_elf\", O\\_RDONLY|O\\_NONBLOCK|O\\_CLOEXEC|O\\_PATH) = 6 readlink(\"/proc/self/fd/6\", \"/home/user/iv/030eb56/030eb56e\"..., 4095) = 48 fstat(6, {st\\_mode=S\\_IFREG|0755, st\\_size=878824, ...}) = 0 stat(\"/home/user/iv/030eb56/030eb56e155fb01.\\_bad\\_elf\", {st\\_mode=S\\_IFREG|0755, st\\_size=878824, ...}) = 0 close(6) = 0 unlink(\"/home/user/iv/030eb56/030eb56e155fb01.\\_bad\\_elf\") = 0 getppid() = 3033 readlink(\"/proc/self/exe\", \"/home/user/iv/030eb56/030eb56e\"..., 256) = 58 readlink(\"/proc/self/exe\", \"/home/user/iv/030eb56/030eb56e\"..., 256) = 58 stat(\"/tmp/0\", 0x7fffe54a8700) = -1 ENOENT (No such file or directory) [...] exit\\_group(0) = ? I was first disappointed because the process exited instantaneously with no network activity and no visible impact on the filesystem (other than deleting its own executable). But there were a few interesting system calls executed:\r\n\r\n \r\n * readlink(\"/proc/self/exe\"...): reads the value (the path) pointed to by the symbolic link /proc/self/exe, i.e. its own executable (here /home/user/iv/030eb56/030eb56e155fb01.\\_bad\\_elf);\r\n * Then it opens its executable with the open syscall, checks its file status with fstat (not sure why) and closes it;\r\n * unlink(\"/home/user/iv/030eb56/030eb56e155fb01.\\_bad\\_elf\"): deletes itself. Note that the two readlink calls that follow return 58 bytes instead of 48: once the file is unlinked, the kernel appends \" (deleted)\" to the /proc/self/exe target;\r\n * stat(\"/tmp/0\", ...): tests the existence of the /tmp/0 file; in this running context you can see the error explaining that it does not exist;\r\n * Exits.\r\n \r\n We can use this information to find the beginning of the main *useful* function by searching for any references to the readlink and unlink system calls, as well as the /proc/self/exe and /tmp/0 strings. However, those two strings did not bring interesting results (as I discovered later, they are stack strings, so there is no reference to them!). 
But /tmp/ and the two mentioned system calls were directly referenced from a big function that I determined to be the main routine.\r\n\r\n The main routine is called by another big function that I identified as a *Tokio* worker thread, responsible for running asynchronous tasks. *Tokio* [7] is a famous Rust crate, very handy when building asynchronous network applications. I quickly identified the purpose of this function thanks to a reference to the TOKIO\\_WORKER\\_THREADS string, which allowed me to completely skip its code flow and go straight to the main routine.\r\n\r\n KrustyLoader main routine Once we identify the exception/error handling code inside the function, the execution flow becomes more obvious. To help with the reverse engineering, I debugged the program with GDB. Since it is a stripped PIE (Position Independent Executable) binary \u2013 simply put, the code segment base address is randomized \u2013 we can neither break on function names nor on predictable addresses. The start GDB command is not able to break on the main function in this configuration. Thankfully, GDB has another command called starti [8] that sets a temporary breakpoint at the very first instruction of a program\u2019s execution and then invokes the \u2018run\u2019 command. This command allows us to start the process, break instantaneously, and get the base address of the code segment loaded in memory.\r\n\r\n $ gdb 030eb56e155fb01.\\_bad\\_elf [...] Reading symbols from 030eb56e155fb01.\\_bad\\_elf... (No debugging symbols found in 030eb56e155fb01.\\_bad\\_elf) gef\u27a4 starti Starting program: /home/user/iv/030eb56/030eb56e155fb01.\\_bad\\_elf [*] Failed to find objfile or not a valid file format: [Errno 2] No such file or directory: 'system-supplied DSO at 0x7ffff7fde000' Program stopped. 0x00007ffff7d364db in ?? () [...] 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:64 \u2500\u2500\u2500\u2500 0x7ffff7d364cd call 0x7ffff7dc9bc4 0x7ffff7d364d2 mov edi, DWORD PTR [rsp+0xc] 0x7ffff7d364d6 call 0x7ffff7dc742e \u2192 0x7ffff7d364db xor rbp, rbp 0x7ffff7d364de mov rdi, rsp 0x7ffff7d364e1 lea rsi, [rip+0x2c6570] # 0x7ffff7ffca58 0x7ffff7d364e8 and rsp, 0xfffffffffffffff0 0x7ffff7d364ec call 0x7ffff7d364f1 0x7ffff7d364f1 sub rsp, 0x190 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500 [#0] Id 1, Name: \"030eb56e155fb01\", stopped 0x7ffff7d364db in ?? (), reason: STOPPED \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500 [#0] 0x7ffff7d364db \u2192 xor rbp, rbp \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 gef\u27a4 IDA disassembly view - KrustyLoader's first instruction GDB breaks at the first instruction at address 0x7ffff7d364db in our example. 
IDA disassembly view shows that the first instruction of the program (pointed to by the start symbol) is at 0xF4DB. Then, using a simple subtraction and addition, we can retrieve the base address and determine the address of the main routine: 0x7ffff7d364db - 0xF4DB + 0x2E70B (offset of the main routine) = 0x7ffff7d5570b. We can now break at 0x7ffff7d5570b and finally start debugging the main routine normally.\r\n\r\n The next section describes the results of my analysis based on this approach. I also used Sysdig9 to monitor the system calls and general activity on the virtual machine. This is a great system monitoring tool that would deserve its own article!\r\n\r\n ## KrustyLoader Behaviour\r\n\r\n Based on reverse engineering and dynamic analysis, the behaviour of KrustyLoader can be summarized in the following main points:\r\n\r\n \r\n * The malware reads /proc/self/exe to get its own path (*readlink*) and deletes itself (*unlink*)\r\n * Then the following checks must all pass, otherwise the program exits: \r\n\t + It gets the parent process ID (PPID) using the *getppid* syscall and exits if the PPID is 1.\r\n\t + Anti-debug checks: it reads /proc/self/exe again (the link target is now suffixed with \" (deleted)\" since the file was unlinked) and exits if it contains the **gdb** or **lldb** (both debuggers) strings.\r\n\t + It checks that /tmp/0 exists and exits if it does not.\r\n\t + It checks that its executable (pointed to by /proc/self/exe) is located in the /tmp/ directory and exits if it is not. 
\r\n * Once all the checks have passed, the malware starts doing the interesting part: \r\n\t + It creates a new file in the /tmp directory with a filename made of 10 random alphanumeric characters.\r\n\t + It decrypts a hardcoded URL and sends an HTTP GET request to it.\r\n\t + As a result, it receives an encrypted response from the remote server.\r\n\t + The content is decrypted and written to the random file.\r\n\t + It makes the random file executable using the system command chmod +x /tmp/randomfile.\r\n\t + Finally, it tries to execute the newly created executable and exits. \r\n \r\n As a general point, there is a bit of obfuscation: most strings are XOR-encrypted stack strings.\r\n\r\n The decryption process used by the malware to retrieve the URL has three steps:\r\n\r\n \r\n 1. It hex-decodes (the equivalent of bytes.fromhex() in Python) the encrypted URL;\r\n 2. It XORs each byte with a 1-byte key;\r\n 3. It uses **AES-128 CFB-1 mode**10 with a hardcoded key and initialization vector to decrypt and obtain the URL.\r\n \r\n AES-128 CFB is also used to decrypt the payload sent by the remote HTTP server.\r\n\r\n What about the executed payloads? Based on my observations, all the samples download a Sliver (Golang) backdoor, though from different URLs. The Sliver backdoors contact their C2 server using HTTP/HTTPS communication. Sliver11 is an open-source adversary simulation tool that is gaining popularity amongst threat actors, since it provides a practical command and control framework.\r\n\r\n The list of domains and URLs can be found in this GitHub repository: https://github.com/synacktiv/krustyloader-analysis.\r\n\r\n ## Extraction and detection\r\n\r\n ### Extraction of the URL\r\n\r\n I developed a simple script to statically retrieve and decrypt the URL used by *KrustyLoader* to get the *Sliver* backdoor. It allows extracting only the pieces of information we need, without executing the malware. 
The script is available here: https://github.com/synacktiv/krustyloader-analysis/blob/main/krusty\\_extractor.py. It requires pycryptodome Python package and a decent Python version to run. It automatically extracts the XOR key, the AES key, the AES initialization vector and the encrypted URL.\r\n\r\n $ python krusty\\_extractor.py 030eb56/030eb56e155fb01.\\_bad\\_elf Sample SHA256sum: 030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0 XOR KEY: 0x81 AES-128 CFB KEY: b1e228b4b5723d41a575d993b70c906b AES-128 CFB IV: 27bb7db8021cd9ade3520a6e67f43ac5 Decrypted Stage Hoster URL: http://bringthenoiseappnew.s3.amazonaws.com/iEgJ4J7Uc9YgC $ python krusty\\_extractor.py a4e1b07/a4e1b0.\\_bad\\_elf Sample SHA256sum: a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960 XOR KEY: 0x81 AES-128 CFB KEY: b1e228b4b5723d41a575d993b70c906b AES-128 CFB IV: 27bb7db8021cd9ade3520a6e67f43ac5 Decrypted Stage Hoster URL: http://bbr-promo.s3.amazonaws.com/NWEUW983Ve4g1 As you can observe in the extract above, it successfully decrypts the URL of both samples (and it works for all 12 samples). When I first ran the script on all samples, I was quite disappointed to notice that they also share the exact same cryptographic parameters.\u00c2 \u00f0\u009f\u0098\u0084 At least it sped up my analysis, and it could still be handy in case there are new variants with different XOR key or AES parameters.\r\n\r\n ### Detection\r\n\r\n You can find a Yara rule here to detect similar KrustyLoader samples: https://github.com/synacktiv/krustyloader-analysis/blob/main/KrustyLoader.yar. It searches specific strings I mentioned and some AES routines.\r\n\r\n ## Conclusion\r\n\r\n Rust payloads detected by Volexity team turn out to be pretty interesting Sliver downloaders as they were executed on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. 
KrustyLoader\u00c2 \u00e2\u0080\u0093 as I dubbed it \u00e2\u0080\u0093 performs specific checks in order to run only if conditions are met. The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behaviour. A script as well as a Yara rule are publicly available to help detection and extraction of indicators.\r\n\r\n \u00c2 \r\n\r\n If any organization needs assistance in doubt removal or responding to a compromise, please feel free to contact Synacktiv.\r\n\r\n \r\n* 1. https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-By\u00e2\u0080\u00a6\r\n * 2. https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zer\u00e2\u0080\u00a6\r\n * 3. https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-ze\u00e2\u0080\u00a6\r\n * 4. https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-expl\u00e2\u0080\u00a6\r\n * 5. https://x.com/ektoplasma\\_/status/1749407566335983616?s=20\r\n * 6. https://x.com/ektoplasma\\_/status/1750217403147989383?s=20\r\n * 7. https://docs.rs/tokio/latest/tokio/index.html\r\n * 8. https://sourceware.org/gdb/current/onlinedocs/gdb.html/Starting.html\r\n * 9. https://github.com/draios/sysdig/\r\n * 10. https://en.wikipedia.org/wiki/Block\\_cipher\\_mode\\_of\\_operation#Cipher\\_fee\u00e2\u0080\u00a6\r\n * 11. https://github.com/BishopFox/sliver\r\n \r\n Share this article ## Other publications\r\n\r\n ### KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises\r\n\r\n On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution. Vol ... Th\u00c3\u00a9o Letailleur - 29/01/2024 - CSIRT ### Exploring Counter-Strike: Global Offensive Attack Surface\r\n\r\n Back in 2021, we studied the attack surface of Counter-Strike: Global Offensive as a side research project. 
We found and reported a relative heap out-of-bounds write vulnerability triggerable remotely ... Victor Cutillas , Louis Jacotot - 08/01/2024 - Exploit , Reverse-engineering ### Leveraging Binary Ninja IL to Reverse a Custom ISA: Cracking the \u00e2\u0080\u009cPot of Gold\u00e2\u0080\u009d 37C3\r\n\r\n This article explores the process of reversing a custom instruction set architecture (ISA) of the Pot of Gold CTF challenge (37C3 CTF) using Binary Ninja Intermediate Language (IL) to decompile the ch ... Thomas Imbert - 05/01/2024 - Challenges , Exploit , Reverse-engineering \r\n * Who are we? \r\n * Our values \r\n * Agreements \r\n * Our clients \r\n * Our team \r\n \r\n \r\n * Back office \r\n * Pentest \r\n * Reverse \r\n * Development \r\n * Incident response (CSIRT) \r\n \r\n \r\n * Philosophy \r\n * Recruitment process \r\n * Job offers/internships \r\n \r\n \r\n * Kraqozorus \r\n * Houdini \r\n * Disconet \r\n * Oursin \r\n * Leakozorus \r\n \r\n \r\n * Penetration test / red team \r\n * Security audit \r\n * Reverse-engineering \r\n * Development \r\n * Incident response \r\n \r\n \r\n * CSIRT Synacktiv \r\n \r\n ## Contact us\r\n\r\n +33 1 45 79 74 75 contact@synacktiv.com GPG key ## PARIS\r\n\r\n 5 boulevard Montmartre \r\n 75002 Paris ## TOULOUSE\r\n\r\n 4 Rue du Pont Guilhemery \r\n 31000 Toulouse ## LYON\r\n\r\n 56 rue Smith \r\n 69002 Lyon ## RENNES\r\n\r\n 7D Rue de Ch\u00c3\u00a2tillon \r\n 35000 Rennes ## LILLE\r\n\r\n 7 Boulevard Louis XIV \r\n 59000 Lille Copyright \u00c2\u00a9 Synacktiv 2024 \r\n * Legal notice \r\n * Contact Us", "id": "358", "event_id": "206742", "timestamp": "1706629055", "uuid": "7b9a9467-7bd1-4364-a4c2-c6c50edbf0f3", "deleted": false } ] } }