Researchers at cybersecurity firm QuoIntelligence have spotted a new version of Wirefire (aka Giftedvisitor), one of the web shells leveraged by a Chinese threat actor in attacks targeting Ivanti Connect Secure zero-days.
The flaws (CVE-2023-46805, CVE-2024-21887) were discovered by Volexity in December last year during an investigation into a security incident at one of its customers. Researchers found that an attacker was placing web shells on multiple internal and external-facing web servers using an exploit chain involving the two zero-day flaws mentioned above.
The threat actor, tracked as UTA0178 (also known as UNC5221), used the exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.
The attackers also altered legitimate ICS components and made changes to the system to evade the ICS Integrity Checker Tool and backdoored a legitimate CGI file on the ICS VPN appliance to allow command execution. The threat actor then exfiltrated credentials and used them to pivot to other internal systems.
According to Mandiant researchers who have also analyzed this campaign, the threat actor deployed five custom malware tools called ThinSpool, LightWire, WireFire, WarpWire and ZipLine.
The threat actors backdoored compromised devices using a slightly modified Giftedvisitor web shell variant, according to Volexity. The company said that the number of infected systems exceeded 2,100.
Volexity said multiple threat actors have been exploiting the Ivanti flaws since mid-January. The researchers believe that attackers likely obtained the exploits through public proof-of-concept code. Volexity observed that, following exploitation, vulnerable Ivanti Connect Secure VPN appliances would download malicious code from a variety of attacker-controlled URLs, including the XMRig cryptocurrency miner and an identified Rust-based payload.
Now, a new variation of the Wirefire web shell has been discovered that comes with similar capabilities and is hidden in a different file. QuoIntelligence believes that the threat actor modified the malware to bypass detection mechanisms and to avoid detections by public YARA rules.
The researchers said they identified a suspicious Python .egg archive whose contents differed only slightly from the original sample reported by Mandiant and Volexity.
“In the original sample, Wirefire was located in the usual location /api/resources/visits.py and with the post function overwritten by the threat actor. However, our new finding was located inside of /api/resources/category.py, with the same post function overwritten,” the researchers explained.
“The two code snippets highlighted minor differences in the methodology of data transmission and subsequent execution. POST requests with specific indicators remain the way to convey the encrypted data payload, which is then decrypted and directly executed within the memory space of the process, leaving no traces on the compromised file system.”
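A defender-side hunt for the behaviour described above, as an added example that is not QuoIntelligence's, Mandiant's or Volexity's code: parse each Python handler under /api/resources with the `ast` module and flag any `post` function that decodes request data and then executes it, regardless of which file it lives in (visits.py, category.py or another). The sample handlers, the `Category`/`Resource` class names and the `request.data` reference are constructed for illustration and are not taken from the real web shell.

```python
import ast

# Calls that turn data into running code inside a request handler.
DYNAMIC_EXEC = {"exec", "eval", "compile"}
# Calls that typically reconstruct a payload carried in a POST body.
DECODE_HINTS = {"b64decode", "decrypt", "unhexlify", "decompress"}

def _call_name(node):
    """Bare callee name of a Call node, e.g. exec or b64decode."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None

def inspect_post_handlers(source):
    """Find every function named `post` that executes runtime-built code.
    Returns one dict per hit: line number, exec-style calls, decode calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.FunctionDef) and node.name == "post"):
            continue
        exec_calls, decode_calls = set(), set()
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                name = _call_name(sub)
                if name in DYNAMIC_EXEC:
                    exec_calls.add(name)
                elif name in DECODE_HINTS:
                    decode_calls.add(name)
        if exec_calls:
            findings.append({"line": node.lineno, "exec": sorted(exec_calls),
                             "decode": sorted(decode_calls)})
    return findings

# Constructed samples (not real Wirefire code): a clean handler and one with
# the decode-then-execute-in-memory shape the researchers describe.
CLEAN_SAMPLE = """\
class Category(Resource):
    def post(self):
        return {"status": "ok"}
"""
SUSPICIOUS_SAMPLE = """\
import base64
class Category(Resource):
    def post(self):
        body = base64.b64decode(request.data)
        exec(compile(body, "<memory>", "exec"))
"""
```

Run `inspect_post_handlers` over every .py file in /api/resources and compare any hit against a known-good copy of the appliance's files; a legitimate handler has no reason to call exec or eval on request data.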
QuoIntelligence provided “a less restrictive and temporary” YARA rule to help identify the altered Wirefire variants.