QuoIntelligence's research team has identified a previously unreported variant of the WIREFIRE web shell, a Python-based implant deployed on compromised Ivanti Connect Secure (ICS) VPN appliances.
The variant shows how the operators relocated and reworked the implant so that it slipped past existing detections while keeping the same capabilities.
The campaign came to light in December 2023, when security researchers identified global exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances.
Attributed to the threat group UNC5221, the campaign deployed web shells on both internal and external-facing web applications on the appliances, giving the attackers unauthorized remote access and control.
The Familiar Foe with a New Disguise: The WIREFIRE Variant
While investigating this incident, QuoIntelligence researchers found a previously unreported variant of the WIREFIRE web shell.
Where the known sample lives in the "/api/resources/visits.py" file, this one was planted in "/api/resources/category.py"; the change of location alone was enough to sidestep detections tied to the original path.
Under the Hood: Dissecting the Variant’s Capabilities
The variant differs only in detail and retains the core functionality of its predecessor.
It intercepts POST requests carrying encrypted payloads, decrypts them, and executes the result directly in memory, so the payload is never written to the file system.
It does, however, introduce two noteworthy modifications:
- Cookie-based payload delivery: the variant carries its encrypted payload in a cookie rather than in the GIF-disguised request body used by the original.
- Execution across requests through exec(): a new code section uses the exec() function so that malicious code can run across successive POST requests, possibly to persist data between them.
The variant also exposed a limitation in the existing detection.
Mandiant's published YARA rule for WIREFIRE did not fire on it, because the rule was tied to the original file location.
A detection keyed to a single path is defeated simply by dropping a modified copy somewhere else, which is exactly what the operators did here, and it is a pattern defenders should expect to see repeated.
David Miller, Security Advocate: “This incident underscores the importance of patching vulnerabilities promptly.
The exploited zero-day vulnerabilities were patched in February 2024, but attackers are still exploiting unpatched systems. Organizations need to prioritize vulnerability management.”
Responding to the Threat: A New YARA Rule Emerges
To close this gap, QuoIntelligence researchers developed an interim YARA rule with broader scope.
Rather than keying on a filename, it matches on features the web shells share across locations within the "/api/resources/" directory, so it catches both the original and the variant.
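The same idea can be expressed as a host-side scan. The script below is an added example written for this article, not QuoIntelligence's rule or Mandiant's: it walks every .py file under any api/resources/ directory, ignores the filename, and scores each file on the behaviours described above (a POST handler, request input taken from the body or a cookie, a decrypt step, and exec()). The indicator regexes, weights and threshold are assumptions chosen for illustration, and the two appliance-like source files it scans are constructed fixtures that do nothing when run.

```python
"""Path-agnostic scan for WIREFIRE-style Python web shells (added example).

Indicator strings, weights and the threshold are assumptions for
illustration; tune them against your own appliance image before use.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed indicators: (name, regex, weight). exec() weighs most because a
# legitimate API resource handler almost never needs it.
INDICATORS = [
    ("post_handler", re.compile(r"\bdef\s+post\s*\(", re.I), 1),
    ("cookie_input", re.compile(r"request\.cookies|headers\[['\"]Cookie", re.I), 1),
    ("body_input", re.compile(r"request\.(data|get_data|get_json|stream|json)\b"), 1),
    ("decrypt", re.compile(r"\.decrypt\(|AES\.new\(|zlib\.decompress\(|b64decode\("), 1),
    ("exec", re.compile(r"\bexec\s*\("), 2),
]
THRESHOLD = 4  # exec + decrypt + at least one request-input source

def score_source(text: str) -> Dict[str, object]:
    """Return the indicator names that fire in `text` and their summed weight."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": total}

def scan_resources(root: str, restrict_to: str = "/api/resources/") -> List[Dict[str, object]]:
    """Walk `root` and score every .py whose path contains `restrict_to`.

    The filename itself is never consulted, so visits.py and category.py
    (or any future name) are treated identically.
    """
    findings = []
    for path in Path(root).rglob("*.py"):
        posix = path.as_posix()
        if not path.is_file() or restrict_to not in posix:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        result = score_source(text)
        if result["score"] >= THRESHOLD:
            findings.append({"path": posix, **result})
    return sorted(findings, key=lambda f: f["path"])

# Constructed fixture: an ordinary resource handler (no decrypt, no exec).
BENIGN_VISITS = '''
from flask import request
class Visits:
    def post(self):
        payload = request.get_json()
        return {"ok": True, "count": len(payload or {})}
'''

# Constructed fixture imitating the shape described in the article:
# cookie-borne ciphertext, a decrypt step, exec(). Not functional code.
SUSPICIOUS_CATEGORY = '''
from flask import request
from Crypto.Cipher import AES
import zlib
class Category:
    def post(self):
        blob = request.cookies.get("DSID")
        data = AES.new(KEY, AES.MODE_CBC, IV).decrypt(blob)
        exec(zlib.decompress(data))
'''

def demo() -> List[str]:
    """Build a constructed appliance-like tree in a temp dir, scan it, and
    return the base names of the files flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "cav" / "api" / "resources"
        base.mkdir(parents=True)
        (base / "visits.py").write_text(BENIGN_VISITS)
        (base / "category.py").write_text(SUSPICIOUS_CATEGORY)
        # Same content outside api/resources/ is skipped by the restriction.
        (Path(tmp) / "cav" / "utils.py").write_text(SUSPICIOUS_CATEGORY)
        return [os.path.basename(f["path"]) for f in scan_resources(tmp)]

if __name__ == "__main__":
    for flagged in demo():
        print("suspicious resource handler:", flagged)
```

Pointing `scan_resources` at the appliance's application root flags category.py on behaviour alone; a copy renamed to anything else would be flagged the same way, which is the property a path-keyed YARA rule lacks. Expect some tuning of the indicator list on a real image, since the threshold is a placeholder, and treat a hit as a lead for manual review rather than a verdict.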
The WIREFIRE variant is a reminder that detections built around a single artifact age quickly and need to be revisited as implants are moved and modified.
Organizations running Ivanti Connect Secure VPN appliances are urged to:
- Implement the new YARA rule to enhance detection capabilities.
- Regularly update systems and patch vulnerabilities.
- Employ robust security solutions and threat intelligence feeds.
- Maintain heightened awareness of evolving cyber threats.