Rust Payloads Exploiting Ivanti 0-Days Linked to Sliver Toolkit
Payloads recently found on compromised Ivanti Connect Secure appliances could be from the same, sophisticated threat actor, according to incident response provider Synacktiv.
A new malware analysis from Synacktiv researcher Théo Letailleur showed that the 12 Rust payloads discovered by Volexity as part of its investigation into two Ivanti Connect Secure VPN remote code execution (RCE) zero-days (CVE-2024-21887 and CVE-2023-468051) share almost 100% code similarity.
KrustyLoader Executes Sliver, A Cobalt Strike Alternative
The primary purpose of this string of payloads, which the researcher named “KrustyLoader,” is to download and execute a Sliver backdoor coded in Golang.
Sliver is a post-exploitation toolkit created by offensive security provider Bishop Fox to allow red teams to maintain access and control over a compromised system after gaining initial entry. It offers various capabilities, such as spying on a network, executing commands, spawning sessions, or loading reflective DLLs.
Sliver emerged as a popular choice for cybercriminals in the latter half of 2023 following a law enforcement operation attempting to shut down ‘cracked’ versions of Cobalt Strike, another offensive toolkit.
ConnectSecure Exploitation Shows APT-Level Sophistication
In his malware analysis, Letailleur found that these 12 payloads are interestingly sophisticated – they perform specific checks in order to run only if conditions are met, for instance.
This finding aligns with previous findings from Volexity and Mandiant, who both reported that an advanced persistent threat (APT) actor was behind some Ivanti zero-day exploitations.
Volexity attributed it to a Chinese-backed group tracked as UTA0178. Mandiant attributed it to an activity cluster it tracks as UNC5221.
US federal officials also said the attacks shared some similarities with the Volt Typhoon attacks linked to China during mid-2023.
Ivanti Patch Delayed
Ivanti has been working with Mandiant to mitigate the threat activity, which has led to the compromise of more than 2100 systems so far.
While a patch was initially scheduled for the week of January 22, Ivanti announced on January 26 that the release would be delayed to the week of January 30 at the earliest.
No patch is available at the time of writing.
Read more: CISA Emergency Directive Demands Action on Ivanti Zero-Days