
LITTLELAMB.WOOLTEA: Stealthy Network Edge Device Backdoor

Date: December 2024
Authors: Michaël Schrijver, Alex Oudenaarden

Introduction

During a forensic investigation, we observed an active attack on a Palo Alto Networks firewall. These firewalls, classified as "network edge devices," are high-value targets for advanced threat actors, as detailed in our Global Threat Landscape report.

Upon closer examination of the compromised device, we identified a novel, stealthy, and advanced backdoor, which we believe is associated with the LITTLELAMB.WOOLTEA malware. The delivery mechanism of this malware has been described by Google Mandiant[1] and Fortinet[2], but with no public technical details of the backdoor itself, we had to conduct our own research to estimate its impact and intentions. For future reference and use by other researchers, we compiled our results into this document.

For other information about the investigation itself, please refer to our related blog post.

© Northwave Group B.V. - [email protected] - +31 (0) 30 303 1240 - www.northwave-cybersecurity.com 2


Summary

A suspected nation-state threat actor gained entry to a Palo Alto Networks device through CVE-2024-9474[3], shortly after details of the vulnerability were made public. They subsequently injected commands using curl to download a file bwmupdate to /tmp, make it executable and then execute it. The output of the injected commands was redirected to a file in /var/appweb/htdocs/unauth.

The bwmupdate file installs the backdoor, which disguises itself as the logd service, by copying the malware to /usr/local/bin/logd. This backdoor is then executed using execve(), which fully replaces any running legitimate logd process with the malicious one. To ensure persistence, the malware first adds its path to the /etc/rc.local file and modifies packages.py, a part of the RedHat package manager used by PanOS. The modified function runs during system upgrades and ensures the backdoor remains installed across upgrades.

Next, the malware injects a small dynamic library into the running nginx process. This library hijacks the accept() function to check for incoming connections that contain a unique 48-byte pattern, known as a magic knock, used by the threat actor to identify itself to the backdoor. Once the threat actor is connected, the injected dynamic library creates a file called /tmp/clientsDownload.sock. This Unix socket is used to pass the file descriptors belonging to the threat actor's connections back to the malicious logd process. By doing so, the malware avoids having to open its own port, instead piggybacking on a port nginx already has open; nothing new shows up in a port scan or a listening-socket listing.

The logd process waits for a file descriptor to appear before starting its main backdoor loop. Once the loop begins, SSL is configured to use a local certificate for encrypting the backdoor traffic. This certificate, located at /opt/pancfg/etc/appweb/server.crt, belongs to the management interface of the device, so the backdoor presents the device's own management certificate to the operator. With its SSL instance configured, the backdoor is ready to start its main functionality.

A full description of the backdoor functionality, together with all the payload formats, can be found below.
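The descriptor hand-off described above is the part of this design that makes the implant hard to spot from the network: the injected library never listens itself, it passes an already accepted socket to another process. The following is an added example (not code from the report, and not the malware's code) of that mechanism in Python, using SCM_RIGHTS over a Unix socket exactly as an accept() hook would. It runs both halves in one process with socketpairs standing in for the real TCP listener and /tmp/clientsDownload.sock. The 48-byte knock value is constructed for the demo (the real pattern is not published in this document), and the use of MSG_PEEK to inspect the first bytes without consuming them is an assumption about how the hook decides, not something the report states.

```python
import array
import socket
from typing import Tuple

KNOCK_LEN = 48
# Constructed stand-in for the operator's 48-byte knock; the real bytes are not in this document.
DEMO_KNOCK = bytes(range(0x41, 0x41 + KNOCK_LEN))


def hooked_accept(client: socket.socket, knock: bytes, to_backdoor: socket.socket) -> bool:
    """Stand-in for the injected accept() wrapper inside nginx.

    Peek (MSG_PEEK, an assumption) at the first KNOCK_LEN bytes of a freshly
    accepted connection without consuming them. On a mismatch the connection is
    left untouched for the real server and False is returned. On a match the
    knock is consumed and the socket's file descriptor is handed to the backdoor
    process over the Unix socket with SCM_RIGHTS; True tells the caller that
    nginx must not serve this connection.
    """
    head = client.recv(KNOCK_LEN, socket.MSG_PEEK)
    if head != knock:
        return False
    client.recv(KNOCK_LEN)  # drop the knock so the backdoor sees only the C2 stream
    fds = array.array("i", [client.fileno()])
    to_backdoor.sendmsg([b"\x01"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])
    return True


def receive_connection(from_nginx: socket.socket) -> socket.socket:
    """Stand-in for the logd side: wait for a descriptor on the Unix socket and
    wrap it as a socket object. The kernel duplicates the descriptor into the
    receiving process, so the connection survives nginx closing its own copy."""
    fds = array.array("i")
    _msg, ancdata, _flags, _addr = from_nginx.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[: fds.itemsize])
            return socket.socket(fileno=fds[0])
    raise RuntimeError("no file descriptor received")


def demo(first_bytes: bytes) -> Tuple[bool, bytes]:
    """Run both halves in one process. socketpair() replaces the accepted TCP
    connection and the /tmp/clientsDownload.sock channel. Returns
    (handed_over, data the backdoor read after the knock)."""
    operator, server_side = socket.socketpair()  # the accepted TCP connection
    nginx_end, logd_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    operator.sendall(first_bytes)
    handed = hooked_accept(server_side, DEMO_KNOCK, nginx_end)
    data = b""
    if handed:
        conn = receive_connection(logd_end)
        server_side.close()  # nginx's copy is no longer needed; logd holds its own
        data = conn.recv(64)
        conn.close()
    for s in (operator, server_side, nginx_end, logd_end):
        s.close()
    return handed, data


if __name__ == "__main__":
    print(demo(DEMO_KNOCK + b"hello backdoor"))  # knock matched: logd gets the stream
    print(demo(b"GET / HTTP/1.1\r\n"))            # ordinary request: left for nginx
```

Because the descriptor, not the bytes, crosses the Unix socket, the TLS session that logd then sets up with the management certificate runs directly on the operator's TCP connection; a listing of listening sockets on the device shows only nginx.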

Malware sample details


Hashes and names
8f5956869541804fda72aaeddf7db21586669c22c1b970c5b0d381f9e45c5cf4 injector
83c73a27663954130a605e70bb99d9a0c2ff5d849626b5c6a563207f76e45864 libhttpd.so
5d5945550e6fd54afffa370cadbf92010c9011a49ecd973c3f49e610abc2bffc libhttpd.so.1
9671d82f141950461152b183f02c6d698d16942f7fb10ebb1a02dd90c9e882a6 logd
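For responders who have a disk image or shell access to a suspect device, the hashes above together with the paths named in the summary are enough for a first triage pass. The script below is an added example, not part of the Northwave report: it walks a mounted or extracted PanOS file system, flags any file whose SHA-256 matches one of the four samples, checks for the dropped artifact paths and looks for the rc.local persistence line. packages.py is deliberately not hashed, since the only sound check for it is a diff against the copy from a known-good image of the same version. The directory tree used for the self-test is constructed here and contains placeholder content, not the real samples.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# SHA-256 values listed in this document, keyed to the sample names.
KNOWN_SAMPLES = {
    "8f5956869541804fda72aaeddf7db21586669c22c1b970c5b0d381f9e45c5cf4": "injector",
    "83c73a27663954130a605e70bb99d9a0c2ff5d849626b5c6a563207f76e45864": "libhttpd.so",
    "5d5945550e6fd54afffa370cadbf92010c9011a49ecd973c3f49e610abc2bffc": "libhttpd.so.1",
    "9671d82f141950461152b183f02c6d698d16942f7fb10ebb1a02dd90c9e882a6": "logd",
}
# Paths the summary names as dropped or created by the implant (relative to the image root).
ARTIFACT_PATHS = ["tmp/bwmupdate", "usr/local/bin/logd", "tmp/clientsDownload.sock"]
RC_LOCAL = "etc/rc.local"
PERSISTENCE_MARKER = "/usr/local/bin/logd"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str, known: Optional[Dict[str, str]] = None) -> List[str]:
    """Report (1) regular files whose SHA-256 matches a known sample, (2) the
    presence of the dropped artifact paths and (3) an uncommented rc.local line
    that starts the fake logd. `known` defaults to the hashes from the report."""
    known = KNOWN_SAMPLES if known is None else known
    findings: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_of(path)
            if digest in known:
                findings.append(f"known sample {known[digest]} at /{os.path.relpath(path, root)}")
    for rel in ARTIFACT_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"artifact present: /{rel}")
    rc = os.path.join(root, RC_LOCAL)
    if os.path.isfile(rc):
        with open(rc, errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                if PERSISTENCE_MARKER in line and not line.lstrip().startswith("#"):
                    findings.append(f"rc.local line {lineno} starts {PERSISTENCE_MARKER}")
    return sorted(findings)


def make_demo_image() -> str:
    """Constructed directory tree mimicking a compromised device. File contents
    are placeholders, so the real sample hashes above will not match them."""
    root = tempfile.mkdtemp(prefix="wooltea_demo_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "local", "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "etc", "rc.local"), "w") as f:
        f.write("#!/bin/sh\n/usr/local/bin/logd &\nexit 0\n")
    with open(os.path.join(root, "usr", "local", "bin", "logd"), "wb") as f:
        f.write(b"placeholder, not the real sample\n")
    with open(os.path.join(root, "tmp", "bwmupdate"), "wb") as f:
        f.write(b"placeholder dropper\n")
    return root


if __name__ == "__main__":
    for finding in hunt(make_demo_image()):
        print(finding)
```

Run it against the root of the mounted image rather than a live device where possible: on a live box the implant owns the logd name, and /tmp/clientsDownload.sock only exists while an operator session is active, so its absence proves nothing.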



Functionality

The backdoor provides five core functions, consisting of over 30 associated commands. These commands are received through the hijacked accept() connection following the magic knock, as previously described. The backdoor's functionalities include:

- Reading and writing files
- Providing shell access
- Establishing a network tunnel where only a single listening port can be used but multiple outgoing connections
- Establishing network tunnels where multiple listening ports can be used and multiple outgoing connections
- Setting up a SOCKS5 proxy supporting multiple listening ports and multiple outgoing connections

Command Protocol
Each backdoor node can be administered directly from the operator’s server or through a tunnel.
The protocol used for sending the commands for administering the nodes is the same in either
case. The available command set differs between nodes connected directly to the operator and
ones that act as hops (only connected to other nodes). Operator connections are differentiated
from inter-node links by an identifier field provided in the handshake message. For operator
connections this field is set to zero, for node connections it is set to the initiating node’s id.

This is an example of the protocol (header) that is used for interfacing with a backdoor node:
BASIC FRAME
06 00 de ad ca fe 00 00 00 08 00 00 00 01 00 00 ................
ca fe                                           ..

Command | Outcome | Source identifier | Payload length | Route length | Destination identifier 1

The outcome field in the header is set to zero for success or per-message constants for specific errors. For messages not signaling a result this is always set to zero.

The start of the payload portion of the basic frame can be used to carry routing information. The first part of this routing information is a big-endian 32-bit integer specifying the number of hops in the route, followed by a big-endian 32-bit integer node id for each hop specifying the node it should be routed to. In the sample above the payload length of 8 covers exactly this routing block (one hop, destination 0xcafe); message 6 (Uname Request) carries no further payload. If a node receives a frame with only a single hop it checks that the specified node id matches its own node id and processes the message if so. Non-matches are silently discarded. If the frame contains multiple hops the first one is stripped, and the message is forwarded to that node if the specified node is known by the current node. Non-matches here are also silently discarded.
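The framing and forwarding rule above, as an added example in Python that is not the report's or the malware's code: a round-trip encoder/decoder for the header plus routing block, and the per-hop decision a node makes. Field widths are taken from the 18-byte sample frame (1-byte command, 1-byte outcome, 32-bit source identifier, 32-bit payload length, all big-endian, then the routing block at the start of the payload); the sample bytes are the document's, and the node ids in the multi-hop demo are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# command, outcome, source id, payload length; widths read off the sample frame.
HEADER = struct.Struct(">BBII")

# The document's sample: Uname Request (6), outcome 0, source 0xdeadcafe, one hop to 0xcafe.
SAMPLE_FRAME = bytes.fromhex("06 00 de ad ca fe 00 00 00 08 00 00 00 01 00 00 ca fe")


@dataclass
class Frame:
    command: int
    outcome: int
    source: int
    route: List[int]   # remaining hops, first entry is the next node to handle it
    body: bytes = b""  # message-specific payload after the routing block


def encode(f: Frame) -> bytes:
    routing = struct.pack(">I", len(f.route)) + b"".join(struct.pack(">I", h) for h in f.route)
    payload = routing + f.body
    return HEADER.pack(f.command, f.outcome, f.source, len(payload)) + payload


def decode(raw: bytes) -> Frame:
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    cmd, outcome, src, plen = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload")
    if len(payload) < 4:
        raise ValueError("missing route length")
    nhops = struct.unpack_from(">I", payload)[0]
    if len(payload) < 4 + 4 * nhops:          # length check before trusting the hop count
        raise ValueError("truncated route")
    route = list(struct.unpack_from(">%dI" % nhops, payload, 4))
    return Frame(cmd, outcome, src, route, payload[4 + 4 * nhops:])


def route_frame(my_id: int, peers: Set[int], f: Frame) -> Tuple:
    """The forwarding rule from the text. Returns ("process", frame),
    ("forward", next_node_id, stripped_frame) or ("drop", None).
    A frame with an empty route is treated as invalid and dropped (assumption:
    the document only describes one-hop and multi-hop routes)."""
    if len(f.route) == 1:
        return ("process", f) if f.route[0] == my_id else ("drop", None)
    if len(f.route) > 1:
        nxt, rest = f.route[0], f.route[1:]
        if nxt in peers:
            return ("forward", nxt, Frame(f.command, f.outcome, f.source, rest, f.body))
    return ("drop", None)


if __name__ == "__main__":
    f = decode(SAMPLE_FRAME)
    print(f, encode(f) == SAMPLE_FRAME)
    # Constructed two-hop route: node 0x1111 knows 0xcafe, which must pass it on to 0x2222.
    print(route_frame(0x1111, {0xCAFE}, Frame(9, 0, 0, [0xCAFE, 0x2222])))
```

Note what the rule does not do: a node never validates that the route ends at a node it knows about, so a user can push a frame several hops into the mesh and only the last node decides whether it is the intended recipient.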
In the sections below only the actual message payload is shown. The message header and routing block are omitted for brevity. Not all messages carry a payload; the payload table is omitted for these messages.

For certain types of operations 32-bit integer identifiers are used. These are generated using a PRNG seeded by time(), which makes them predictable rather than secret. Examples of these are connection identifiers used in the various tunnel implementations.

The backdoor can maintain links to other nodes. In order to know on which connection to send messages destined for other (not directly connected) nodes, each node maintains a view of the network. For new and lost connections, messages are sent to communicate this to other nodes. The user node is somewhat special in this respect: each node has one connection which it uses to send messages upstream to the user. If a new user connection is made to a node, it will completely reset the state of the node. The new user will also receive a list of known nodes if more than one node is active on the network. The image below illustrates the concept, where multiple interior nodes use this functionality to connect back to the user.

[Figure: node topology. The user connects to TCP port 4443 on the PanOS device, where libhttpd.so inside the nginx process hands the connection to the logd process over the Unix socket /tmp/clientDownload.sock. From this perimeter node, connections on TCP ports chosen by the user reach a backdoor on some internal device, which in turn connects onward to further backdoors ("turtles all the way down").]



Connection management
The messages in this section are mostly used to implement the inter-node connectivity behavior described in the previous section.

These messages are used to configure inter-node connections. While an inter-node connection could be set up directly to the backdoored port, it is also possible to open new listeners. This would allow the user to open a listener on the inside interface of a perimeter firewall and connect other nodes from inside the perimeter, making the connections look less suspicious.

Message 1: Handshake

This is the first message sent on a connection. The payload length must be zero. The identifier is set to zero for a user connection or to the initiating node's id for an inter-node connection.

Message 2: Node added

Submitted upstream by a node if it gets a new node connection.

NODE ADDED
c2 95 f7 70 de ad ca f1 02 02 00 0a 00 00 e4 fe ...p............

Identifier | Added node identifier | Node address | Node port

Message 3: Node removed

Submitted upstream by a node if it loses a node connection.

NODE REMOVED
cf 9e 6e 72 de ad ca f1 02 02 00 0a 00 00 e5 5e ..nr...........^

Identifier | Removed node identifier | Node address | Node port

Message 4: Node list

Submitted upstream if a user connection is made.

NODE LIST
00 a5 c6 f6 00 00 00 01 de ad ca f1 02 02 00 0a ................
00 00 d9 f7                                     ....

Node identifier | Number of entries | Entry 1 identifier | Entry 1 address | Entry 1 port

Message 37: Node connect

Initiate a node connection to the specified address and port.

NODE CONNECT
01 00 00 7f 10 01 00 00 00 00 00 00 00 00 ..............

Address | Port | Unknown/unused

Message 38: Node listen

Open a TCP port accepting connections from other nodes (or users). If a listening port was already configured it will be shut down.

NODE LISTEN
01 00 00 7f 10 01 ......

Address | Port

Message 39: Node listen response

Sent in response to a Node listen message.

Outcome | Meaning
8 | Failed to open port.
9 | Listener was already active.

Message 40: Node close listener

Close the listener.

Message 6: Uname Request

Request the hostname and kernel revision from the node.

Message 7: Uname Response

Response to Uname Request containing the hostname and kernel revision. As our test setup ran on Debian Linux instead of PanOS it shows a Debian kernel revision. The kernel revision wouldn't show Debian for an actual PanOS device.

UNAME RESPONSE (7)
02 06 00 4a 00 64 65 62 69 61 6e 36 2e 31 2e 30 ...J.debian6.1.0
2d 32 38 2d 61 6d 64 36 34 20 23 31 20 53 4d 50 -28-amd64.#1.SMP
20 50 52 45 45 4d 50 54 5f 44 59 4e 41 4d 49 43 .PREEMPT_DYNAMIC
20 44 65 62 69 61 6e 20 36 2e 31 2e 31 31 39 2d .Debian.6.1.119-
31 20 28 32 30 32 34 2d 31 31 2d 32 32 29 20 78 1.(2024-11-22).x
38 36 5f 36 34                                  86_64

Field count | Hostname length | Version length | Hostname | Version

Message 9: Echo Request

Solicit an echo response from the other side. Also keeps the connection alive.

Message 10: Echo Response

Response to an Echo Request.

Message 32: Close connection

Close the current connection from the node.
Shell
The backdoor supports running commands in a shell. The shell started is “sh”. Output from stdout or
stderr is forwarded to the user with message 13, the payload of any message 13 received will be written
to the shell stdin.

Message 11: Open Shell

Start a shell process.

Message 12: Open Shell Response

Signals whether a shell was successfully opened.

Outcome | Meaning
1 | Shell opened successfully
2 | Failed to open shell

Message 13: Shell Data

Carries data to or from the shell process. Data sent from the user to the shell process gets "\n" appended. The payload "exitshell" is not forwarded, but closes the shell.

SHELL DATA
65 78 69 74 73 68 65 6c 6c exitshell

Data

File
The backdoor supports interacting with files on the system where the backdoor is installed. Write-append and read modes are supported. Only a single file can be open at any time in the backdoor. The backdoor keeps track of the file size and the file pointer using 64-bit integers. These two values are also sent in most file related messages.

Message 14: Open for writing

Open a file for (repeated) writing.

OPEN FILE FOR WRITE APPEND
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c ................
2f 74 6d 70 2f 74 65 73 74                      /tmp/test

File pointer | File size | File name

Message 15: Open and read

Open a file and read its contents back to the C2 server.

OPEN AND READ FILE CONTENTS
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2f 65 74 63 2f 6f 73 2d 72 65 6c 65 61 73 65    /etc/os-release

File pointer | File size | File name

Message 16: Open response

Sent in response to message 14 or 15.

Outcome | Meaning
3 | Error opening file
4 | File pointer beyond end of file

Message 17: File data

Data to write to the file opened using message 14, or data read from the file opened using message 15.

FILE DATA
68 65 6c 6c 6f 20 77 6f 72 6c 64 21 hello.world!

Data

Message 18: Close file

Close the open file.
Tunnel 1
Set up a node on the current device to act as a single-hop tunnel between multiple target IPs and the C2 server. In our sample this functionality appears intentionally broken: two functions called in the tunnel 1 configure message path always return zero, which in turn makes the tunnel 1 configure handler always fail. We believe this could be a compile-time option.

Message 21: Configure tunnel request

Configure and start the tunnel with one listener that forwards traffic to the C2. The configuration takes an internal port to bind to and a bool indicating a UDP or a TCP socket set-up.

TUNNEL1 CONFIGURE REQUEST
00 00 ca fe 00 00 00 00 00 01 01 00 00 7f 10 00 ................

Tunnel ID | Connection ID | Protocol | Listener | Address | Port

Message 22: Tunnel1 Configure response

Sent in response to a Tunnel1 configure request.

Outcome | Meaning
7 | Failure to configure

Message 23: Tunnel1 stop

Stop all forwarders and then stop the tunnel.

Message 24: Tunnel1 connect

Add one reverse connect listener that forwards traffic to the C2. This command uses the IP and port from the configuration set in command 21 to connect to a remote system. By symmetry to the other tunnel implementations, we expected message 25 to be the response, but were unable to find it.

Message 26: Tunnel1 Close single connection

Terminates a single connection by connection ID.

TUNNEL1 CLOSE CONNECTION
00 00 ca fe 00 00 de ad ........

Tunnel ID | Connection ID

Message 27: Tunnel1 send data

Sends data to a connection. The connection is identified by the unique connection ID.

TUNNEL1 DATA
00 00 ca fe 00 00 de ad 44 41 54 41 ........DATA

Tunnel ID | Connection ID | Data
Tunnel 2
Tunnel 2 is remarkably like tunnel 1. The difference is that it supports multiple instances simultaneously, which allows the user to have multiple listening ports open at the same time. Tunnel 2 seems to be a slightly more developed version of tunnel 1 while keeping all the features of tunnel 1. Its commands are also very similar. However, there are still some subtle bugs which prevent it from being used fully; it is not clear whether this is an intentional build configuration or just bugs.

Message 28: Configure tunnel

Set up a tunnel instance. If a tunnel is opened in listening mode it is also actually started by this message. Otherwise, the Tunnel2 connect message needs to be sent to initiate a new connection.

TUNNEL2 CONFIGURE REQUEST
00 00 ca fe 00 00 00 00 00 01 01 00 00 7f 10 00 ................

Tunnel ID | Connection ID | Protocol | Listener | Address | Port

Message 30: Close tunnel

Close the tunnel instance specified by instance id and all associated connections.

Message 32: Tunnel2 connect

Connect the tunnel specified by instance and connection id. The message does nothing for listening tunnel instances.

TUNNEL2 CONNECT
00 00 ca fe 00 00 de ad ........

Tunnel ID | Connection ID

Message 35: Close single connection

Close a single connection by specifying tunnel instance id and connection id.

TUNNEL2 CLOSE CONNECTION
00 00 ca fe 00 00 de ad ........

Tunnel ID | Connection ID

Message 36: Send data over tunnel

This message once again is used bi-directionally. The tunnel instance id and connection id are passed to identify the connection.

TUNNEL2 DATA
00 00 ca fe 00 00 de ad 44 41 54 41 ........DATA

Tunnel ID | Connection ID | Data

SOCKS5
A basic SOCKS5 implementation. It is not truly a SOCKS5 proxy implementation, as data is backhauled over the node network, but it does support listening for SOCKS5 clients.

Listening instances expect SOCKS5 clients to connect. If authentication is configured the client needs to provide the configured username and password. Once authenticated the client can request a connection; this request is forwarded over the C2 channel and must be accepted by the user. If accepted, further data is forwarded over the C2 channel.

Message 42: SOCKS5 configure

Configure a proxy instance. Both listening and outgoing instances can be configured at the same time.

SOCKS5 CONFIGURE
00 00 ca fe 01 00 00 00 00 05 39 02 06 78 69 73 ..........9..xis
65 6b 72 31 74                                  ekr1t

Tunnel ID | Listener | Address | Port | Username length | Password length | Username | Password

Message 43: SOCKS5 configure response

Response to the configure message. It contains the allocated tunnel id which must be used in further messages.

Message 44: SOCKS5 close

Close an instance and all associated connections.

SOCKS5 CLOSE
00 00 ca fe ....

Tunnel ID

Message 46: SOCKS5 connect

Create an outgoing connection on a non-listening instance. Can be used bi-directionally.

SOCKS5 CONNECT (46)
00 00 ca fe 00 00 de ad 00 01 10 00 00 7f 00 00 ................
01                                              .

Tunnel ID | Connection ID | Protocol | Address type | Port | Unknown | Address

Message 47: SOCKS5 connect response

Response to a connect message. Can be used bi-directionally.

SOCKS5 CONNECT RESPONSE
00 00 ca fe 00 00 de ad ........

Tunnel ID | Connection ID

Message 48: SOCKS5 data

SOCKS5 DATA
00 00 ca fe 00 00 de ad 44 41 54 41 ........DATA

Tunnel ID | Connection ID | Data

Message 49: SOCKS5 close connection

SOCKS5 CLOSE CONNECTION
00 00 ca fe 00 00 de ad ........

Tunnel ID | Connection ID
SOCKS5 CONNECT RESPONSE
Tunnel ID Connection ID data
Message
00 00 ca fe48:
Message 47: SOCKS5
SOCKS5
00 00 de ad connect response........
Message
SOCKS5
Tunnel
SOCKS5
48:
ID DATA
SOCKS5 data
ConnectionRESPONSE
CONNECT ID
Message
00 00 ca fe48:
00 00 ca fe
00 00
00 00SOCKS5
de ad 44 data
de ad
41 54 41 ........DATA
........
SOCKS5 DATA
Message
Carries
Tunnel
data
ID fe
00 00 ca 48:
for SOCKS5
the
Connection
00 00 specified
ID 44
de ad data
tunnel
Data
41 54 41and connection id. It can be used bi-directionally.
........DATA
Tunnel ID
Socks5 DataConnection ID
Message
SOCKS5
Tunnel 49: SOCKS5
ID DATA
Connection close connection
ID Data
Message
00 00 ca fe48:
Message 49: SOCKS5
00 00 de ad 44 data
SOCKS5
41 54 41
close connection
........DATA
SOCKS5 CLOSE CONNECTION
Tunnel
SOCKS5 ID fe
00 00 ca Connection
DATA ID Data
00 00 de ad ........
SOCKS5
Message
00 CLOSE
00 ca fe 00 00CONNECTION
49: SOCKS5 close connection........DATA
de ad 44 41 54 41
Tunnel ID Connection ID
00 00 ca fe 00 00 de ad ........
Tunnel ID Connection
Message 49: SOCKS5ID Data
close connection
SOCKS5
Tunnel ID CLOSE CONNECTION
Connection ID
Message
Close
00 00aca fe49: SOCKS5
connection
00 00 by close
de specifying
ad connection
tunnel and connection id.
........

Socks5 Close Connection


Tunnel
SOCKS5ID CLOSE
Connection ID
CONNECTION
00 00 ca fe 00 00 de ad ........

Tunnel ID Connection ID

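To make the message layouts above concrete, here is an added decoder (example code written for this page, not the report's tooling and not the malware's code) that parses the report's example payloads for messages 36, 42, 44, 46, 47, 48 and 49. Field widths are read from the example byte strings; treating multi-byte integers as big-endian, address type 1 as a 4-byte IPv4 address, and the message number as supplied by an outer framing layer that this section does not show are assumptions of the example. When reviewing captured tunnel traffic from a compromised device, a strict decoder like this is preferable to ad-hoc slicing because it rejects payloads that do not fit the documented layout instead of silently misreading them.

```python
"""Decoder for the SOCKS5 tunnel message layouts described above.
Added example: not the report's tooling and not the malware's code.
Assumptions: multi-byte integers are big-endian; address type 1 is a 4-byte
IPv4 address; the message number comes from outer framing not shown here."""
import struct
from typing import Any, Dict

# Message numbers exactly as the report labels them.
MSG_TUNNEL2_DATA = 36
MSG_SOCKS5_CONFIGURE = 42
MSG_SOCKS5_CLOSE = 44
MSG_SOCKS5_CONNECT = 46
MSG_SOCKS5_CONNECT_RESPONSE = 47
MSG_SOCKS5_DATA = 48
MSG_SOCKS5_CLOSE_CONNECTION = 49
_KNOWN = {36, 42, 44, 46, 47, 48, 49}


class MalformedMessage(ValueError):
    """Payload does not fit the layout documented for its message number."""


class _Reader:
    """Bounds-checked cursor over a payload: every read fails loudly on truncation."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int, what: str) -> bytes:
        if self.pos + n > len(self.buf):
            raise MalformedMessage(
                f"truncated {what}: need {n} bytes at offset {self.pos}, "
                f"have {len(self.buf) - self.pos}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self, what: str) -> int:
        return self.take(1, what)[0]

    def u16(self, what: str) -> int:  # big-endian is an assumption of this example
        return struct.unpack(">H", self.take(2, what))[0]

    def u32(self, what: str) -> int:  # big-endian is an assumption of this example
        return struct.unpack(">I", self.take(4, what))[0]

    def rest(self) -> bytes:
        chunk, self.pos = self.buf[self.pos:], len(self.buf)
        return chunk

    def finish(self, what: str) -> None:
        """Fixed-length layouts must consume the payload exactly."""
        if self.pos != len(self.buf):
            raise MalformedMessage(f"{what}: {len(self.buf) - self.pos} trailing byte(s)")


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_message(msg_id: int, payload: bytes) -> Dict[str, Any]:
    """Decode one payload according to the documented layout for msg_id."""
    if msg_id not in _KNOWN:
        raise MalformedMessage(f"unknown message number {msg_id}")
    r = _Reader(payload)
    out: Dict[str, Any] = {"msg_id": msg_id, "tunnel_id": r.u32("tunnel id")}
    if msg_id == MSG_SOCKS5_CLOSE:                        # Tunnel ID only
        r.finish("SOCKS5 close")
        return out
    if msg_id == MSG_SOCKS5_CONFIGURE:
        out["listener"] = r.u8("listener flag")
        out["address"] = _ipv4(r.take(4, "address"))
        out["port"] = r.u16("port")
        ulen, plen = r.u8("username length"), r.u8("password length")
        out["username"] = r.take(ulen, "username").decode("latin-1")
        out["password"] = r.take(plen, "password").decode("latin-1")
        r.finish("SOCKS5 configure")
        return out
    # Every remaining message carries Tunnel ID followed by Connection ID.
    out["connection_id"] = r.u32("connection id")
    if msg_id in (MSG_TUNNEL2_DATA, MSG_SOCKS5_DATA):
        out["data"] = r.rest()                            # variable-length tail
    elif msg_id == MSG_SOCKS5_CONNECT:
        out["protocol"] = r.u8("protocol")
        out["address_type"] = r.u8("address type")
        out["port"] = r.u16("port")
        out["unknown"] = r.u8("unknown")
        if out["address_type"] != 1:                      # only the documented case
            raise MalformedMessage(f"unsupported address type {out['address_type']}")
        out["address"] = _ipv4(r.take(4, "address"))
        r.finish("SOCKS5 connect")
    else:                                                 # 47 and 49: nothing after the ids
        r.finish("SOCKS5 connect response / close connection")
    return out


# The example payloads printed in the report, keyed by message number.
PAGE_EXAMPLES: Dict[int, bytes] = {
    MSG_TUNNEL2_DATA: bytes.fromhex("00 00 ca fe 00 00 de ad 44 41 54 41"),
    MSG_SOCKS5_CONFIGURE: bytes.fromhex(
        "00 00 ca fe 01 00 00 00 00 05 39 02 06 78 69 73 65 6b 72 31 74"),
    MSG_SOCKS5_CLOSE: bytes.fromhex("00 00 ca fe"),
    MSG_SOCKS5_CONNECT: bytes.fromhex("00 00 ca fe 00 00 de ad 00 01 10 00 00 7f 00 00 01"),
    MSG_SOCKS5_CONNECT_RESPONSE: bytes.fromhex("00 00 ca fe 00 00 de ad"),
    MSG_SOCKS5_DATA: bytes.fromhex("00 00 ca fe 00 00 de ad 44 41 54 41"),
    MSG_SOCKS5_CLOSE_CONNECTION: bytes.fromhex("00 00 ca fe 00 00 de ad"),
}


def decode_page_examples() -> Dict[int, Dict[str, Any]]:
    return {mid: decode_message(mid, raw) for mid, raw in PAGE_EXAMPLES.items()}


if __name__ == "__main__":
    for mid, fields in decode_page_examples().items():
        print(mid, fields)
```

Under the big-endian assumption the configure example decodes to a listener on 0.0.0.0 port 1337 with username "xi" and password "sekr1t", and the connect example to an outgoing connection to 127.0.0.1 port 4096; a truncated or over-long fixed-size message raises MalformedMessage rather than producing a partial record.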
References
1. https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence/

2. https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities

3. https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/



About Northwave Cyber Security
Founded in 2006, Northwave Cyber Security is the leading Dutch interdisciplinary
specialist in cyber security, with offices in Utrecht, Leipzig, and Brussels. With their
managed cyber security services, they enable European clients to remain in control
while placed under the permanent protection of their confident cyber crew. Their
integrated approach towards cyber risk mitigation delivers solid security and aims
for cyber awareness and resilience.

Get in contact with us


Currently facing a security incident?
Call day and night: 00800 1744 000

Contact
E: [email protected]
T: +31 (0) 30 303 1240
W: northwave-cybersecurity.com
