ZIPLINE

ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality.^[1]

ID: S1114

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Version: 1.0

Created: 01 March 2024

Last Modified: 01 March 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1090		代理	ZIPLINE can create a proxy server on compromised hosts.^[1]^[2]
Enterprise	T1573	.001	加密通道: Symmetric Cryptography	ZIPLINE can use AES-128-CBC to encrypt data for both upload and download.^[2]
Enterprise	T1059	.004	命令与脚本解释器: Unix Shell	ZIPLINE can use `/bin/sh` to create a reverse shell and execute commands.^[1]
Enterprise	T1562	.001	妨碍防御: Disable or Modify Tools	ZIPLINE can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool if the `--exclude` parameter is passed by the `tar` process.^[1]
Enterprise	T1083		文件和目录发现	ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands.^[1]
Enterprise	T1205		流量激活	ZIPLINE can identify a specific string in intercepted network traffic, `SSH-2.0-OpenSSH_0.3xx.`, to trigger its command functionality.^[1]
Enterprise	T1105		输入工具传输	ZIPLINE can download files to be saved on the compromised system.^[1]^[2]
Enterprise	T1057		进程发现	ZIPLINE can identify running processes and their names.^[1]
Enterprise	T1095		非应用层协议	ZIPLINE can communicate with C2 using a custom binary protocol.^[2]

Campaigns

ID	Name	Description
C0029	Cutting Edge	^[1]

References

McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.

Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.