Chinese Hackers Exploiting VPN Flaws to Deploy KrustyLoader Malware

By neub9



Jan 31, 2024

Newsroom

Cyber Attack / Network Security

A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that’s used to drop the open-source Sliver adversary simulation tool.

The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused in tandem to achieve unauthenticated remote code execution on susceptible appliances.

As of January 26, patches for the two flaws have been delayed, although the software company has released a temporary mitigation through an XML file.

Volexity, which first shed light on the shortcomings, said they have been weaponized as zero-days since December 3, 2023, by a Chinese nation-state threat actor it tracks under the name UTA0178. Google-owned Mandiant has assigned the moniker UNC5221 to the group.

Following public disclosure earlier this month, the vulnerabilities have come under broad exploitation by other adversaries to drop XMRig cryptocurrency miners as well as Rust-based malware.

Synacktiv’s analysis of the Rust malware, codenamed KrustyLoader, has revealed that it functions as a loader to download Sliver from a remote server and execute it on the compromised host.


Image Credit: Recorded Future

Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that has emerged as a lucrative option for threat actors in comparison to other well-known alternatives like Cobalt Strike.

That said, Cobalt Strike continues to be the top offensive security tool observed among attacker-controlled infrastructure in 2023, followed by Viper and Meterpreter, according to a report published by Recorded Future earlier this month.

“Both Havoc and Mythic have also become relatively popular but are still observed in far lower numbers than Cobalt Strike, Meterpreter, or Viper,” the company said. “Four other well-known frameworks are Sliver, Havoc, Brute Ratel (BRc4), and Mythic.”
