PITSTOP

PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.^[1]

ID: S1123

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Version: 1.0

Created: 13 March 2024

Last Modified: 17 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	PITSTOP has the ability to receive shell commands over a Unix domain socket.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	PITSTOP can deobfuscate base64 encoded and AES encrypted commands.^[1]
Enterprise	T1573	.002	Encrypted Channel: Asymmetric Cryptography	PITSTOP has the ability to communicate over TLS.^[1]
Enterprise	T1559		Inter-Process Communication	PITSTOP can listen over the Unix domain socket located at `/data/runtime/cockpit/wd.fd`.^[1]
Enterprise	T1205	.002	Traffic Signaling: Socket Filters	PITSTOP can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located at `/data/runtime/cockpit/wd.fd` for a predefined magic byte sequence. PITSTOP can then duplicate the socket for further communication over TLS.^[1]

Campaigns

ID	Name	Description
C0029	Cutting Edge	^[1]

References

Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.

PITSTOP

Enterprise Layer

Techniques Used

Campaigns

References