WIREFIRE

WIREFIRE is a web shell written in Python that exists as trojanized logic in the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.[1]

ID: S1115
Associated Software: GIFTEDVISITOR
Type: MALWARE
Platforms: Network
Version: 1.0
Created: 04 March 2024
Last Modified: 05 March 2024

Associated Software Descriptions

Name Description
GIFTEDVISITOR [2]

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

WIREFIRE can respond to specific HTTP POST requests to /api/v1/cav/client/visits.[1][2]

Enterprise T1554 Compromise Host Software Binary

WIREFIRE can modify the visits.py component of Ivanti Connect Secure VPNs for file download and arbitrary command execution.[1][2]

Enterprise T1132.001 Data Encoding: Standard Encoding

WIREFIRE can Base64 encode process output sent to C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP POST requests.[1]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

WIREFIRE can AES encrypt process output sent from compromised devices to C2.[1]

Enterprise T1105 Ingress Tool Transfer

WIREFIRE has the ability to download files to compromised devices.[1]

Enterprise T1505.003 Server Software Component: Web Shell

WIREFIRE is a web shell that can download files to and execute arbitrary commands from compromised Ivanti Connect Secure VPNs.[1]
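A defender-side triage script for the trojanized-component pattern this entry describes (T1554 together with T1140, T1132.001, T1573.001 and T1505.003), added here as an example and not code from WIREFIRE, Ivanti or MITRE: it checks a Python web component for hash drift from an install-time baseline and for the co-occurrence of the capabilities listed above (Base64 encoding, AES, decompression, command execution). The file contents and the baseline hash are constructed; the real visits.py is not on this page.

```python
import ast
import hashlib

# Capability markers this entry attributes to the implant, grouped by technique.
MARKERS = {
    "encode T1132.001": {"base64"},
    "aes T1573.001": {"Crypto.Cipher", "Cryptodome.Cipher", "cryptography.hazmat"},
    "decompress T1140": {"zlib", "gzip", "bz2", "lzma"},
    "exec T1505.003": {"subprocess", "os.popen", "os.system", "exec", "eval"},
}

def referenced_names(src):
    """Collect imported modules and called dotted names; the source is parsed, never run."""
    names = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            names.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module)
        elif isinstance(node, ast.Call):
            names.add(ast.unparse(node.func))
    return names

def matched_capabilities(src):
    """Map each technique label to the marker names actually present in the source."""
    found = referenced_names(src)
    hits = {}
    for label, markers in MARKERS.items():
        seen = sorted(m for m in markers
                      if any(n == m or n.startswith(m + ".") for n in found))
        if seen:
            hits[label] = seen
    return hits

def triage(src, baseline_sha256):
    """Flag a component that drifted from its baseline AND bundles >= 3 capabilities."""
    digest = hashlib.sha256(src.encode()).hexdigest()
    caps = matched_capabilities(src)
    return {"drift": digest != baseline_sha256, "capabilities": caps,
            "suspicious": digest != baseline_sha256 and len(caps) >= 3}

# Constructed samples (not the real visits.py); 'cmd' is deliberately undefined.
CLEAN = "import json\ndef visits(req):\n    return json.dumps({'ok': True})\n"
TROJANIZED = ("import base64, zlib, subprocess\nfrom Crypto.Cipher import AES\n"
              "def visits(req):\n    body = zlib.decompress(req.data)\n"
              "    out = subprocess.check_output(cmd)\n"
              "    return base64.b64encode(out)\n")
BASELINE = hashlib.sha256(CLEAN.encode()).hexdigest()  # stands in for the install-time hash

if __name__ == "__main__":
    for name, src in (("clean", CLEAN), ("trojanized", TROJANIZED)):
        print(name, triage(src, BASELINE))
```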

Campaigns

ID Name Description
C0029 Cutting Edge [1]

References