BUSHWALK

BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.^[1]^[2]

ID: S1118

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Version: 1.0

Created: 07 March 2024

Last Modified: 28 March 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1554		Compromise Host Software Binary	BUSHWALK can embed into the legitimate `querymanifest.cgi` file on compromised Ivanti Connect Secure VPNs.^[1]^[2]
Enterprise	T1140		Deobfuscate/Decode Files or Information	BUSHWALK can Base64 decode and RC4 decrypt malicious payloads sent through a web request’s command parameter.^[1]^[2]
Enterprise	T1105		Ingress Tool Transfer	BUSHWALK can write malicious payloads sent through a web request’s command parameter.^[1]^[2]
Enterprise	T1027		Obfuscated Files or Information	BUSHWALK can encrypt the resulting data generated from C2 commands with RC4.^[1]
Enterprise	T1505	.003	Server Software Component: Web Shell	BUSHWALK is a web shell that has the ability to execute arbitrary commands or write files.^[1]
Enterprise	T1205		Traffic Signaling	BUSHWALK can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests.^[2]

Campaigns

ID	Name	Description
C0029	Cutting Edge	^[1]^[2]

References

Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.

Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.

BUSHWALK

Enterprise Layer

Techniques Used

Campaigns

References