LIGHTWIRE

LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.^[1]^[2]

ID: S1119

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Version: 1.0

Created: 07 March 2024

Last Modified: 28 March 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	LIGHTWIRE can use HTTP for C2 communications.^[1]
Enterprise	T1554		Compromise Host Software Binary	LIGHTWIRE can imbed itself into the legitimate `compcheckresult.cgi` component of Ivanti Connect Secure VPNs to enable command execution.^[2]^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	LIGHTWIRE can RC4 decrypt and Base64 decode C2 commands.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	LIGHTWIRE can RC4 encrypt C2 commands.^[1]
Enterprise	T1505	.003	Server Software Component: Web Shell	LIGHTWIRE is a web shell capable of command execution and establishing persistence on compromised Ivanti Secure Connect VPNs.^[1]

Campaigns

ID	Name	Description
C0029	Cutting Edge	^[1]

References

Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.

McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.

LIGHTWIRE

Enterprise Layer

Techniques Used

Campaigns

References