FRAMESTING

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.^[1]

ID: S1120

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Version: 1.0

Created: 08 March 2024

Last Modified: 08 March 2024

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	FRAMESTING can retrieve C2 commands from values stored in the `DSID` cookie from the current HTTP request or from decompressed zlib data within the request's `POST` data.^[1]
Enterprise	T1059	.006	Command and Scripting Interpreter: Python	FRAMESTING is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package.^[1]
Enterprise	T1554		Compromise Host Software Binary	FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in `/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py.`^[1]
Enterprise	T1001		Data Obfuscation	FRAMESTING can send and receive zlib compressed data within `POST` requests.^[1]
		.003	Protocol or Service Impersonation	FRAMESTING uses a cookie named `DSID` to mimic the name of a cookie used by Ivanti Connect Secure appliances for maintaining VPN sessions.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	FRAMESTING can decompress data received within `POST` requests.^[1]
Enterprise	T1505	.003	Server Software Component: Web Shell	FRAMESTING is a web shell capable of enabling arbitrary command execution on compromised Ivanti Connect Secure VPNs.^[1]

ID	Name	Description
C0029	Cutting Edge	^[1]