LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.^[1]

ID: S1121

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Version: 1.0

Created: 13 March 2024

Last Modified: 17 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1554		Compromise Host Software Binary	LITTLELAMB.WOOLTEA can append malicious components to the `tmp/tmpmnt/bin/samba_upgrade.tar` archive inside the factory reset partition in attempt to persist post reset.^[1]
Enterprise	T1543		Create or Modify System Process	LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background.^[1]
Enterprise	T1573	.002	Encrypted Channel: Asymmetric Cryptography	LITTLELAMB.WOOLTEA can communicate over SSL using the private key from the Ivanti Connect Secure web server.^[1]
Enterprise	T1083		File and Directory Discovery	LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of `/tmp/data/root/dev`.^[1]
Enterprise	T1095		Non-Application Layer Protocol	LITTLELAMB.WOOLTEA can function as a stand-alone backdoor communicating over the `/tmp/clientsDownload.sock` socket.^[1]
Enterprise	T1090		Proxy	LITTLELAMB.WOOLTEA has the ability to function as a SOCKS proxy.^[1]
Enterprise	T1082		System Information Discovery	LITTLELAMB.WOOLTEA can check the type of Ivanti VPN device it is running on by executing `first_run()` to identify the first four bytes of the motherboard serial number.^[1]

Campaigns

ID	Name	Description
C0029	Cutting Edge	^[1]

References

Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.

LITTLELAMB.WOOLTEA

Enterprise Layer

Techniques Used

Campaigns

References