Line Runner is a persistent backdoor and web shell for Cisco ASA devices that allows threat actors to upload and execute arbitrary Lua scripts. Line Runner was used in the ArcaneDoor campaign.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1557 | Adversary-in-the-Middle | Line Runner intercepts HTTP requests to the victim Cisco ASA, looking for a request carrying a 32-character, victim-dependent parameter. If that parameter matches the value embedded in the malware, the payload contained in the request is written to a Lua script and executed.[2]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Line Runner operates as an HTTP-based Lua backdoor on victim devices.[2][1]
Enterprise | T1059.011 | Command and Scripting Interpreter: Lua | Line Runner uses Lua scripts for command execution.[2][1]
Enterprise | T1041 | Exfiltration Over C2 Channel | Line Runner uses HTTP to retrieve and exfiltrate information staged by Line Dancer.[2]
Enterprise | T1070.004 | Indicator Removal: File Deletion | Line Runner removes its initial ZIP delivery archive after processing the enclosed Lua script.[2]
Enterprise | T1027.015 | Obfuscated Files or Information: Compression | Line Runner is delivered as a ZIP archive; on initial execution via CVE-2024-20359 the archive is automatically extracted and the enclosed Lua script is executed.[2]
Enterprise | T1653 | Power Settings | Line Runner used CVE-2024-20353 to trigger a reboot of the victim device, during which the ZIP archive is unpacked and the persistent Line Runner payload is installed.[2]
Enterprise | T1505.003 | Server Software Component: Web Shell | Line Runner is a persistent Lua-based web shell.[1]
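The T1557 row above says only that the trigger is a request carrying a 32-character, victim-dependent parameter, so a defender cannot match on the parameter name itself. The Python below is an added example, not code from this page, Cisco or Talos: it applies the heuristic a hunt would use, parsing HTTP request lines and flagging any query-string name or value that is exactly 32 alphanumeric characters. The request lines, WebVPN paths and token values are constructed for the demo. The input is assumed to be request lines recovered from a packet capture or reverse proxy in front of the device, since ASA syslog does not carry query strings. Expect false positives from legitimate 32-character hex values (MD5 cache-busters, session IDs); the fourth sample request is there to show one, so baseline the results against normal traffic to the device before alerting on them.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A Line Runner trigger is a request carrying a 32-character, victim-dependent
# parameter. The exact name is unknown to a defender, so the hunt flags any
# query-string name or value that is exactly 32 alphanumeric characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{32}$")

# Constructed request lines for the demo (not from a real capture or incident).
# Paths use the ASA WebVPN prefixes; every token below is made up.
SAMPLE_REQUESTS = [
    "GET /+CSCOE+/logon.html HTTP/1.1",
    "GET /+CSCOE+/logon.html?a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5 HTTP/1.1",
    "POST /+webvpn+/index.html?token=ZmFrZXRva2VuZm9yZGVtb25zdHJhdGlvbjE HTTP/1.1",
    "GET /+CSCOU+/csco_logo.gif?v=00112233445566778899aabbccddeeff HTTP/1.1",
    "GET /css/style.css?v=3.1 HTTP/1.1",
]


def extract_query_params(request_line):
    """Split an HTTP request line into (path, [(name, value), ...]).

    keep_blank_values=True matters here: a bare ``?<token>`` with no ``=``
    must surface as a parameter name with an empty value, not be dropped.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None, []
    url = urlsplit(parts[1])
    return url.path, parse_qsl(url.query, keep_blank_values=True)


def is_token_like(text):
    """True when text is exactly 32 alphanumeric characters."""
    return TOKEN_RE.fullmatch(text) is not None


def scan(request_lines):
    """Return one finding per request whose query has a 32-char name or value."""
    findings = []
    for line in request_lines:
        path, params = extract_query_params(line)
        for name, value in params:
            if is_token_like(name):
                where, token = "name", name
            elif is_token_like(value):
                where, token = "value", value
            else:
                continue
            findings.append(
                {"request": line, "path": path, "where": where, "token": token}
            )
            break  # one finding per request is enough for triage
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"[{hit['where']}] {hit['path']} token={hit['token']}")
```

Findings that carry the token in the parameter name with an empty value, as in the second sample request, are the closer match to the behaviour described; a 32-character value on a known cache-busting parameter is far more often benign.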
ID | Name | Description
---|---|---
C0046 | ArcaneDoor | Line Runner was used during the ArcaneDoor campaign.[1][2]