Keypoints
- ArcaneDoor is an espionage-focused campaign targeting perimeter devices (Cisco ASA) using bespoke implants named Line Dancer (memory-only) and Line Runner (persistent).
- Line Dancer is a memory-resident shellcode interpreter hooked via the host-scan-reply handler to run base64-encoded payloads and interact over POST without normal authentication.
- Line Runner achieves persistence by leveraging a legacy client_bundle*.zip pre-load behavior executed at boot (CVE-2024-20359); in at least one case an ASA reboot (CVE-2024-20353) was abused to trigger installation.
- Observed malicious actions include disabling syslog, exfiltrating show configuration outputs and packet captures, executing CLI configuration commands, hooking crash dump to force reboot, and bypassing AAA to create VPN access and export certs.
- Detection/remediation: apply Cisco patches for CVE-2024-20353 and CVE-2024-20359, inspect disk0: for unexpected .zip files, run “show memory region | include lina”, avoid creating core dumps or rebooting if compromise is suspected, and use Snort SIDs 45575, 62949, 63139 for network detection.
MITRE Techniques
- [T1037] Boot or Logon Autostart Execution – Line Runner leverages the ASA boot behavior that unzips and executes a client_bundle*.zip at boot to persist: [‘If the file exists, it will unzip it and execute the script csco_config.lua.’]
- [T1653] Abuse Elevation/Resource Reboot (reboot to trigger payload) – Actor abused a vulnerability to reboot devices to trigger ZIP unpack/install (CVE-2024-20353): [‘attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing the second component’]
- [T1140] Deobfuscation/Decoding – The host-scan-reply hook decodes base64 payloads before executing them: [‘it base64-decodes the payload, copies it into the attacker’s writable and executable memory region, and then calls the newly decoded function.’]
- [T0874] Hooking/Function Hooking – The attacker replaces the processHostScanReply() pointer to run their decoder/runner: [‘the entry that should point to processHostScanReply() now instead points to the attacker’s function that decodes and runs its payload.’]
- [T1562/001] Impair Defenses: Disable or Modify System Logging – The implant disables syslog and tampers with AAA to hide activity: [‘Disable syslog.’]
- [T1055] Process Injection – Line Dancer injects and executes shellcode in memory to run commands and hook system functions: [‘memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads.’]
- [T1059] Command and Scripting Interpreter – The actor executes CLI commands and configuration mode commands via shellcode (including write mem): [‘Execute CLI commands present in shellcode; this includes configuration mode commands and the ability to save them to memory (write mem).’]
- [T1556] Modify Authentication Process – Hooking AAA and implementing a “magic number” or exporting P12 blobs to bypass AAA and create VPN tunnels: [‘Hook the AAA function to allow for a magic number authentication capability… a P12 blob is generated along with an associated certificate and exfiltrated.’]
- [T1070/004] Indicator Removal on Host: File Deletion – The persistence scripts remove traces and the ZIP file after processing to evade detection: [‘Once processed, the ZIP file is deleted.’]
- [T1557] Man-in-the-Middle / HTTP Interception – Line Runner intercepts HTTP requests and executes payloads from 32-character parameters as its C2 mechanism: [‘Intercepts HTTP requests to the ASA… payload contained within one of these parameters is written to a Lua script and executed.’]
- [T1071/001] Application Layer Protocol: Web Protocols (HTTP) – Command-and-control and backdoor communication occur over HTTP(S) parameters: [‘This is the backdoor’s command and control mechanism.’]
- [T1102/003] One-way Communication (HTTP long-poll/backdoor) – The backdoor implements a one-way HTTP-based Lua backdoor that listens for victim-specific parameters to execute payloads: [‘looks for an HTTP request with a set of 32-character parameters that are victim-dependent.’]
- [T1041] Exfiltration Over C2 Channel – Actors staged and retrieved configuration and packet captures for exfiltration via the implants’ C2: [‘Run and exfiltrate the command show configuration… Create and exfiltrate packet captures.’]
- [T1040] Network Sniffing – The implants create packet captures on the ASA for traffic monitoring/exfiltration: [‘Create and exfiltrate packet captures.’]
Indicators of Compromise
- [IP addresses] Actor-controlled and multi-tenant infrastructure used for C2/management – examples: 192.36.57[.]181, 185.167.60[.]85, and many others listed in the IOCs (see linked IOC file).
- [File names / ZIP] Persistence and payload artifacts placed on disk0: – examples: client_bundle.zip (installer), client_bundle_install.zip (indicator of Line Runner), and csco_config.lua (boot-executed script).
- [Lua/script files] Backdoor and installer scripts observed in ZIP contents – examples: csco_config2.lua, laecsnw.txt (temporary replacement script), and stgvdr.txt (runs as /asa/scripts/lina_cs).
- [SSL certificate pattern] Actor infrastructure used self-signed OpenConnect certificates – example pattern: issuer/subject O=ocserv,CN=ocserv VPN, serial 0000000000000000000000000000000000000002.
- [Detection signatures] Network detection SIDs for Snort/IDS – examples: 45575 (Line Dancer interaction), 62949 (Line Runner persistence interaction), 63139 (CVE-2024-20353 DOS/Reboot).
The technical chain comprises two distinct implants: Line Dancer is a memory-resident shellcode interpreter that the attacker installs by overwriting the function pointer for the host-scan-reply handler. The implant inspects a 32-byte token, base64-decodes a payload, copies it into an executable memory region and runs it, enabling unauthenticated POST-based interaction with SSL VPN/IPsec/HTTPS-enabled ASAs. Using this mechanism the actor executed configuration commands (including write mem), disabled syslog, captured and exfiltrated show configuration output and packet captures, hooked the crash-dump routine to force a reboot (to destroy forensic artifacts), and hijacked AAA to enable a “magic number” authentication or to generate and exfiltrate P12 certificates for certificate-based VPN access.
Line Runner provides persistence by abusing a legacy ASA behavior that unzips and runs a client_bundle*.zip at boot (CVE-2024-20359). The ZIP contains csco_config.lua and supporting files that create disk0:/csco_config webcontent, prepend/replace init scripts, move the original bundle to /run/lock/subsys/krbkdc6, and install an HTTP-intercepting Lua backdoor that executes payloads presented as victim-specific 32-character HTTP parameters. In observed cases the actor leveraged CVE-2024-20353 to force reboots that trigger the ZIP installation, and the persistence chain removes artifacts after execution to hinder detection.
Detection and response steps: apply Cisco fixes for CVE-2024-20353 and CVE-2024-20359 immediately; inspect disk0: after updating for unexpected .zip files (e.g., client_bundle_install.zip) and extract/copy any found ZIPs for analysis; use “show memory region | include lina” to detect extra executable regions (look for r-xp regions, especially 0x1000-size sections); do not collect a core dump or reboot if lina indicators suggest compromise; follow Cisco ASA forensic guidance and open a case with TAC if you find actor IP connections or modified crash-dump behavior. Network detection is available via Snort SIDs 45575, 62949, 63139 and additional IDS/telemetry that can detect the implants’ POST/HTTP activity when TLS is decrypted for inspection.
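The two host-side checks in the detection guidance (extra executable regions in the lina process, and unexpected ZIP files on disk0:) lend themselves to a small triage script. The following is an added example, not Cisco or Talos tooling: it runs over text an operator has already captured from the device, so nothing is executed on the ASA itself. The sample captures are constructed to resemble Linux /proc/<pid>/maps output and an ASA directory listing; the exact ASA output format, the baseline of one expected executable region, and the 0x1000-byte footprint as a flagging threshold are assumptions taken from the guidance above, so a hit should be compared against a known-good device of the same software version before escalating.

```python
"""Triage helpers for the ArcaneDoor detection steps described above.
Added example; not Cisco's or Talos's own tooling. It applies two checks
from the guidance to text an operator has already captured from the ASA:
  1. `show memory region | include lina`: flag executable (r-xp) mappings
     beyond the expected baseline, and any 0x1000-byte r-xp region.
  2. `dir disk0:`: flag unexpected .zip files, especially client_bundle*.zip.
The sample outputs are constructed to resemble Linux /proc/<pid>/maps and
an ASA directory listing; exact ASA formatting is an assumption.
"""
import re
from dataclasses import dataclass

# Assumed maps-style line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})"
    r"\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$", re.IGNORECASE)
IMPLANT_REGION_SIZE = 0x1000      # region size called out in the guidance
EXPECTED_EXEC_REGIONS = 1         # assumption: lina's own text segment only


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_regions(text: str) -> list[Region]:
    """Parse maps-style lines; lines that do not match are ignored."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"].lower(), m["path"].strip()))
    return regions


def suspicious_exec_regions(regions, baseline=EXPECTED_EXEC_REGIONS):
    """Return (region, reason) pairs for executable mappings worth a closer look."""
    exec_regions = [r for r in regions if "x" in r.perms]
    findings = []
    for r in exec_regions:
        reasons = []
        if r.size == IMPLANT_REGION_SIZE:
            reasons.append("page-sized (0x1000) executable region")
        if not r.path:
            reasons.append("executable region with no backing file")
        if reasons:
            findings.append((r, "; ".join(reasons)))
    if len(exec_regions) > baseline and not findings:
        # More executable regions than expected but none individually odd:
        # still report the extras so an analyst compares with a clean device.
        findings.extend((r, "exceeds expected executable region count")
                        for r in exec_regions[baseline:])
    return findings


def find_unexpected_zips(listing: str, allowlist=frozenset()):
    """Return (filename, reason) pairs for .zip entries in a `dir disk0:` listing."""
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank, header or footer lines
        name = parts[-1]
        if not name.lower().endswith(".zip") or name in allowlist:
            continue
        if name.lower().startswith("client_bundle"):
            reason = "client_bundle*.zip is the Line Runner persistence carrier"
        else:
            reason = "unexpected .zip on disk0:"
        findings.append((name, reason))
    return findings


# Constructed sample captures (not taken from a real device).
SAMPLE_MEMORY_REGION = """\
00400000-0c7f0000 r-xp 00000000 08:01 12345  /asa/bin/lina
0c7f0000-0d2a0000 rw-p 0c3f0000 08:01 12345  /asa/bin/lina
7f3a1c000000-7f3a1c001000 r-xp 00000000 00:00 0
"""
SAMPLE_DIR_DISK0 = """\
Directory of disk0:/

  11      -rwx  31916008   09:04:30 Mar 22 2024  asa9-16-4-lfbff-k8.SPA
  12      -rwx  92724464   09:05:12 Mar 22 2024  asdm-7164.bin
  13      -rwx      1523   03:12:45 Apr 18 2024  client_bundle_install.zip
  14      -rwx       912   14:40:01 Jan 10 2024  backup_config.txt

8192000000 bytes total (7900000000 bytes free)
"""


def triage(memory_text=SAMPLE_MEMORY_REGION, dir_text=SAMPLE_DIR_DISK0):
    """Run both checks and return a plain dict an operator can log or ship."""
    mem = suspicious_exec_regions(parse_memory_regions(memory_text))
    zips = find_unexpected_zips(dir_text)
    return {
        "exec_region_findings": [(f"{r.start:x}-{r.end:x}", why) for r, why in mem],
        "zip_findings": zips,
        "suspect_compromise": bool(mem or zips),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

If `suspect_compromise` comes back true, the guidance above applies: copy any flagged ZIP off the device for analysis, do not reboot or collect a core dump, and open a case with TAC. The `allowlist` parameter exists for ZIPs an organisation has deliberately staged on disk0:, so a known file does not hide a new one.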