KrustyLoader – Rust malware linked to Ivanti ConnectSecure compromises

Rust-based KrustyLoader is linked to Ivanti Connect Secure compromises, delivering Sliver backdoors after exploitation of two zero-days. The malware performs environment checks, decrypts a hardcoded host URL, downloads an ELF file with a random name into /tmp, makes it executable, and executes that payload.
#KrustyLoader #IvantiConnectSecure

Keypoints

  • The KrustyLoader campaign targets Ivanti Connect Secure VPN appliances exploiting CVE-2024-21887 and CVE-2023-46805.
  • 12 Rust payloads share almost 100% code similarity and download a Sliver backdoor from a remote URL.
  • The malware performs environment checks (PPID, anti-debug, /tmp checks) and only proceeds if conditions are met.
  • It self-deletes its initial ELF image via unlink during the initial steps.
  • It decrypts a hardcoded URL using a three-step process (hex-decode, XOR, AES-128-CFB) to obtain the host URL.
  • The final payload is a Sliver backdoor that communicates with its C2 over HTTP/HTTPS.

MITRE Techniques

  • [T1057] Process Discovery – “It gets the process parent ID (PPID) using getppid syscall and exits if PPID is 1.”
  • [T1497] Virtualization/Sandbox Evasion – “Anti-debug checks: it reads /proc/self/exe again (now the value suffixed with ‘ (deleted)’) and exits if it contains gdb or lldb (both debuggers) strings.”
  • [T1070] Indicator Removal on Host – “unlinks itself” (deletes its own file while executing).
  • [T1105] Ingress Tool Transfer – “decrypts a hardcoded URL, and sends a GET HTTP request to that URL.”
  • [T1071.001] Web Protocols – “The Sliver backdoors contact their C2 server using HTTP/HTTPS communication.”
  • [T1140] Deobfuscation/Decode Files or Information – “The process of decryption used by the malware to retrieve the URL has three steps: … hex-decodes, XOR, AES-128 CFB to decrypt the URL.”
  • [T1036] Masquerading – “It creates in /tmp directory a new file with a filename made of 10 random alphanumeric characters.”
  • [T1059] Execution – “Finally, it tries to execute the newly created executable and exits.”
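The behaviours listed above leave two host-side traces a defender can look for: a process still running from a binary that has been unlinked (/proc/<pid>/exe resolves to a path suffixed with “ (deleted)”), and an executable in /tmp whose name is exactly 10 alphanumeric characters. The following script, added here as an illustration and not taken from the Synacktiv analysis or the KrustyLoader code, applies those two heuristics to a constructed process snapshot; the record layout, the sample paths and the function names are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical process-snapshot record, as an EDR agent or a /proc walk
# might export it. Field names are an assumption for this example.
@dataclass
class ProcRecord:
    pid: int
    ppid: int
    exe: str  # resolved target of /proc/<pid>/exe

DELETED_SUFFIX = " (deleted)"          # what readlink(/proc/<pid>/exe) shows after unlink
RANDOM_TMP_NAME = re.compile(r"^/tmp/[A-Za-z0-9]{10}$")  # 10 random alphanumeric chars

FINDING_UNLINKED = "running from unlinked binary (self-deletion, T1070)"
FINDING_TMP_NAME = "executable in /tmp with 10-char alphanumeric name (T1036)"

def flags_for(rec: ProcRecord) -> list:
    """Return the list of heuristic findings for one process record."""
    findings = []
    exe = rec.exe
    if exe.endswith(DELETED_SUFFIX):
        # The kernel keeps the mapped image alive after unlink, so the process
        # runs on even though the file is gone; strip the suffix to test the path.
        exe = exe[: -len(DELETED_SUFFIX)]
        findings.append(FINDING_UNLINKED)
    if RANDOM_TMP_NAME.match(exe):
        findings.append(FINDING_TMP_NAME)
    return findings

def scan(snapshot: list) -> dict:
    """Map pid -> findings for every record that triggers at least one heuristic."""
    return {rec.pid: flags_for(rec) for rec in snapshot if flags_for(rec)}

# Constructed sample snapshot (not real telemetry): one loader that has already
# unlinked itself, one dropped payload with a random 10-char name, and benign noise.
SAMPLE_SNAPSHOT = [
    ProcRecord(1, 0, "/usr/lib/systemd/systemd"),
    ProcRecord(2231, 2200, "/tmp/dropper_stage1 (deleted)"),  # loader after unlink()
    ProcRecord(2250, 2231, "/tmp/aZ3kQ9pL0x"),                # dropped payload, 10 alnum chars
    ProcRecord(2300, 1, "/usr/sbin/sshd"),
    ProcRecord(2400, 2300, "/tmp/build.sh"),                   # /tmp file, but not the name pattern
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_SNAPSHOT).items():
        print(pid, "->", "; ".join(findings))
```

Both heuristics are cheap to evaluate from a periodic /proc walk and are independent of the sample hashes, so they keep working when the loader is recompiled. The 10-character name rule will occasionally match legitimate temporary files, so treat it as a triage signal to be combined with the unlinked-binary check or with network telemetry for the decrypted host URLs, rather than as a standalone alert.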

Indicators of Compromise

  • [SHA-256] KrustyLoader sample hashes – 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04, 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17, and 10 other hashes listed in the full report
  • [URL] Decrypted host URLs – http://bringthenoiseappnew.s3.amazonaws.com/iEgJ4J7Uc9YgC, http://bbr-promo.s3.amazonaws.com/NWEUW983Ve4g1
  • [Domain] C2/hosting domains – bringthenoiseappnew.s3.amazonaws.com, bbr-promo.s3.amazonaws.com
  • [URL] Public IOC resource – https://github.com/synacktiv/krustyloader-analysis

Read more: https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises