An investigation by QuoIntelligence has uncovered a previously unreported variant of the WIREFIRE web shell targeting Ivanti Connect Secure VPN appliances. The finding shows how far intruders will go to evade signature-based detection and keep their foothold on compromised systems.
Uncovering a Stealthy Cyber Threat
In December 2023, exploitation of vulnerabilities in Ivanti Connect Secure VPN appliances was first detected, and a widespread campaign soon came to light. The attackers, tracked as UNC5221, deployed web shells to retain unauthorized access to both internal-facing and internet-facing web applications on the compromised appliances.
QuoIntelligence's team found a version of the WIREFIRE web shell that had not been reported before. The variant had been planted in a different file from the one the original was found in, so the existing detections, written around the original's location, did not flag it.
Analyzing the Enhanced Web Shell
The new variant keeps the core behaviour of its predecessor: it intercepts requests to the appliance, decrypts the payload they carry, and executes it in memory so that nothing is written to disk. It differs in two significant ways: the payload is delivered in a cookie rather than in the request body, and the decoded code is run with Python's exec() function, giving the operator persistent arbitrary code execution.
Together these changes defeated the YARA rule Mandiant published for the WIREFIRE web shell, which did not account for the new location or the cookie-based delivery. This is a recurring attacker tactic: ship a lightly modified copy of a known tool so that detections keyed to specific file paths, or to strings unique to the first sample, no longer match.
Proactive Measures and New Detection Tools
In response, QuoIntelligence developed a broader YARA rule that matches both the original web shell and the new variant. Organizations running affected appliances are advised to deploy this rule in their file scanning, apply Ivanti's patches and mitigations, and keep tracking how the web shells in this campaign evolve.
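The following Python example, added here to illustrate the detection point made above, contrasts a signature keyed to the file the shell was first found in with a broader, content-keyed signature of the kind the new rule takes. It is not QuoIntelligence's or Mandiant's rule and contains no real WIREFIRE code: the three sample files, their paths, the cookie name and the decode-then-exec indicator strings are all constructed for illustration and are assumptions, not indicators from the campaign.

```python
"""Added example: a path-keyed web shell signature misses a relocated variant,
a content-keyed one catches both. Samples, paths and indicator strings are
constructed stand-ins, not real WIREFIRE artifacts."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    path: str
    content: str


# Constructed sample 1: stand-in for the originally reported shell, which takes
# an encoded blob from the request body and runs it with exec().
ORIGINAL = Sample(
    path="/opt/app/api/resources/visits.py",  # placeholder path (assumption)
    content=(
        "def post(self):\n"
        "    blob = request.data\n"
        "    code = zlib.decompress(base64.b64decode(blob))\n"
        "    exec(code)\n"
    ),
)

# Constructed sample 2: stand-in for the variant, planted in a different file
# and reading its blob from a cookie instead of the body. Cookie name is made up.
VARIANT = Sample(
    path="/opt/app/api/resources/status.py",  # placeholder path (assumption)
    content=(
        "def get(self):\n"
        "    blob = request.cookies.get('ui_pref')\n"
        "    code = zlib.decompress(base64.b64decode(blob))\n"
        "    exec(code)\n"
    ),
)

# Constructed sample 3: benign code that happens to call exec() on a literal,
# included so the broader rule can be checked for false positives.
BENIGN = Sample(
    path="/opt/app/api/resources/plugins.py",  # placeholder path (assumption)
    content=(
        "def load(self):\n"
        "    exec('import json')\n"
    ),
)

SAMPLES = [ORIGINAL, VARIANT, BENIGN]


def path_keyed_rule(sample: Sample) -> bool:
    """Models a signature tied to the file the shell was first reported in:
    it only fires when the suspicious call appears in that one file."""
    return sample.path.endswith("/visits.py") and "exec(" in sample.content


# Indicators for the content-keyed rule: a decode chain feeding exec(). These
# regexes are assumptions chosen for the constructed samples above.
_DECODE_CHAIN = re.compile(r"zlib\.decompress\(\s*base64\.b64decode\(")
_EXEC_CALL = re.compile(r"\bexec\(")


def content_keyed_rule(sample: Sample) -> bool:
    """Models a broader signature: decode chain plus exec(), regardless of the
    file name and of whether the blob arrived in the body or in a cookie."""
    text = sample.content
    return bool(_DECODE_CHAIN.search(text)) and bool(_EXEC_CALL.search(text))


def scan(samples, rule):
    """Return the paths of the samples the rule flags, in input order."""
    return [s.path for s in samples if rule(s)]


if __name__ == "__main__":
    for name, rule in (("path-keyed", path_keyed_rule),
                       ("content-keyed", content_keyed_rule)):
        print(f"{name:14} -> {scan(SAMPLES, rule)}")
```

Running the script shows the path-keyed rule flagging only the original file, while the content-keyed rule flags both the original and the relocated, cookie-fed variant and leaves the benign file alone. In a real YARA rule the second approach corresponds to string conditions on the decode-and-execute pattern with no dependence on where the file sits on the appliance.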