C0046 ArcaneDoor
ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.21
| Item | Value |
|---|---|
| ID | C0046 |
| Associated Names | |
| First Seen | July 2023 |
| Last Seen | April 2024 |
| Version | 1.0 |
| Created | 06 January 2025 |
| Last Modified | 10 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | ArcaneDoor included the use of dedicated, adversary-controlled virtual private servers for command and control.2 |
| enterprise | T1583.006 | Web Services | ArcaneDoor included the use of OpenConnect VPN Server instances for conducting actions on victim devices.2 |
| enterprise | T1557 | Adversary-in-the-Middle | ArcaneDoor included interception of HTTP traffic to victim devices to identify and parse command and control information sent to the device.2 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ArcaneDoor command and control activity was conducted through HTTP.2 |
| enterprise | T1119 | Automated Collection | ArcaneDoor included collection of packet capture and system configuration information.1 |
| enterprise | T1020 | Automated Exfiltration | ArcaneDoor included scripted exfiltration of collected data.1 |
| enterprise | T1037 | Boot or Logon Initialization Scripts | ArcaneDoor used malicious boot scripts to install the Line Runner backdoor on victim devices.2 |
| enterprise | T1059 | Command and Scripting Interpreter | ArcaneDoor included the adversary executing command line interface (CLI) commands.2 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ArcaneDoor involved the use of Base64 obfuscated scripts and commands.2 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | ArcaneDoor featured the development and deployment of two unique malware types, Line Dancer and Line Runner.12 |
| enterprise | T1587.003 | Digital Certificates | ArcaneDoor included acquiring digital certificates mimicking patterns associated with Cisco ASA appliances for command and control infrastructure.2 |
| enterprise | T1041 | Exfiltration Over C2 Channel | ArcaneDoor included use of existing command and control channels for data exfiltration.21 |
| enterprise | T1190 | Exploit Public-Facing Application | ArcaneDoor abused WebVPN traffic to targeted devices to achieve unauthorized remote code execution.1 |
| enterprise | T1133 | External Remote Services | ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | ArcaneDoor modified the Authentication, Authorization, and Accounting (AAA) function of targeted Cisco ASA appliances to allow the threat actor to bypass normal AAA operations.21 |
| enterprise | T1562.003 | Impair Command History Logging | ArcaneDoor included disabling logging on targeted Cisco ASA appliances.21 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ArcaneDoor included multiple instances of file deletion or removal during execution and other adversary actions.21 |
| enterprise | T1036 | Masquerading | ArcaneDoor involved the use of digital certificates on adversary-controlled network infrastructure that mimicked the formatting used by legitimate Cisco ASA appliances.2 |
| enterprise | T1556 | Modify Authentication Process | ArcaneDoor included modification of the AAA process to bypass authentication mechanisms.2 |
| enterprise | T1040 | Network Sniffing | ArcaneDoor included network packet capture and sniffing for data collection in victim environments.21 |
| enterprise | T1653 | Power Settings | ArcaneDoor involved exploitation of CVE-2024-20353 to force a victim Cisco ASA to reboot, triggering the automated unzipping and execution of the Line Runner implant.2 |
| enterprise | T1055 | Process Injection | ArcaneDoor included injecting code into the AAA and Crash Dump processes on infected Cisco ASA devices.2 |
| enterprise | T1014 | Rootkit | ArcaneDoor included hooking the processHostScanReply() function on victim Cisco ASA devices.2 |
| enterprise | T1082 | System Information Discovery | ArcaneDoor included collection of victim device configuration information.1 |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.003 | One-Way Communication | ArcaneDoor utilized HTTP command and control traffic where commands are intercepted from HTTP traffic to the device, parsed for appropriate identifiers and commands, and then executed.2 |
Software
| ID | Name | Description |
|---|---|---|
| S1186 | Line Dancer | Line Dancer is uniquely associated with the ArcaneDoor campaign.12 |
References
-
Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩