S1114 ZIPLINE

ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality. [1]

ID: S1114
Associated Names: (none listed)
Type: MALWARE
Version: 1.1
Created: 01 March 2024
Last Modified: 15 April 2025

Techniques Used (all techniques are in the Enterprise domain)

T1059 Command and Scripting Interpreter
    T1059.004 Unix Shell: ZIPLINE can use /bin/sh to create a reverse shell and execute commands. [1]

T1573 Encrypted Channel
    T1573.001 Symmetric Cryptography: ZIPLINE can use AES-128-CBC to encrypt data for both upload and download. [2]

T1083 File and Directory Discovery: ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands. [1]

T1562 Impair Defenses
    T1562.001 Disable or Modify Tools: ZIPLINE can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool if the --exclude parameter is passed by the tar process. [1]

T1105 Ingress Tool Transfer: ZIPLINE can download files to be saved on the compromised system. [1][2]

T1095 Non-Application Layer Protocol: ZIPLINE can communicate with C2 using a custom binary protocol. [2]

T1057 Process Discovery: ZIPLINE can identify running processes and their names. [1]

T1090 Proxy: ZIPLINE can create a proxy server on compromised hosts. [1][2]

T1205 Traffic Signaling: ZIPLINE can identify a specific string in intercepted network traffic, SSH-2.0-OpenSSH_0.3xx., to trigger its command functionality. [1]
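The T1205 entry above gives defenders a concrete network artifact: the trigger string ZIPLINE watches for. The following is an added detection example written for this page; it is not ATT&CK or Mandiant code. It scans captured connection payloads for that string and separates it from ordinary SSH identification banners. Assumptions made here and not stated on the page: the flow tuples and sample payloads are constructed for illustration, and the banner regex is a loose rendering of the RFC 4253 identification-string format rather than anything taken from the ZIPLINE analysis.

```python
"""Flag network payloads carrying the ZIPLINE traffic-signaling trigger (T1205).

Added detection example, not code from the ATT&CK page or the ZIPLINE reports.
"""
import re

# Trigger string exactly as given in the ATT&CK T1205 entry (trailing period included).
ZIPLINE_TRIGGER = b"SSH-2.0-OpenSSH_0.3xx."

# Loose match for a normal SSH identification string ("SSH-2.0-<software> [comments]\r\n")
# so benign SSH client/server banners are classified separately. Assumption: a simplified
# reading of RFC 4253 section 4.2, not something the page specifies.
SSH_BANNER_RE = re.compile(rb"^SSH-2\.0-[\x21-\x7e]+(?:[ \t][\x20-\x7e]*)?\r?\n")


def contains_zipline_trigger(payload: bytes) -> bool:
    """True when the ZIPLINE trigger appears anywhere in the payload."""
    return ZIPLINE_TRIGGER in payload


def classify(payload: bytes) -> str:
    """Return 'zipline-trigger', 'ssh-banner' or 'other' for one payload."""
    if contains_zipline_trigger(payload):
        return "zipline-trigger"
    if SSH_BANNER_RE.match(payload):
        return "ssh-banner"
    return "other"


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload_bytes).

    Returns one alert dict per flow containing the trigger, with the byte offset at which
    the trigger was found so an analyst can pivot into the capture.
    """
    alerts = []
    for src, dst, dport, payload in flows:
        if classify(payload) == "zipline-trigger":
            alerts.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "offset": payload.find(ZIPLINE_TRIGGER),
            })
    return alerts


# Constructed sample flows (hypothetical addresses and payloads, not from any real capture).
SAMPLE_FLOWS = [
    # Ordinary OpenSSH client banner: must not alert.
    ("10.0.0.5", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Start of a TLS ClientHello: must not alert.
    ("198.51.100.7", "192.0.2.10", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    # Trigger string embedded after an HTTP request preamble: must alert.
    ("203.0.113.9", "192.0.2.10", 443,
     b"GET / HTTP/1.1\r\nHost: vpn\r\n\r\n" + ZIPLINE_TRIGGER + b"\x00\x10\x00\x00"),
]


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print("ZIPLINE trigger seen:", alert)
```

Because a real OpenSSH banner carries a release version rather than "0.3xx", a plain content match on the trigger string has a low false-positive rate and ports directly to an IDS content rule; the classifier is there so that benign SSH banners are visibly separated from trigger hits in the output.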

References