
S1115 WIREFIRE

WIREFIRE is a web shell written in Python that exists as trojanized logic inserted into the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and executing commands.[1]

ID:               S1115
Associated Names: GIFTEDVISITOR
Type:             MALWARE
Version:          1.1
Created:          04 March 2024
Last Modified:    15 April 2025

Associated Software Descriptions

Name            Description
GIFTEDVISITOR   [2]

Techniques Used

Domain: Enterprise

T1071.001  Application Layer Protocol: Web Protocols
           WIREFIRE can respond to specific HTTP POST requests to /api/v1/cav/client/visits.[1][2]

T1554      Compromise Host Software Binary
           WIREFIRE can modify the visits.py component of Ivanti Connect Secure VPNs for file download and arbitrary command execution.[1][2]

T1132.001  Data Encoding: Standard Encoding
           WIREFIRE can Base64-encode process output sent to C2.[1]

T1140      Deobfuscate/Decode Files or Information
           WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP POST requests.[1]

T1573.001  Encrypted Channel: Symmetric Cryptography
           WIREFIRE can AES-encrypt process output sent from compromised devices to C2.[1]

T1105      Ingress Tool Transfer
           WIREFIRE has the ability to download files to compromised devices.[1]

T1505.003  Server Software Component: Web Shell
           WIREFIRE is a web shell that can download files to and execute arbitrary commands on compromised Ivanti Connect Secure VPNs.[1]

References