S1118 BUSHWALK
BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPN appliances during Cutting Edge.[2][1]
| Item | Value |
|---|---|
| ID | S1118 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 07 March 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1554 | Compromise Host Software Binary | BUSHWALK can embed itself in the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs.[2][1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BUSHWALK can Base64-decode and RC4-decrypt malicious payloads sent through a web request's command parameter.[2][1] |
| enterprise | T1105 | Ingress Tool Transfer | BUSHWALK can write to disk malicious payloads sent through a web request's command parameter.[2][1] |
| enterprise | T1027 | Obfuscated Files or Information | BUSHWALK can RC4-encrypt the data generated by C2 commands before returning it.[2] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | BUSHWALK is a web shell that can execute arbitrary commands or write files.[2] |
| enterprise | T1205 | Traffic Signaling | BUSHWALK can modify the DSUserAgentCap.pm Perl module on Ivanti Connect Secure VPNs so that it activates or deactivates depending on the User-Agent value of incoming HTTP requests.[1] |
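The rows above describe a request-handling chain: a User-Agent gate decides whether the shell activates, the `command` parameter is Base64-decoded and RC4-decrypted, and command output is RC4-encrypted on the way back. The following is an added analyst-side example, written here in Python and not BUSHWALK's own Perl source, that models that chain as a decoder for captured traffic. The RC4 key, the trigger User-Agent string, the request path and the access-log lines are all constructed assumptions for the illustration; the page does not give the real values.

```python
# Added illustration, not BUSHWALK's Perl code: an analyst-side decoder for the
# request/response flow described on this page (User-Agent gate, Base64 + RC4 on
# the `command` parameter, RC4 on the returned output). The key, trigger
# User-Agent, request path and log lines are constructed assumptions.
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

ASSUMED_RC4_KEY = b"example-key"               # assumption: a key recovered from the modified CGI
ASSUMED_TRIGGER_UA = "Mozilla/5.0 (trigger)"   # assumption: the activating User-Agent value


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_activated(user_agent: Optional[str]) -> bool:
    """Traffic-signaling gate: only requests carrying the trigger User-Agent are handled."""
    return user_agent == ASSUMED_TRIGGER_UA


def decode_command(query_string: str, key: bytes = ASSUMED_RC4_KEY) -> Optional[bytes]:
    """Base64-decode, then RC4-decrypt, the `command` query parameter (T1140 on the page)."""
    params = parse_qs(query_string, keep_blank_values=True)
    if "command" not in params:
        return None
    try:
        raw = base64.b64decode(params["command"][0], validate=True)
    except ValueError:          # binascii.Error is a ValueError: not valid Base64
        return None
    return rc4(key, raw)


def build_command_param(plaintext: bytes, key: bytes = ASSUMED_RC4_KEY) -> str:
    """Sender side, the inverse of decode_command; used here only to construct sample traffic."""
    return urlencode({"command": base64.b64encode(rc4(key, plaintext)).decode()})


def decrypt_result(body: bytes, key: bytes = ASSUMED_RC4_KEY) -> bytes:
    """Command output is RC4-encrypted (T1027); RC4 is symmetric, so the same key recovers it."""
    return rc4(key, body)


# Combined-log-format request line with optional query string and the User-Agent field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>[^?\s]+)'
    r'(?:\?(?P<qs>\S*))? HTTP/[\d.]+" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def triage_log(lines: List[str], key: bytes = ASSUMED_RC4_KEY) -> List[Tuple[str, str, bytes]]:
    """Return (source, path, decoded command) for requests that pass the UA gate
    and carry a `command` parameter that decodes cleanly under the assumed key."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_activated(m.group("ua")):
            continue
        cmd = decode_command(m.group("qs") or "", key)
        if cmd is not None:
            hits.append((m.group("src"), m.group("path"), cmd))
    return hits


# Constructed sample access-log lines (not real Ivanti logs): the first carries the trigger
# User-Agent and an encoded command, the second is ordinary traffic, the third has the
# trigger User-Agent but a `command` value that is not valid Base64.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2024:10:00:00 +0000] "GET /querymanifest.cgi?'
    + build_command_param(b"id") + ' HTTP/1.1" 200 64 "-" "' + ASSUMED_TRIGGER_UA + '"',
    '10.0.0.9 - - [01/Feb/2024:10:00:01 +0000] "GET /querymanifest.cgi HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.7 - - [01/Feb/2024:10:00:02 +0000] "GET /querymanifest.cgi?command=notbase64! HTTP/1.1" '
    '200 512 "-" "' + ASSUMED_TRIGGER_UA + '"',
]

if __name__ == "__main__":
    for src, path, cmd in triage_log(SAMPLE_LOG):
        print(f"{src} {path} -> {cmd!r}")
```

Two caveats for real use: the gate in the actual sample lives in DSUserAgentCap.pm, so a log-only check like `is_activated` is a heuristic until the modified module and key are recovered from the appliance, and a request that does not match the trigger User-Agent is served by the legitimate querymanifest.cgi, which is why the decoder ignores such lines rather than treating them as benign proof.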
References
- [1] Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
- [2] Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.