S1123 PITSTOP
PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPN appliances during the Cutting Edge campaign to enable command execution and file read/write.1
| Item | Value |
|---|---|
| ID | S1123 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 13 March 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | PITSTOP has the ability to receive shell commands over a Unix domain socket.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PITSTOP can deobfuscate base64 encoded and AES encrypted commands.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | PITSTOP has the ability to communicate over TLS.1 |
| enterprise | T1559 | Inter-Process Communication | PITSTOP can listen over the Unix domain socket located at /data/runtime/cockpit/wd.fd.1 |
| enterprise | T1205 | Traffic Signaling | - |
| enterprise | T1205.002 | Socket Filters | PITSTOP can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located at /data/runtime/cockpit/wd.fd for a predefined magic byte sequence. PITSTOP can then duplicate the socket for further communication over TLS.1 |
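The techniques above all hinge on one artifact: the Unix domain socket at /data/runtime/cockpit/wd.fd, which PITHOOK creates and PITSTOP listens on. A practical hunt on a suspect appliance is to find that socket's inode and then enumerate every process holding a file descriptor to it, since a legitimate owner plus an unexpected second holder is exactly the pattern the description implies. The following is an added example, not code from the ATT&CK page, Mandiant, or Ivanti; it assumes only the standard Linux /proc layouts (the `/proc/net/unix` column order and `socket:[inode]` symlink targets under `/proc/<pid>/fd/`), and the sample data it runs on is constructed.

```python
"""Hunt helper: which processes hold the Unix domain socket PITSTOP listens on?

Added example, not part of the ATT&CK entry or of any vendor tooling.
Assumes standard Linux /proc formats:
  /proc/net/unix   -> 'Num RefCount Protocol Flags Type St Inode Path'
  /proc/<pid>/fd/N -> symlink target 'socket:[<inode>]' for socket fds
"""
import os
import re
from typing import Dict, List, Set

# Socket path taken from the ATT&CK entry (T1559 / T1205.002 rows).
SUSPECT_PATH = "/data/runtime/cockpit/wd.fd"

# Flags value that /proc/net/unix shows for a socket in listen() state
# (kernel __SO_ACCEPTCON bit). Used only to tag the hit as listening.
LISTEN_FLAGS = "00010000"

_SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def socket_inodes_for_path(proc_net_unix: str, path: str = SUSPECT_PATH) -> Dict[int, bool]:
    """Map inode -> is_listening for every Unix socket bound to `path`."""
    hits: Dict[int, bool] = {}
    for line in proc_net_unix.splitlines()[1:]:  # first line is the header
        fields = line.split(maxsplit=7)
        # Unbound/abstract entries have no Path column; skip them.
        if len(fields) == 8 and fields[7] == path:
            hits[int(fields[6])] = fields[3] == LISTEN_FLAGS
    return hits


def holders_of_inodes(fd_links: Dict[int, List[str]], inodes: Set[int]) -> Dict[int, List[int]]:
    """Given {pid: [readlink targets of /proc/<pid>/fd/*]}, return {pid: [matching inodes]}.

    Two or more pids sharing one inode means the socket fd was inherited or
    duplicated across processes, the behaviour described for PITHOOK/PITSTOP.
    """
    out: Dict[int, List[int]] = {}
    for pid, links in fd_links.items():
        matched = []
        for target in links:
            m = _SOCKET_LINK.fullmatch(target)
            if m and int(m.group(1)) in inodes:
                matched.append(int(m.group(1)))
        if matched:
            out[pid] = matched
    return out


def hunt(proc_net_unix: str, fd_links: Dict[int, List[str]], path: str = SUSPECT_PATH) -> Dict[int, List[int]]:
    """End-to-end: resolve the socket path to inode(s), then find every holder."""
    inodes = set(socket_inodes_for_path(proc_net_unix, path))
    return holders_of_inodes(fd_links, inodes)


def collect_fd_links_live() -> Dict[int, List[str]]:
    """Walk the real /proc on a Linux host (needs root to see other users' fds)."""
    links: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            links[int(entry)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or permission denied
    return links


# --- Constructed sample data (not captured from a real appliance) ---
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 31337 /data/runtime/cockpit/wd.fd
0000000000000000: 00000003 00000000 00000000 0001 03 24680
0000000000000000: 00000002 00000000 00010000 0001 01 13579 /var/run/dbus/system_bus_socket
"""

SAMPLE_FD_LINKS = {
    1000: ["/dev/null", "socket:[31337]", "pipe:[55]"],  # hypothetical process that created the socket
    1001: ["socket:[31337]", "socket:[13579]"],          # hypothetical second holder of the same socket
    2000: ["/var/log/messages", "socket:[13579]"],       # unrelated process, dbus only
}

if __name__ == "__main__":
    for pid, inodes in hunt(SAMPLE_PROC_NET_UNIX, SAMPLE_FD_LINKS).items():
        print(f"pid {pid} holds {SUSPECT_PATH} (inode(s) {inodes})")
```

On a live appliance the same check is `ss -xlp | grep wd.fd` (or `hunt(open('/proc/net/unix').read(), collect_fd_links_live())` as root); the point of correlating by inode rather than by path is that a duplicated descriptor carries no path of its own, so only the inode ties the second holder back to the socket.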