S1164 UPSTYLE
UPSTYLE is a Python-based backdoor associated with the exploitation of Palo Alto Networks firewalls via CVE-2024-3400 in early 2024. UPSTYLE has only been observed in connection with that activity, in which the threat actor UTA0218 attempted to install it on compromised devices.[2][1]
| Item | Value |
|---|---|
| ID | S1164 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 20 November 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.006 | Python | UPSTYLE is written in Python.[2][1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | UPSTYLE parses its commands out of web server error-log entries generated by requests for a non-existent web page, so the command traffic is buried in ordinary error noise.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | UPSTYLE stores its main payload as base64-encoded blobs that are decoded at load time in Python.[2][1] |
| enterprise | T1546 | Event Triggered Execution | UPSTYLE establishes persistence by planting a .pth file in a Python site-packages directory with a line beginning with import; Python's site module executes such lines at interpreter start-up, so the malicious code runs every time any other Python process starts on the device.[2] |
| enterprise | T1665 | Hide Infrastructure | UPSTYLE receives commands through requests for a non-existent web page, so no dedicated command and control channel is visible; the commands arrive in the resulting error-log entries.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.002 | Clear Linux or Mac System Logs | UPSTYLE clears the error log after reading the embedded commands it executes.[2] |
| enterprise | T1070.004 | File Deletion | UPSTYLE removes the modified bootstrap.min.css after its command and control exchange and restores the file to its original state.[2] |
| enterprise | T1070.006 | Timestomp | UPSTYLE restores the original timestamps of files it modifies.[2] |
| enterprise | T1036 | Masquerading | UPSTYLE has used innocuous-looking file names such as update.py.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | UPSTYLE stores its primary content as base64-encoded objects.[2][1] |
| enterprise | T1057 | Process Discovery | UPSTYLE reads /proc/self/cmdline to check whether it is running as a monitored process.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.003 | One-Way Communication | UPSTYLE obtains commands from error-log entries produced by requests for a non-existent web page rather than through a direct two-way channel with the command and control server.[2] |
References
1. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
2. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.