S1188 Line Runner
Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.[1][2]
| Item | Value |
|---|---|
| ID | S1188 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 January 2025 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1557 | Adversary-in-the-Middle | Line Runner intercepts HTTP requests to the victim Cisco ASA, looking for a request with a 32-character, victim-dependent parameter. If that parameter matches a value in the malware, a contained payload is then written to a Lua script and executed.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Line Runner utilizes an HTTP-based Lua backdoor on victim machines.[2][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.011 | Lua | Line Runner utilizes Lua scripts for command execution.[2][1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Line Runner utilizes HTTP to retrieve and exfiltrate information staged using Line Dancer.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Line Runner removes its initial ZIP delivery archive after processing the enclosed Lua script.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.015 | Compression | Line Runner is delivered as a ZIP payload that is automatically extracted, with its contents, a Lua script, executed for initial execution via CVE-2024-20359.[2] |
| enterprise | T1653 | Power Settings | Line Runner used CVE-2024-20353 to trigger victim devices to reboot, in the process unzipping and installing the Line Dancer payload.[2] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Line Runner is a persistent Lua-based web shell.[1] |