1. Home
  2. Software
  3. PITSTOP

PITSTOP

PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.[1]

ID: S1123
Type: MALWARE
Platforms: Network
Version: 1.0
Created: 13 March 2024
Last Modified: 17 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .002 加密通道: Asymmetric Cryptography

PITSTOP has the ability to communicate over TLS.[1]
Enterprise T1140 反混淆/解码文件或信息

PITSTOP can deobfuscate base64 encoded and AES encrypted commands.[1]
Enterprise T1059 .004 命令与脚本解释器: Unix Shell

PITSTOP has the ability to receive shell commands over a Unix domain socket.[1]
Enterprise T1205 .002 流量激活: Socket Filters

PITSTOP can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located at /data/runtime/cockpit/wd.fd for a predefined magic byte sequence. PITSTOP can then duplicate the socket for further communication over TLS.[1]
Enterprise T1559 进程间通信

PITSTOP can listen over the Unix domain socket located at /data/runtime/cockpit/wd.fd.[1]

Campaigns

ID Name Description
C0029 Cutting Edge

[1]

References

  1. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.