
ROOTROT Malware

Cyber attackers have recently targeted MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE) networks. The attackers, believed to be a nation-state group, exploited two zero-day vulnerabilities in Ivanti Connect Secure appliances starting in January 2024. Through extensive investigation, experts have confirmed that the attackers deployed a Perl-based web shell named ROOTROT to gain initial access.

ROOTROT was concealed within a legitimate Connect Secure .ttc file located at '/data/runtime/tmp/tt/setcookie.thtml.ttc' and is attributed to a cyber espionage cluster with ties to China known as UNC5221. This same group of hackers has been associated with other Web shells, including BUSHWALK, CHAINLINE, FRAMESTING and LIGHTWIRE.
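A defender-side hunt for the template-cache directory named above, added here as example code rather than anything from MITRE or Ivanti: it walks an offline copy of an appliance filesystem, compares each .ttc file against a known-good SHA-256 baseline and flags Perl command-execution constructs that have no place in a compiled template. The file path is taken from the report; the regex patterns, baseline mechanism and sample file contents are assumptions constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Legitimate Connect Secure template-cache file in which ROOTROT was hidden (path from the report).
ROOTROT_HOST_PATH = "/data/runtime/tmp/tt/setcookie.thtml.ttc"

# Heuristic: Perl command-execution constructs that do not belong in a compiled
# template cache. These patterns are assumptions, not signatures from the report.
SUSPICIOUS_PERL = re.compile(r"\b(?:system|exec)\s*\(|`[^`\n]+`|\bopen\s*\([^)]*\|")


def hunt_ttc(root: str, known_good: dict[str, str]) -> list[dict]:
    """Report .ttc files under `root` whose SHA-256 differs from the supplied
    known-good baseline or that contain command-execution constructs."""
    findings = []
    for path in sorted(Path(root).rglob("*.ttc")):
        rel = "/" + path.relative_to(root).as_posix()  # path as seen on the appliance
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        baseline = known_good.get(rel)
        if baseline is not None and baseline != digest:
            reasons.append("sha256 differs from known-good baseline")
        hit = SUSPICIOUS_PERL.search(data.decode("latin-1"))
        if hit:
            reasons.append(f"command-execution construct {hit.group(0).strip()!r}")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings


# Constructed samples standing in for a compiled template (benign) and the same
# file with an injected system() call (tampered); neither is the real ROOTROT code.
BENIGN_TTC = b"sub { my $ctx = shift; my $out = ''; $out .= 'Set-Cookie: id=' . $ctx->stash->get('id'); $out }\n"
TAMPERED_TTC = BENIGN_TTC.replace(b"$out }", b"system('true'); $out }")


def demo() -> list[dict]:
    """Build a tiny filesystem image with both samples, then hunt it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in {"/data/runtime/tmp/tt/login.thtml.ttc": BENIGN_TTC,
                          ROOTROT_HOST_PATH: TAMPERED_TTC}.items():
            target = Path(root, rel.lstrip("/"))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        # Baseline hash taken from the pristine copy of setcookie.thtml.ttc.
        baseline = {ROOTROT_HOST_PATH: hashlib.sha256(BENIGN_TTC).hexdigest()}
        return hunt_ttc(root, baseline)
```

Running `demo()` returns one finding, for the setcookie file, with both a hash mismatch and a `system(` hit; the benign login template is not reported.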

The Infection Followed the Exploitation of Two Vulnerabilities

The attack involved exploiting CVE-2023-46805 and CVE-2024-21887, enabling threat actors to circumvent authentication and execute arbitrary commands on the compromised system.

Once initial access was obtained, the threat actors proceeded to move laterally and infiltrate the VMware infrastructure using a compromised administrator account. This breach facilitated the deployment of backdoors and web shells for persistence and credential harvesting. 

NERVE is an unclassified collaborative network that offers storage, computing, and networking resources. The attackers are suspected to have conducted reconnaissance on breached networks, exploited one of the Virtual Private Networks (VPNs) using the Ivanti Connect Secure zero-day vulnerabilities and circumvented multi-factor authentication through session hijacking.

After deploying the ROOTROT Web shell, the threat actor analyzed the NERVE environment and initiated communication with several ESXi hosts, gaining control over MITRE's VMware infrastructure. They then introduced a Golang backdoor named BRICKSTORM and an undisclosed Web shell named BEEFLUSH. BRICKSTORM is a Go-based backdoor designed to target VMware vCenter servers. It is capable of configuring itself as a web server, manipulating file systems and directories, conducting file operations like uploading and downloading, executing shell commands, and facilitating SOCKS relaying.

These steps ensured continuous access, enabling the adversary to execute arbitrary commands and communicate with command-and-control servers. The adversary employed SSH manipulation and ran suspicious scripts to retain control over the compromised systems.

Additional Threatening Tools Used Alongside ROOTROT

Further analysis has revealed that the threat actor deployed another Web shell called WIREFIRE (also known as GIFTEDVISITOR) a day after the public disclosure of the two vulnerabilities on January 11, 2024. This deployment was aimed at enabling covert communication and data exfiltration.

In addition to using the BUSHWALK web shell to transmit data from the NERVE network to their Command-and-Control infrastructure, the adversary reportedly made attempts to move laterally and maintain persistence within NERVE from February to mid-March 2024.

During their activities, the attackers executed a ping command targeting one of MITRE's corporate domain controllers and tried to move laterally into MITRE systems, though these attempts were ultimately unsuccessful.
