ROOTROT Malware Used by Chinese Threat Actor
The MITRE Corporation has provided additional information about a recent cyber attack, revealing that the earliest signs of intrusion date back to December 31, 2023. This attack, disclosed last month, targeted MITRE's NERVE (Networked Experimentation, Research, and Virtualization Environment) by exploiting two zero-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887).
According to MITRE, the attackers accessed the research network through compromised VMware infrastructure using an administrator account. They then used backdoors and web shells to maintain access and collect credentials.
New Details Emerge in Further Analysis
Although MITRE had previously reported reconnaissance activities starting in January 2024, a detailed analysis now reveals that the compromise began in late December 2023 with the deployment of a Perl-based web shell named ROOTROT.
This web shell was embedded in a legitimate Connect Secure .ttc file and was associated with a Chinese cyber espionage group named UNC5221, which is known for other web shells like BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
After deploying ROOTROT, the attackers profiled the NERVE environment, communicated with ESXi hosts, took control of MITRE's VMware infrastructure, and deployed a Golang backdoor called BRICKSTORM and an undisclosed web shell named BEEFLUSH for persistent access and command execution.
MITRE's Lex Crumpton explained that the attackers used techniques like SSH manipulation and running suspicious scripts to maintain control. Additionally, another web shell called WIREFIRE (or GIFTEDVISITOR) was deployed for covert communication and data theft shortly after the public disclosure of the vulnerabilities on January 11, 2024.