ZIPLINE

Description

(Mandiant) ZIPLINE is a passive backdoor that hijacks an exported function, accept(), from the file libsecure.so. When ZIPLINE invokes the hijacked accept() function, it first resolves the benign accept() from libc, to intercept network traffic. Once an incoming connection is registered, it is first processed by the benign libc_accept, and ZIPLINE then checks if the process name is “web”. The malware retrieves up to 21 bytes from the connected host, verifying if the received buffer corresponds to the string “SSH-2.0-OpenSSH_0.3xx.” If so, the malicious functionality of ZIPLINE is triggered. ZIPLINE will then receive an encrypted header which specifies the command to be executed. Further details about this hijacking technique for the accept() function can be found in this SecureIdeas post.

Names

Name
ZIPLINE

Type

Backdoor

Information

https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

Mitre Attack

https://attack.mitre.org/software/S1114

Other Information

Uuid

0d86ae8d-ba7a-4d4e-b182-08cd539bf78a

Last Card Change

2024-06-19

Threat Intelligence Garden

Explorer

ZIPLINE

ZIPLINE

Description

Names

Category

Type

Information

Mitre Attack

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks