KrustyLoader Backdoor

Verticals Targeted: Government, Defense, Finance, Technology, Telecommunications, Aerospace, Pharmaceuticals

Executive Summary

Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor with both Windows and Linux variants.

Key Takeaways

Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor.
Both Linux and Windows variants of KrustyLoader have been observed.
In late 2023 and early 2024, a Linux variant of KrustyLoader was used to target Avanti devices.
China nexus threat actor group UNC5221 is thought to be responsible for the attacks.
Threat actors were also observed exploiting ScreenConnect and deploying a Windows variant of KrustyLoader.

What is KrustyLoader?

Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor. Both Linux and Windows variants of KrustyLoader have been observed.

Linux Variant

In late 2023 and early 2024, a Linux variant of KrustyLoader was used to target Avanti devices. China nexus threat actor group UNC5221 is thought to be responsible for the attacks. The threat actors were observed using two critical vulnerabilities, CVE-2024-21887 and CVE-2023-46805, for unauthenticated RCE or authentication bypass. The vulnerabilities affect Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateway devices.

The threat actors leveraged Rust payloads, which downloaded and executed KrustyLoader. KrustyLoader, in turn, downloaded the post-exploitation toolkit Sliver. While the named vulnerabilities have since been patched, unpatched systems are still susceptible to the vulnerabilities.

Windows Variant

WithSecure reported on additional activity leveraging KrustyLoader. WithSecure analysts observed threat actors exploiting ScreenConnect and deploying a Windows variant of KrustyLoader. They stated the Windows version of KrustyLoader operates similarly to the previously discovered Linux variant. It is a Rust-based initial-stage malware used to download and launch a second-stage payload. As noted above, the second-stage payload is often Sliver.

WithSecure described the Windows variant infection chain, noting the threat actor drops a batch file called r.bat on the victim machine in two different directories and then launches the script. The script removes previous copies of dropped artifacts and randomly selects a predefined AWS S3 URL, which hosts the KrustyLoader payload. It then creates a file named C:\Windows\temp\0 and attempts to download the payload as C:\Windows\Temp\1.exe. Finally, the KrustyLoader payload is launched.

Who is UNC5221?

UNC5221, also known as UTA0178, is a threat actor group thought to be of China nexus. The group appears to be focused on espionage and tends to target strategically instead of opportunistically. Little is known about UNC5221 at this time. However, the group has been observed using other distinct malware including CHAINLINE backdoor, FRAMESTING webshell, WIREFIRE webshell, LIGHTWIRE webshell, BUSHWALK webshell, WARPWIRE stealer, and ZIPLINE backdoor.

IOCs

PolySwarm has multiple samples associated with KrustyLoader.

e1c31f503da20c8326b566ec042db1f0d3b56fe3579ae37398ff3f6fa5bc54d2

415a70897761c65c3ff59b686d2b1c69a56df06cbf9fbff5dec03751b51d53db

c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28

47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04

95ffea9b7c5c2e18f7fc801290d4bb2777c05e468e5b3e513a597c41ec9b36fc

c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026

41aa6b45277445d34060d8cd00a528b08636b86605bbafe643357f2614b66887

e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2

ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815

030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0