The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

KrustyLoader Backdoor

Mar 11, 2024 3:09:11 PM / by The Hivemind

Verticals Targeted: Government, Defense, Finance, Technology, Telecommunications, Aerospace, Pharmaceuticals

Executive Summary

Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor with both Windows and Linux variants.

Key Takeaways

  • Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor. 
  • Both Linux and Windows variants of KrustyLoader have been observed. 
  • In late 2023 and early 2024, a Linux variant of KrustyLoader was deployed on compromised Ivanti Connect Secure and Ivanti Policy Secure devices. 
  • The China-nexus threat actor group UNC5221 is thought to be responsible for the attacks.
  • Threat actors were also observed exploiting ConnectWise ScreenConnect and deploying a Windows variant of KrustyLoader. 

What is KrustyLoader?

Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor. Both Linux and Windows variants of KrustyLoader have been observed.

Linux Variant

In late 2023 and early 2024, a Linux variant of KrustyLoader was deployed on compromised Ivanti devices. The China-nexus threat actor group UNC5221 is thought to be responsible for the attacks. The threat actors chained two critical vulnerabilities, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), to achieve unauthenticated remote code execution. Both vulnerabilities affect Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways.

The threat actors leveraged Rust payloads that downloaded and executed KrustyLoader. KrustyLoader, in turn, downloaded the Sliver post-exploitation framework. Ivanti has since released patches for both vulnerabilities, but appliances that have not been patched remain exploitable.

Windows Variant

WithSecure reported on additional activity leveraging KrustyLoader. WithSecure analysts observed threat actors exploiting ConnectWise ScreenConnect and deploying a Windows variant of KrustyLoader. They stated that the Windows version operates similarly to the previously discovered Linux variant: it is Rust-based, initial-stage malware used to download and launch a second-stage payload. As noted above, the second-stage payload is often Sliver.

WithSecure described the Windows infection chain as follows. The threat actor drops a batch file named r.bat in two different directories on the victim machine and then launches it. The script deletes previous copies of the dropped artifacts and randomly selects one of several predefined AWS S3 URLs hosting the KrustyLoader payload. It then creates a file named C:\Windows\Temp\0 and attempts to download the payload to C:\Windows\Temp\1.exe. Finally, the KrustyLoader payload is launched.
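The chain above (r.bat launched, the C:\Windows\Temp\0 marker created, the payload written to C:\Windows\Temp\1.exe, then executed) is more useful as a detection when the stages are correlated per host than when any one of them is matched alone, since a batch file called r.bat or a file in Temp is not suspicious by itself. The following is an added example written for this bulletin, not code from PolySwarm or WithSecure: it reads Sysmon-style process-creation (event ID 1) and file-creation (event ID 11) events as JSON lines and tracks the stages in order for each host. The events are constructed; the r.bat location and the parent processes in them are assumptions, as WithSecure's write-up does not name them.

```python
import json
import re

# Constructed Sysmon-style events (JSON lines), not real telemetry.
# event_id 1 = process creation, 11 = file creation. Host ws01 shows the
# chain described by WithSecure; the r.bat path and the parent process are
# assumed for the sample. Host ws02 is benign noise that merely mentions r.bat.
SAMPLE_LOG = r'''
{"host": "ws01", "event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c C:\\Users\\Public\\r.bat"}
{"host": "ws01", "event_id": 11, "image": "C:\\Windows\\System32\\cmd.exe", "target_filename": "C:\\Windows\\temp\\0"}
{"host": "ws01", "event_id": 11, "image": "C:\\Windows\\System32\\cmd.exe", "target_filename": "C:\\Windows\\Temp\\1.exe"}
{"host": "ws01", "event_id": 1, "image": "C:\\Windows\\Temp\\1.exe", "command_line": "C:\\Windows\\Temp\\1.exe"}
{"host": "ws02", "event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\scripts\\r.bat"}
'''

# r.bat as a whole token in a command line (preceded by a separator or start,
# followed by whitespace, a quote, or the end of the string).
RBAT = re.compile(r"""(?:^|[\\/\s"'])r\.bat(?=$|[\s"'])""", re.IGNORECASE)


def norm_path(p):
    """Lower-case and unify slashes so Temp/temp and / vs \\ compare equal."""
    return (p or "").replace("/", "\\").lower()


# Ordered stages of the chain: (label, predicate over a single event).
STAGES = [
    ("r.bat launched",
     lambda e: e.get("event_id") == 1 and bool(RBAT.search(e.get("command_line", "")))),
    ("marker file C:\\Windows\\Temp\\0 created",
     lambda e: e.get("event_id") == 11 and norm_path(e.get("target_filename")) == r"c:\windows\temp\0"),
    ("payload written to C:\\Windows\\Temp\\1.exe",
     lambda e: e.get("event_id") == 11 and norm_path(e.get("target_filename")) == r"c:\windows\temp\1.exe"),
    ("C:\\Windows\\Temp\\1.exe executed",
     lambda e: e.get("event_id") == 1 and norm_path(e.get("image")) == r"c:\windows\temp\1.exe"),
]


def parse_events(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def track_chain(events):
    """Return {host: [labels of stages matched so far, in order]}.

    A host only advances to stage k+1 after stage k has been seen, so the
    order script -> marker -> download -> execution is enforced; an isolated
    r.bat launch stops at stage 1.
    """
    progress = {}
    for e in events:
        host = e.get("host", "?")
        seen = progress.setdefault(host, [])
        if len(seen) < len(STAGES):
            label, pred = STAGES[len(seen)]
            if pred(e):
                seen.append(label)
    return progress


def alerts(log_text, min_stages=3):
    """Hosts on which at least min_stages consecutive stages were observed."""
    chains = track_chain(parse_events(log_text))
    return sorted(h for h, seen in chains.items() if len(seen) >= min_stages)


if __name__ == "__main__":
    for host, seen in track_chain(parse_events(SAMPLE_LOG)).items():
        print(host, "->", seen)
    print("alert on:", alerts(SAMPLE_LOG))
```

With the sample data, ws01 completes all four stages and is reported, while ws02 only matches the r.bat stage and is not. The fixed file names are the weakest part of the signature, since an operator can rename them trivially; the ordered sequence of a script dropping a marker file in Temp, downloading an executable there, and running it is what survives such changes, so keep the stage predicates loose and the correlation strict.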

Who is UNC5221?

UNC5221, also known as UTA0178, is a threat actor group assessed to be China-nexus. The group appears to be focused on espionage and tends to select targets strategically rather than opportunistically. Little is known about UNC5221 at this time. However, the group has been observed using other distinct malware, including the CHAINLINE backdoor, the FRAMESTING, WIREFIRE, LIGHTWIRE, and BUSHWALK webshells, the WARPWIRE credential stealer, and the ZIPLINE backdoor.

IOCs

PolySwarm has multiple samples associated with KrustyLoader. SHA-256 hashes:

e1c31f503da20c8326b566ec042db1f0d3b56fe3579ae37398ff3f6fa5bc54d2
415a70897761c65c3ff59b686d2b1c69a56df06cbf9fbff5dec03751b51d53db
c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28
47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04
95ffea9b7c5c2e18f7fc801290d4bb2777c05e468e5b3e513a597c41ec9b36fc
c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026
41aa6b45277445d34060d8cd00a528b08636b86605bbafe643357f2614b66887
e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2
ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815
030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0
f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201
49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea
816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17
bc7c7280855c384e5a970a2895363bd5c8db9088977d129b180d3acb1ec9148a


You can use the following CLI command to search for all KrustyLoader samples in our portal:

$ polyswarm link list -f KrustyLoader

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 

Topics: Threat Bulletin, Windows, Linux, Backdoor, KrustyLoader, Ivanti, UNC5221
