LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428)

LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches. (Citation: Mandiant Cutting Edge Part 3 February 2024)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428) | Malware | 1 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428) | Malware | 1 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428) | Malware | 1 |
| LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428) | Malware | Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) | Attack Pattern | 1 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428) | Malware | 1 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428) | Malware | 1 |
| LITTLELAMB.WOOLTEA - S1121 (19256855-65e9-48f2-8b74-9f3d0a994428) | Malware | Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | 1 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |