Skip to content

Hide Navigation Hide TOC

WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9)

WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.(Citation: Mandiant Cutting Edge January 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9) Malware 1
WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9) Malware 1
WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9) Malware Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) Attack Pattern 1
WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 1
WIREFIRE - S1115 (c93e3079-43fb-4d8d-9e99-db63d07eadc9) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2