ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | ArcaneDoor included the use of dedicated, adversary-controlled virtual private servers for command and control.[1]
Enterprise | T1583.006 | Acquire Infrastructure: Web Services | ArcaneDoor included the use of OpenConnect VPN Server instances for conducting actions on victim devices.[1]
Enterprise | T1557 | Adversary-in-the-Middle | ArcaneDoor included interception of HTTP traffic to victim devices to identify and parse command and control information sent to the device.[1]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ArcaneDoor command and control activity was conducted through HTTP.[1]
Enterprise | T1119 | Automated Collection | ArcaneDoor included collection of packet capture and system configuration information.[2]
Enterprise | T1020 | Automated Exfiltration | ArcaneDoor included scripted exfiltration of collected data.[2]
Enterprise | T1037 | Boot or Logon Initialization Scripts | ArcaneDoor used malicious boot scripts to install the Line Runner backdoor on victim devices.[1]
Enterprise | T1059 | Command and Scripting Interpreter | ArcaneDoor included the adversary executing command line interface (CLI) commands.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | ArcaneDoor involved the use of Base64 obfuscated scripts and commands.[1]
Enterprise | T1587.001 | Develop Capabilities: Malware | ArcaneDoor featured the development and deployment of two unique malware types, Line Dancer and Line Runner.[2][1]
Enterprise | T1587.003 | Develop Capabilities: Digital Certificates | ArcaneDoor included acquiring digital certificates mimicking patterns associated with Cisco ASA appliances for command and control infrastructure.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | ArcaneDoor included use of existing command and control channels for data exfiltration.[1][2]
Enterprise | T1190 | Exploit Public-Facing Application | ArcaneDoor abused WebVPN traffic to targeted devices to achieve unauthorized remote code execution.[2]
Enterprise | T1133 | External Remote Services | ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices.[2]
Enterprise | T1562.001 | Impair Defenses: |