Cyberattackers Exploit Ivanti Connect Secure Vulnerabilities to Deploy MetaRAT Malware
In April 2025, security researchers disclosed a campaign targeting Japanese shipping and transportation companies. The attackers, attributed to a China-based group, exploited vulnerabilities in Ivanti Connect Secure (ICS) appliances to get into the victims' networks and deploy malware including the newly identified MetaRAT and Talisman PlugX.
Exploitation of Ivanti Connect Secure Vulnerabilities
The attackers leveraged two severe vulnerabilities in ICS to gain initial access:
– CVE-2024-21893: A server-side request forgery (SSRF) flaw in the SAML component of ICS that lets an unauthenticated attacker reach certain restricted resources on the appliance (CVSS 8.2, High).
– CVE-2024-21887: A command injection flaw in the web components of ICS that lets an authenticated administrator execute arbitrary commands on the appliance (CVSS 9.1, Critical).
Chained together, the SSRF supplies the access that the command injection otherwise requires, so the pair yields unauthenticated command execution on the appliance. That is the foothold from which the rest of the intrusion was run.
Attack Chain and Malware Deployment
Once inside the network, the attackers executed a multi-stage attack:
1. Initial Compromise: Exploited ICS vulnerabilities to gain unauthorized access.
2. Persistence Establishment: Installed malware on compromised devices to maintain access.
3. Reconnaissance: Conducted detailed mapping of the network environment and gathered system credentials.
4. Lateral Movement: Used stolen credentials, particularly Active Directory privileged accounts, to move across the network.
5. Malware Deployment: Systematically deployed PlugX variants, including MetaRAT and Talisman PlugX, on multiple internal servers.
This methodical approach underscores the attackers’ deep understanding of enterprise network structures and their ability to exploit them effectively.
Discovery and Analysis of MetaRAT
Security analysts from LAC Watch identified MetaRAT during forensic examination of compromised ICS appliances. The system logs held critical errors (ERR31093) for invalid SAML payloads, a sign of CVE-2024-21893 exploitation, and the file system held files matching known appliance implants such as LITTLELAMB.WOOLTEA, PITSOCK, and PITFUEL.
Technical Details of MetaRAT
MetaRAT represents an evolution in the PlugX remote access trojan family. Key characteristics include:
– Execution Method: DLL side-loading. A legitimate executable is dropped next to a malicious DLL carrying the file name it expects (mytilus3.dll); the DLL is loaded into that trusted process and then decrypts and executes the MetaRAT payload.
– Encryption and Compression: The payload is wrapped in layered encryption (a single-byte XOR with key 0xA6 followed by AES-256-ECB) and LZNT1 compression so that the stored payload does not match signatures. ECB mode has no IV and every block decrypts independently under the same key, so once an analyst recovers the key from the loader the payload can be decrypted statically without running it.
– Anti-Analysis Techniques: Windows API functions are resolved at run time from hashes rather than imported by name, leaving static tools little to work with in the import table, and anti-debugging checks wipe the decryption keys when a debugger is detected, so a debugger-attached run never yields a decrypted payload.
These sophisticated techniques make MetaRAT particularly challenging for security tools to detect and analyze.
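As an added illustration, not code from the LAC analysis or from the malware itself, the following Go program shows what stripping those layers looks like for an analyst who has already recovered the key: remove the single-byte XOR, decrypt AES-256-ECB block by block, then LZNT1-decompress the result. The LZNT1 decoder follows the MS-XCA chunk and token format and includes the bounds checks any parser of attacker-controlled data needs. Assumptions: the XOR is the outermost layer and LZNT1 the innermost, the 32-byte key is a placeholder, and the blob is a hand-assembled test vector rather than data from a real sample.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// demoKey is a placeholder AES-256 key (a real one would be recovered from the
// side-loaded DLL); sampleStream is a hand-assembled LZNT1 test vector, not real MetaRAT data.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var sampleStream = []byte{
	0x0B, 0xB0, // chunk 1 header: compressed, signature 011, 12 payload bytes
	0x00, 'M', 'e', 't', 'a', 'R', 'A', 'T', ':', // flags 0x00: eight literals
	0x01, 0x0D, 0x70, // flags 0x01: copy token 0x700D = offset 7+1, length 13+3
	0x0D, 0x30, ' ', '(', 't', 'e', 's', 't', ' ', 'v', 'e', 'c', 't', 'o', 'r', ')', // chunk 2: stored, 14 bytes
	0x00, 0x00, // end of stream; 32 bytes in total, so no AES padding is needed
}

func xorLayer(data []byte, key byte) []byte { // symmetric: applies and removes the XOR layer
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// aesECB encrypts or decrypts 16-byte blocks independently: no IV, no chaining.
func aesECB(key, data []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data)%aes.BlockSize != 0 { return nil, fmt.Errorf("%d bytes is not a multiple of the block size", len(data)) }
	op := block.Encrypt
	if decrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		op(out[i:], data[i:])
	}
	return out, nil
}

// lznt1Decompress decodes an LZNT1 stream (MS-XCA). Chunk header (LE uint16): bit 15 =
// compressed, bits 12-14 = signature 011, bits 0-11 = payload length minus one; a zero header
// ends the stream. In a compressed chunk each flag byte covers eight tokens: clear bit = one
// literal byte, set bit = 16-bit copy token with (length-3) in the low and (offset-1) in the high bits.
func lznt1Decompress(src []byte) ([]byte, error) {
	var out []byte
	for pos := 0; pos+2 <= len(src); {
		hdr := binary.LittleEndian.Uint16(src[pos:])
		if hdr == 0 { break }
		pos += 2
		end := pos + int(hdr&0x0FFF) + 1
		if end > len(src) { return nil, fmt.Errorf("chunk at %d runs past end of input", pos-2) }
		if hdr&0x8000 == 0 { // stored chunk: copy through
			out, pos = append(out, src[pos:end]...), end
			continue
		}
		chunkStart := len(out)
		for pos < end {
			flags := src[pos]
			pos++
			for bit := 0; bit < 8 && pos < end; bit++ {
				if flags&(1<<bit) == 0 { // literal byte
					out, pos = append(out, src[pos]), pos+1
					continue
				}
				if pos+2 > end { return nil, fmt.Errorf("truncated copy token at %d", pos) }
				token := binary.LittleEndian.Uint16(src[pos:])
				pos += 2
				// The offset field widens as the chunk fills: 4 bits while at most 16 bytes
				// have been produced, 5 up to 32, 6 up to 64, and so on.
				lenMask, offShift := uint16(0x0FFF), uint(12)
				for p := len(out) - chunkStart - 1; p >= 0x10; p >>= 1 {
					lenMask >>= 1
					offShift--
				}
				length, offset := int(token&lenMask)+3, int(token>>offShift)+1
				if offset > len(out)-chunkStart { return nil, fmt.Errorf("copy token at %d reaches before chunk start", pos-2) }
				for i := 0; i < length; i++ { // byte-wise, so overlapping copies work
					out = append(out, out[len(out)-offset])
				}
			}
		}
	}
	return out, nil
}

// unpack peels the layers in the order an analyst would: XOR, AES-256-ECB, then LZNT1.
func unpack(blob, key []byte) ([]byte, error) {
	plain, err := aesECB(key, xorLayer(blob, 0xA6), true)
	if err != nil { return nil, err }
	return lznt1Decompress(plain)
}

func main() {
	enc, _ := aesECB(demoKey, sampleStream, false) // wrap the vector the way the loader stores it
	payload, err := unpack(xorLayer(enc, 0xA6), demoKey)
	fmt.Printf("%q %v\n", payload, err) // "MetaRAT:MetaRAT:MetaRAT: (test vector)" <nil>
}
```

The point worth keeping from this is that ECB with a static key makes the whole payload statically decryptable once the loader's key is extracted from the DLL; the anti-debugging key wipe only bites if the key is sought by running the loader under a debugger rather than reading it out of the file.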
Vulnerability Details
The following table summarizes the exploited vulnerabilities:
| CVE ID | Description | Severity | Impact | Detection Method |
|---|---|---|---|---|
| CVE-2024-21893 | SSRF in the SAML component of Ivanti Connect Secure | High (CVSS 8.2) | Unauthenticated access to certain restricted resources on the appliance | ERR31093 critical errors for invalid SAML payloads in the system logs |
| CVE-2024-21887 | Command injection in the web components of Ivanti Connect Secure | Critical (CVSS 9.1) | Arbitrary command execution on the appliance; initial intrusion and malware deployment | Unexpected files on the appliance matching known implants (e.g., LITTLELAMB.WOOLTEA, PITSOCK, PITFUEL) |
Recommendations for Organizations
Organizations utilizing Ivanti Connect Secure should take the following actions:
1. Apply Security Patches: Update every ICS appliance to a fixed version. Ivanti's guidance for these vulnerabilities was to factory-reset the appliance before applying the patch, so that an implant already present does not survive the upgrade.
2. Monitor System Logs: Review appliance logs for indicators of compromise such as ERR31093, and forward them off-box to a SIEM, since an attacker with command execution on the appliance can also alter the local logs.
3. Run the Integrity Checker Tool: Ivanti provides an internal and an external ICT; prefer the external one, because a checker that runs on a compromised appliance can itself be tampered with, and treat any ICT failure as a compromise until proven otherwise.
4. Enhance Network Security: Restrict what the appliance can reach internally and segment so that a compromised VPN gateway is not a direct path to domain controllers. The lateral movement in this campaign ran on stolen privileged Active Directory accounts, so those accounts warrant the tightest monitoring and the fewest standing rights.
5. Educate Staff: Provide training on recognizing phishing and other common attack vectors to reduce the risk of credential theft.
By addressing these vulnerabilities promptly and strengthening overall security posture, organizations can better defend against threats like MetaRAT.