elf.pitsock

PITSOCK


According to Mandiant, PITSOCK is a backdoor that hooks the accept and setsockopt functions of the web process by modifying its procedure linkage table (PLT). This enables backdoor communication over the Unix domain socket /tmp/clientsDownload.sock once a specific 48-byte magic byte sequence is received in the incoming buffer.

References
2024-02-27 | Mandiant | Ashley Frazer, Ashley Pearson, Austin Larsen, Jacob Thompson, Matt Lin, Robert Wallace, Ryan Gandrud
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
Families covered: BUSHWALK, Kubo Injector, PITFUEL, PITHOOK, PITSOCK

There is no YARA signature yet.