Krustyloader

Malware updated 2 months ago (2024-08-14T10:04:03.209Z)

Download STIX

Preview STIX

KrustyLoader is a malicious software (malware) that has emerged as a significant threat to both Windows and Linux systems. This backdoor malware, known for its disruptive capabilities, can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The first notable instance of KrustyLoader being deployed occurred on March 12, 2024. Cybersecurity experts noted that threat actors exploited vulnerabilities in Ivanti's Virtual Private Network (VPN) software to deliver the malware. The exploitation of these bugs allowed the attackers to bypass security measures and install the KrustyLoader malware onto unsuspecting systems. The situation was further exacerbated by the involvement of the hacker group known as Magnet Goblin. This group capitalized on one-day flaws in both Windows and Linux systems to deploy a custom version of the KrustyLoader malware. The combination of the Ivanti VPN bugs and the one-day flaws provided an effective delivery mechanism for this harmful software, highlighting the importance of timely system updates and robust cybersecurity measures.

Description last updated: 2024-08-14T08:49:05.914Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sliver is a possible alias for Krustyloader. Sliver is an open-source, cross-platform tool created by Senior Security Associate Joe DeMesy and Security Associate Ronan Kervella. It was introduced at SummerCon in June 2019 and is currently in beta. Sliver supports command and control (C2) over Mutual-TLS, HTTP(S), and DNS and can be used as par	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Ivanti

Zero Day

Exploit

Sliver

Malware

Vpn

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2024-21887 Vulnerability is associated with Krustyloader. CVE-2024-21887 is a command injection vulnerability found in the web components of Ivanti Connect Secure and Ivanti Policy Secure, specifically in versions 9.x and 22.x. The Cyber Centre was made aware of this flaw, along with an authentication bypass vulnerability (CVE-2023-46805), on January 10, 2	Unspecified	2
The CVE-2023-46805 Vulnerability is associated with Krustyloader. CVE-2023-46805 is an authentication bypass vulnerability that affects all supported versions of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x). The Cyber Centre first became aware of this flaw, along with a command injection vulnerability (CVE-2024-21887), on January 10, 2024	Unspecified	2

Source Document References

Information about the Krustyloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	2 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	2 months ago	security-affairs-malware-newsletter-round-5
CERT-EU	7 months ago	SUSE: 2024:0862-1 moderate: zabbix
Securityaffairs	3 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	3 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	3 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	3 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	4 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	4 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	4 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs	7 months ago	Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs	7 months ago	Security Affairs newsletter Round 464 by Pierluigi Paganini
CERT-EU	7 months ago	SUSE: 2024:0912-1 important: openvswitch \| LinuxSecurity.com
Securityaffairs	7 months ago	Security Affairs newsletter Round 463 by Pierluigi Paganini
CERT-EU	7 months ago	Mageia 2024-0069: jackson-databind security update \| LinuxSecurity.com