1. Home
  2. Software
  3. GLASSTOKEN

GLASSTOKEN

GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[1]

ID: S1117
Type: MALWARE
Platforms: Network
Version: 1.0
Created: 06 March 2024
Last Modified: 06 March 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GLASSTOKEN can use PowerShell for command execution.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

GLASSTOKEN has hexadecimal and Base64 encoded C2 content.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

GLASSTOKEN is a web shell capable of tunneling C2 connections and code execution on compromised Ivanti Secure Connect VPNs.[1]

Campaigns

ID Name Description
C0029 Cutting Edge

[1]

References

  1. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.