A cyberattack campaign targeting Japanese shipping and transportation companies has been uncovered in which threat actors exploited critical vulnerabilities in Ivanti Connect Secure (ICS) appliances to deploy new PlugX malware variants, including MetaRAT. The campaign, identified in April 2025, illustrates the ongoing risk that advanced persistent threat (APT) groups pose to critical infrastructure and supply chain operations.
The attackers leveraged two vulnerabilities, CVE-2024-21893 and CVE-2024-21887, to gain initial unauthorized access to the networks of these Japanese firms. Once inside, they established a persistent foothold and deployed several PlugX strains to support further reconnaissance and lateral movement within the compromised environments. The incident underscores the importance of promptly patching edge appliances such as Ivanti Connect Secure against known exploits: a VPN gateway terminates sessions for the whole organization, so compromising that one device yields a position inside the network perimeter.
Attackers Exploit Ivanti Vulnerabilities for MetaRAT Deployment
The attack chain used by the China-based threat group shows a calculated approach to network infiltration. After compromising the Ivanti Connect Secure appliances through the vulnerabilities above, the attackers established a beachhead by deploying malware onto the targeted devices, which then served as a pivot point for broader activity. The choice of PlugX variants, a well-known family of remote access trojans (RATs), points to espionage and long-term network access as the objectives.
Following the initial intrusion, the attackers carried out extensive reconnaissance, mapping the internal network topology and identifying key systems and potential targets. This included harvesting system credentials, a standard step toward privilege escalation and movement across the network. The resulting picture of the target's network structure let them pursue their objectives efficiently.
A significant aspect of this campaign was the use of stolen credentials, in particular those of privileged Active Directory accounts. These credentials gave the attackers elevated access and let them move laterally across the organization's infrastructure with greater ease and stealth. With high-privilege accounts in hand, the threat actors could bypass many standard access controls, since their activity looked like legitimate administration rather than an intrusion, which significantly increased their reach and potential impact.
The systematic deployment of PlugX variants, including the newly identified MetaRAT and Talisman PlugX, onto multiple internal servers was a key objective. This provided persistence within the compromised environment and allowed the attackers to maintain and expand control over the victim's network, potentially undetected for extended periods. The multi-stage attack reflects a mature operational methodology and a good understanding of typical enterprise network architectures.
Introduction of the MetaRAT Malware
LAC Watch security analysts uncovered the details of this campaign through forensic analysis of compromised Ivanti appliances. Their investigation found critical error log entries containing the code ERR31093, which the appliance records when it fails to process a SAML payload; the entries correlate directly with exploitation of CVE-2024-21893, the flaw in the SAML component. This error signature was the crucial clue in tracing the initial access vector and set the stage for identifying the deployed malware.
Further analysis, including a run of Ivanti's Integrity Checker Tool (ICT), uncovered suspicious files matching known malware families: LITTLELAMB.WOOLTEA, PITSOCK and PITFUEL, all previously documented in earlier campaigns against the same appliances. Because a compromised appliance can misreport its own state, the externally run version of the ICT is the one to trust when checking a device suspected of compromise. The presence of these established indicators alongside the newly identified MetaRAT suggests a mix of proven and evolving tooling in the attacker's arsenal.
MetaRAT represents a notable evolution within the PlugX RAT family. While this variant has reportedly been active since at least 2022, it remained unnamed and uncharacterized by researchers until this discovery. Its emergence shows how sophisticated threat actors keep developing and adapting their malware, which demands ongoing vigilance from defenders.
Security researchers have detailed MetaRAT's execution flow, which relies on DLL side-loading: a legitimate, typically signed, executable is tricked through its DLL search order into loading a malicious library with the file name it expects, so the malicious code runs inside a trusted process and evades naive allow-listing. The loader component, mytilus3.dll, reads an encrypted shellcode file named materoll and decrypts it with a single-byte XOR using the key 0xA6.
The decrypted shellcode then decrypts the core MetaRAT payload, which is additionally compressed with LZNT1, the format Windows' RtlDecompressBuffer handles. Layering encryption and compression obfuscates the payload, keeps the final module off disk in plaintext, and hinders detection by signature-based tools.
Once decompressed in memory, the actual MetaRAT module starts execution through its exported functions. To stay evasive, it uses API hashing: instead of naming the Windows API functions it needs in an import table or as plaintext strings, it resolves them at runtime by hashing export names and comparing the results against stored hash values, which denies static analysis the usual list of imports. The malware also incorporates anti-debugging checks; if a debugger is detected, it can destroy its decryption keys or terminate itself to frustrate analysis.
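As an added example (not code from LAC's write-up and not the malware's own code), the following Python reproduces the two unpacking transformations the write-up documents, a single-byte XOR with 0xA6 followed by LZNT1 decompression, so an analyst can recover the in-memory stage from a carved blob. The intermediate decryption the shellcode performs is not described, so the script assumes the XOR-decoded bytes are already the LZNT1 stream; the sample blob is constructed by hand rather than taken from a real materoll file.

```python
"""Triage helper for the MetaRAT unpacking chain (added example).

Reproduces the two documented steps: single-byte XOR with 0xA6, then
LZNT1 decompression. Assumption: the shellcode's own decryption step is
not described, so the XOR-decoded bytes are fed straight into LZNT1.
"""
import struct

XOR_KEY = 0xA6  # key reported for the materoll blob


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream (the format RtlDecompressBuffer handles).

    The stream is a sequence of chunks, each with a 16-bit little-endian
    header: bits 0-11 hold (compressed length - 1), bit 15 says whether the
    chunk body is compressed. A zero header ends the stream.
    """
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        if not header & 0x8000:          # stored chunk, copied verbatim
            out += chunk
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]             # one flag bit per following token
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:   # literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # The length/offset split slides as the chunk fills:
                # 4 offset bits + 12 length bits for the first 16 bytes,
                # one more offset bit each time the written size doubles.
                p = len(out) - chunk_start - 1
                len_mask, off_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                if offset > len(out) - chunk_start:
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):      # byte-wise so overlaps repeat
                    out.append(out[-offset])
    return bytes(out)


def unpack_stage(blob: bytes) -> bytes:
    """XOR-decode, then LZNT1-decompress, in the order the loader chain does."""
    return lznt1_decompress(xor_decode(blob))


def looks_like_pe(payload: bytes) -> bool:
    """Cheap sanity check that the recovered stage is a PE image."""
    return payload[:2] == b"MZ"


# Constructed sample: a hand-built LZNT1 stream (one compressed chunk, one
# stored chunk, terminator) whose plaintext starts with "MZ", XOR-encoded
# with 0xA6 so it resembles a carved materoll blob. Not a real artefact.
_LZNT1_SAMPLE = bytes.fromhex(
    "07b0"                 # compressed chunk, 8 bytes of body
    "204d5a414243"         # flags 0x20: literals M Z A B C
    "0620"                 # token: offset 3, length 9 -> "ABCABCABC"
    "0130" "5859"          # stored chunk "XY"
    "0000"                 # end of stream
)
CONSTRUCTED_BLOB = xor_decode(_LZNT1_SAMPLE)  # encoding == decoding for XOR

if __name__ == "__main__":
    stage = unpack_stage(CONSTRUCTED_BLOB)
    print(stage, looks_like_pe(stage))  # b'MZABCABCABCABCXY' True
```

When pointing this at a real dump, run it on the bytes from the point where the shellcode's own decryption has been undone; an `MZ` at offset zero of the result is the quickest sign that the layering was peeled in the right order, and a `ValueError` from the back-reference check usually means the stream start was guessed wrong.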
Vulnerability Details and Mitigation
Both vulnerabilities exploited in this attack are rated critical and pose significant risk to organizations relying on Ivanti Connect Secure for remote access. CVE-2024-21893 is a server-side request forgery (SSRF) flaw in the appliance's SAML component that lets an unauthenticated attacker reach restricted resources; the malformed SAML payloads sent during exploitation are what produce the ERR31093 critical error entries, so the appearance of that code in the appliance logs is a direct detection method.
CVE-2024-21887 is a command injection vulnerability in the appliance's web components that gives arbitrary command execution; chained with the SSRF for the unauthenticated reach it needs, it enabled the initial intrusion and the subsequent malware deployment. The presence on the appliance of files matching LITTLELAMB.WOOLTEA, PITSOCK or PITFUEL is a key indicator of exploitation. Organizations are advised to apply the security patches Ivanti has released for affected Connect Secure versions immediately and, because patching does not evict an attacker who already has a foothold, to treat any appliance that was exposed while unpatched as potentially compromised until it has been checked.
Beyond patching, ongoing monitoring for signs of compromise is essential. A service registered under the name sihosts and registry keys named matesile may indicate an active MetaRAT infection; since sihosts resembles the legitimate Windows Shell Infrastructure Host (sihost.exe), match the name exactly rather than by substring. The presence of keylog files such as VniFile.hlp in the %ALLUSERSPROFILE%\mates directory is a strong indicator of an affected system.
The immediate next step for organizations using Ivanti Connect Secure is to verify that all relevant patches have been applied and to investigate their networks thoroughly for the indicators of compromise described by the researchers. The evolving nature of these threats means continuous monitoring and adaptive defenses remain essential against sophisticated state-sponsored cyberespionage campaigns.
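As an added example (not LAC's tooling), the following Python sweeps a Windows host for the MetaRAT persistence indicators listed above. The matcher is a pure function that can be exercised on any platform with collected artefacts, and the collector runs only on Windows. The write-up does not say which registry hive holds the matesile key, so the collector enumerates the direct subkeys of HKLM\SOFTWARE and HKCU\SOFTWARE as an assumption; extend HIVES_TO_SCAN for your environment. The artefact lists used in the usage are constructed.

```python
"""Host-side sweep for the MetaRAT persistence indicators (added example)."""
import os
import subprocess
from typing import Iterable, List, Tuple

SERVICE_NAME = "sihosts"   # near-miss of the legitimate sihost.exe, so match exactly
REGISTRY_KEY = "matesile"
KEYLOG_DIR = "mates"       # directory under %ALLUSERSPROFILE%
KEYLOG_FILE = "VniFile.hlp"

# Assumption: the write-up does not give the key's location.
HIVES_TO_SCAN = [("HKLM", "SOFTWARE"), ("HKCU", "SOFTWARE")]

Finding = Tuple[str, str]


def match_iocs(services: Iterable[str], registry_keys: Iterable[str],
               files: Iterable[str]) -> List[Finding]:
    """Compare collected artefacts against the published indicators.

    Matching is exact and case-insensitive on the final path component, so
    the legitimate Shell Infrastructure Host ("sihost") is not flagged by a
    substring hit on "sihosts", and VniFile.hlp only counts inside a
    directory named "mates".
    """
    findings: List[Finding] = []
    for svc in services:
        if svc.strip().lower() == SERVICE_NAME:
            findings.append(("service", svc))
    for key in registry_keys:
        leaf = key.rstrip("\\").rsplit("\\", 1)[-1]
        if leaf.lower() == REGISTRY_KEY:
            findings.append(("registry", key))
    for path in files:
        parts = path.replace("/", "\\").rstrip("\\").rsplit("\\", 2)
        if (len(parts) >= 2 and parts[-1].lower() == KEYLOG_FILE.lower()
                and parts[-2].lower() == KEYLOG_DIR):
            findings.append(("keylog", path))
    return findings


def collect_windows_artifacts() -> Tuple[List[str], List[str], List[str]]:
    """Gather service names, SOFTWARE subkeys and candidate keylog paths.

    Windows only. "state= all" is needed because sc query lists only
    running services by default, and a stopped implant service would be
    missed.
    """
    if os.name != "nt":
        raise RuntimeError("live collection requires Windows")
    import winreg  # stdlib, Windows only
    out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                         capture_output=True, text=True, check=False).stdout
    services = [ln.split(":", 1)[1].strip() for ln in out.splitlines()
                if ln.startswith("SERVICE_NAME:")]
    keys: List[str] = []
    for hive_name, sub in HIVES_TO_SCAN:
        hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
        try:
            with winreg.OpenKey(hive, sub) as h:
                count = winreg.QueryInfoKey(h)[0]
                keys += [f"{hive_name}\\{sub}\\{winreg.EnumKey(h, i)}" for i in range(count)]
        except OSError:
            continue
    base = os.path.join(os.environ.get("ALLUSERSPROFILE", r"C:\ProgramData"), KEYLOG_DIR)
    files = [os.path.join(base, f) for f in os.listdir(base)] if os.path.isdir(base) else []
    return services, keys, files


# Constructed artefact lists standing in for a collector run on a host.
SAMPLE_SERVICES = ["WinDefend", "sihost", "sihosts", "Spooler"]
SAMPLE_KEYS = ["HKLM\\SOFTWARE\\Microsoft", "HKLM\\SOFTWARE\\matesile"]
SAMPLE_FILES = ["C:\\ProgramData\\mates\\VniFile.hlp",
                "C:\\ProgramData\\other\\VniFile.hlp"]

if __name__ == "__main__":
    source = collect_windows_artifacts() if os.name == "nt" else (
        SAMPLE_SERVICES, SAMPLE_KEYS, SAMPLE_FILES)
    for kind, what in match_iocs(*source):
        print(f"[!] {kind}: {what}")
```

Run it as an administrator so that `sc query` and the HKLM enumeration see every entry; a clean host prints nothing. The exact-match rule is deliberate: a looser substring check would fire on sihost on every Windows 10 and later machine and bury the real hit.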

