UPSTYLE

UPSTYLE is a Python-based backdoor associated with the exploitation of Palo Alto Networks firewalls through CVE-2024-3400 in early 2024. UPSTYLE has been observed only in that activity, in which the threat actor UTA0218 attempted to install it on compromised devices.[1][2]

ID: S1164
Type: MALWARE
Platforms: Network Devices, Linux
Version: 1.0
Created: 20 November 2024
Last Modified: 15 April 2025

Techniques Used

Domain | ID | Name (the Use text follows each entry)

Enterprise | T1059.006 | Command and Scripting Interpreter: Python

UPSTYLE is a Python-based application.[1][2]

Enterprise | T1001.001 | Data Obfuscation: Junk Data

UPSTYLE does not receive commands in a direct response. A request for a non-existent web page fails and is recorded in the web server's error log; UPSTYLE then parses the commands out of those error log entries and decodes them.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

UPSTYLE stores its main content as base64-encoded blobs and decodes them before loading the code via Python.[1][2]

Enterprise | T1546 | Event Triggered Execution

UPSTYLE creates a .pth file whose lines begin with import. Python's site module executes such lines whenever an interpreter starts, so the malicious code runs every time another process or script on the device loads Python.[1]

Enterprise | T1665 | Hide Infrastructure

UPSTYLE's command traffic is disguised as failed requests for a non-existent web page; the commands are hidden in the resulting error messages rather than carried in a visible exchange with the command and control server.[1]

Enterprise | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs

UPSTYLE clears the error log after reading the commands embedded in it, removing the record of the command traffic.[1]

Enterprise | T1070.004 | Indicator Removal: File Deletion

UPSTYLE removes the modified bootstrap.min.css after parsing command and control instructions and restores the file to its original state.[1]

Enterprise | T1070.006 | Indicator Removal: Timestomp

UPSTYLE restores file timestamps to their original values after modifying the files.[1]

Enterprise | T1036 | Masquerading

UPSTYLE has used filenames such as update.py to masquerade as legitimate files.[1]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File

UPSTYLE stores its primary content as base64-encoded objects.[1][2]

Enterprise | T1057 | Process Discovery

UPSTYLE can read /proc/self/cmdline to check whether it is running as a monitored process.[2]

Enterprise | T1102.003 | Web Service: One-Way Communication

UPSTYLE's command channel is one way: it parses the encoded commands from the error log entries generated by requests for a non-existent web page, rather than receiving them in a response from the command and control server.[1]
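Two of the behaviours above can be checked for directly on a host: the import lines in .pth files (T1546) and commands carried in web-server error log entries (T1001.001 and T1102.003). The following is an added example in Python; it is not UPSTYLE's code and is not taken from the cited reports. The .pth rule mirrors what CPython's site module actually does. The nginx-style error line format, the URL-safe base64 encoding of the command in the request path, the file names, and all sample log and .pth contents are constructed assumptions, since the page does not specify them.

```python
"""Hunting helpers for two UPSTYLE behaviours (added example, not UPSTYLE code).

Assumptions: nginx-style error lines and URL-safe base64 in the request path.
Both are constructed for illustration; the cited reports do not specify them.
"""
from __future__ import annotations

import base64
import binascii
import os
import re
from typing import Iterable

# ---- T1546: .pth lines executed at interpreter start-up --------------------
# CPython's site.addpackage() exec()s any .pth line that begins with
# "import " or "import\t"; every other non-comment line is treated as a path.
_PTH_EXEC_PREFIXES = ("import ", "import\t")


def pth_import_lines(pth_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for each line site.py would exec()."""
    hits = []
    for n, raw in enumerate(pth_text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        # site.py does not strip leading whitespace, so "  import x" is a path.
        if line.startswith(_PTH_EXEC_PREFIXES):
            hits.append((n, line))
    return hits


def pth_findings(pth_texts: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Map file name -> exec'd lines, for the files that have any."""
    return {name: h for name, text in pth_texts.items() if (h := pth_import_lines(text))}


def scan_site_packages(*dirs: str) -> dict[str, list[tuple[int, str]]]:
    """Read every .pth under the given directories and report exec'd lines."""
    texts = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                if name.endswith(".pth"):
                    path = os.path.join(root, name)
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        texts[path] = fh.read()
    return pth_findings(texts)


# Constructed sample .pth contents: a benign path file and a loader that
# stages its payload as a base64 blob, as the page describes for UPSTYLE.
SAMPLE_PTH = {
    "benign-package.pth": "/opt/site/benign\n# comment\n  import not_executed\n",
    "zzz-site.pth": "import base64; exec(base64.b64decode(b'cHJpbnQoImhpIik='))\n",
}

# ---- T1001.001 / T1102.003: commands carried in error-log entries ----------
_MISSING_FILE = re.compile(
    r'open\(\) "(?P<path>[^"]+)" failed \(2: No such file or directory\)'
)
# A command token: URL-safe base64 alphabet only, long enough to be deliberate.
_TOKEN = re.compile(r"^[A-Za-z0-9_-]{8,}={0,2}$")


def encode_command_path(cmd: str, prefix: str = "/css/") -> str:
    """Operator side (assumed scheme): the command becomes the missing file name."""
    return prefix + base64.urlsafe_b64encode(cmd.encode()).decode()


def decode_payload(segment: str) -> str | None:
    """Return the command if `segment` is URL-safe base64 of printable ASCII."""
    if not _TOKEN.match(segment):
        return None
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def commands_from_error_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """(requested path, decoded command) for each failed request whose last
    path segment decodes: the parsing step the backdoor performs, and what a
    hunt over the same log would flag."""
    found = []
    for line in lines:
        m = _MISSING_FILE.search(line)
        if not m:
            continue
        path = m.group("path")
        cmd = decode_payload(path.rsplit("/", 1)[-1])
        if cmd is not None:
            found.append((path, cmd))
    return found


def _error_line(fs_path: str, client: str) -> str:
    return (f'2024/04/12 09:14:05 [error] 2231#0: *19 open() "{fs_path}" failed '
            f'(2: No such file or directory), client: {client}')


# Constructed sample error log: an ordinary 404 and one carrying a command.
SAMPLE_ERROR_LOG = [
    "2024/04/12 09:13:59 [notice] 2231#0: signal process started",
    _error_line("/var/www/html/bootstrap.min.css", "198.51.100.7"),
    _error_line("/var/www/html" + encode_command_path("uname -a"), "198.51.100.7"),
]

if __name__ == "__main__":
    print(pth_findings(SAMPLE_PTH))
    print(commands_from_error_log(SAMPLE_ERROR_LOG))
```

Run `scan_site_packages()` against every site-packages and dist-packages directory the device's interpreters use; legitimate packages do ship import lines in .pth files (setuptools, for example), so treat a hit as something to triage by file owner, mtime and decoded content rather than as a verdict. The log parser deliberately rejects path segments that are short, contain characters outside the URL-safe alphabet, or decode to non-printable bytes, so ordinary 404s such as the bootstrap.min.css request are not reported.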

Campaigns

ID | Name

C0048 | Operation MidnightEclipse

During Operation MidnightEclipse, threat actors made multiple attempts to install UPSTYLE.[1][2]

References
