Introduction Line Dancer is a sophisticated shellcode loader that specifically targets Cisco Adaptive Security Appliance (ASA) devices. Recently analyzed by the National Cyber Security Centre (NCSC), this malware plays a critical role in the ArcaneDoor campaign, operating in conjunction with another threat, Line Runner, to compromise Cisco devices.

Malware Characteristics Line Dancer operates directly in memory, making it volatile and elusive. It injects shellcode into a 20KB memory region marked as executable, outside the protected text section of the ASA’s ‘lina’ process. The malware listens for specific XML data in WebVPN traffic and activates if a hardcoded token within the data matches its expectations. This activation triggers the execution of malicious shellcode, which is prepended with a unique token and base64-encoded.

Detection and Analysis Detection is challenging due to the malware’s in-memory nature and lack of persistence. However, anomalies in memory regions, such as unexpected executable regions within the lina process, can indicate compromise. The NCSC provides YARA rules to help identify characteristics of Line Dancer within compromised systems.

Operational Impact The primary concern with Line Dancer is its ability to execute arbitrary shellcode on targeted devices, potentially leading to further exploitation, data exfiltration, or disruption of critical network services.

Mitigation and Response Organizations are advised to monitor their Cisco ASA devices for signs of compromise closely, specifically looking for alterations in memory configurations or unexpected inbound XML data. Cisco’s cooperation in the analysis underscores the importance of vendor involvement in responding to such threats.