Critical Analysis: Ivanti Connect Secure (RESURGE) Vulnerability Exploited by Threat Actors

TL;DR

This article examines how threat actors exploited Ivanti Connect Secure using the CVE-2025-0282 vulnerability, leading to the deployment of RESURGE malware. The analysis delves into the malware’s functionalities and provides recommendations for strengthening cybersecurity postures.

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR—Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see Traffic Light Protocol (TLP) Definitions and Usage.

Summary

Description

The Cybersecurity and Infrastructure Security Agency (CISA) analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited the Ivanti CVE-2025-0282 vulnerability for initial access. One file, named RESURGE, creates a Secure Shell (SSH) tunnel for command and control (C2). RESURGE also contains commands that modify files, manipulate integrity checks, and create a web shell copied to the running Ivanti boot disk.

The second file is a variant of SPAWNSLOTH, contained within the RESURGE sample, which tampers with Ivanti device logs. The third file is a custom embedded binary containing an open-source shell script and a subset of applets from the open-source tool BusyBox. This script allows for the extraction of an uncompressed kernel image (vmlinux) from a compromised kernel image. BusyBox enables threat actors to perform various functions, such as downloading and executing payloads on compromised devices.

For more information on CVE-2025-0282, see the CISA Alert.

Download the PDF version of this report:

AR25-087A MAR-25993211-r1.v1 Ivanti Connect Secure (RESURGE)

For a downloadable copy of IOCs associated with this MAR, see:

AR25-087A STIX JSON

Submitted Files

  • libdsupgrade.so: 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda
  • dsmain: b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d

Additional Files

  • liblogblock.so: 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104

Findings

File: 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda

Tags

  • backdoor
  • dropper
  • rootkit

Details

| Name | libdsupgrade.so |
|---|---|
| Size | 1414480 bytes |
| Type | ELF 32-bit LSB pie executable, Intel 80386 |
| MD5 | cfb263a731d51ff489168bbca0d3bd2f |
| SHA1 | 87bcbbcb878aeee6ad4463464745770e95c6a937 |
| SHA256 | 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda |
| SHA512 | 3d12fdb707c188eb2e94cbf2dd42a50cfe343128652bab9245a54b887e35bc32c6a88c8faa5001a045df3991b387fcd6a27719ecbf84f6ce893163b040c2e0dd |
| ssdeep | 24576:h6j7Ed+iowSCstJtmOKSbqUmtzYxs7X0ToN8fp/AQClBka:h4wSC0JtmpntzYMU2 |
| Entropy | 6.171523 |

Antivirus Detection

  • ESET: a variant of Linux/SpawnSnail.A trojan

YARA Rules

rule CISA_25993211_01 : RESURGE backdoor dropper rootkit bootkit
{
  meta:
    author = "CISA Code & Media Analysis"
    incident = "25993211"
    date = "2025-03-03"
    last_modified = "20250303_1446"
    actor = "n/a"
    family = "SPAWN"
    capabilities = "n/a"
    malware_type = "backdoor dropper rootkit bootkit"
    tool_type = "unknown"
    description = "Detects RESURGE malware samples"
    sha256_1 = "52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda"
  strings:
    $s1 = "snprintf"
    $s2 = "CGI::param"
    $s3 = "coreboot.img"
    $s4 = "scanner.py"
    $s5 = { 6C 6F 67 73 }
    $s6 = "accept"
    $s7 = "strncpy"
    $s8 = "dsmdm"
    $s9 = "funchook_create"
    $s10 = { 20 83 B8 ED }
  condition:
    all of them
}

ssdeep Matches

No matches found.

Relationships

| File Hash | Relationship | Related File Hash |
|---|---|---|
| 52bbc44eb4… | Contains | 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104 |

Description

The file ‘libdsupgrade.so’ is a malicious 32-bit Linux Shared Object file extracted from an Ivanti Connect Secure device version 22.7.4.30859. It functions as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. RESURGE shares similarities with SPAWNCHIMERA malware but includes additional commands to modify files, manipulate integrity checks, and create a web shell copied to the running Ivanti boot disk.

Key similarities to SPAWNCHIMERA include:

  • Initialization Check: RESURGE checks if the file is loaded by programs called ‘web’ or ‘dsmdm’.
  • Proxy Setup: If the ‘web’ program is called, it hooks accept and strncpy, contains an embedded private key for threat actor connection, and sets up a proxy for tunneling data.
  • SSH Tunnel: If the ‘dsmdm’ program is called, it creates an SSH tunnel for command and control, binds to a file, and listens for connections.

Command Breakdown:

  1. Commands 1: Insert itself into ld.so.preload, set up a web shell, fake integrity checks, and sign the manifest file.
  2. Commands 2: Decrypt, modify, and re-encrypt coreboot RAM disk.
  3. Commands 3: Modify Python scanning scripts to stop tracking mismatches or new files.
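A defender-side triage check for the persistence and staging indicators described above, added here as an example (it is not CISA's tooling or code from the report): it reports ld.so.preload entries, hashes files against the SHA256 values listed in this report, and flags the ‘/tmp/.liblogblock.so’ staging path. The fixture tree and its ld.so.preload entry are constructed, and the layout of a real appliance filesystem copy is assumed.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values taken from this report's Submitted Files / Additional Files.
KNOWN_SHA256 = {
    "52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda": "libdsupgrade.so (RESURGE)",
    "3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104": "liblogblock.so (SPAWNSLOTH)",
    "b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d": "dsmain",
}
# Staging path the report shows RESURGE loading its log-tampering component from.
SUSPICIOUS_PATHS = ("tmp/.liblogblock.so",)

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # chunked for large images
            digest.update(chunk)
    return digest.hexdigest()

def triage(root, known=KNOWN_SHA256):
    """Return (category, detail) findings for an offline copy of a device filesystem."""
    root = Path(root)
    findings = []
    # Command set 1 persists via ld.so.preload; report every non-empty entry.
    preload = root / "etc" / "ld.so.preload"
    if preload.is_file():
        for line in preload.read_text().splitlines():
            if line.strip():
                findings.append(("ld.so.preload", line.strip()))
    # Hash every regular file against the known-bad set.
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            label = known.get(sha256_of(path))
            if label:
                findings.append(("hash", f"{path.relative_to(root)} = {label}"))
    # Check the staging path used for the SPAWNSLOTH variant.
    for rel in SUSPICIOUS_PATHS:
        if (root / rel).exists():
            findings.append(("path", rel))
    return findings

def build_fixture():
    """Constructed sample tree (not real device content) so the checks run offline."""
    root = Path(tempfile.mkdtemp(prefix="resurge_triage_"))
    (root / "etc").mkdir()
    (root / "etc" / "ld.so.preload").write_text("/PLACEHOLDER/libdsupgrade.so\n")
    (root / "tmp").mkdir()
    (root / "tmp" / ".liblogblock.so").write_bytes(b"\x7fELF constructed placeholder")
    return root
```

Point `triage()` at a mounted or extracted copy of the device filesystem rather than the live appliance, so the check itself cannot be influenced by hooked libraries on the running system.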

Screenshots

Figure 1: Checks if the file is loaded by a program called ‘web’ or ‘dsmdm’.

Figure 2: The decoding function for the proxy.

Figure 3: The modification to the hooked ‘strncpy’ function.

Figure 4: Setting up the SSH shell.

Figure 5: Loading a shared object ‘/tmp/.liblogblock.so’.

Figure 6: Commands 1.

Figure 7: Commands 2.

Figure 8: Commands 3.

File: 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104

Tags

  • trojan

Details

| Name | liblogblock.so |
|---|---|
| Size | 95092 bytes |
| Type | ELF 32-bit LSB shared object, Intel 80386 |
| MD5 | 44d09ca5b989e24ff5276d5b5ee1d394 |
| SHA1 | 5309f9082da0fc24ebf03cb1741fa71335224e5a |
| SHA256 | 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104 |
| SHA512 | 63ded8e7294ee9a0d4181310d25c348d0d657d35e57740234cb98c9abfd8eb18bb3cd35a28bca3013f3e141b41131b923b39717c7ae864019287c2d85a36ae63 |
| ssdeep | 1536:AxlL0im3r1G1+5uIEcfPTLuYzgrbwhpMTQe5pylmpsk76BAwu:Kt1+5unc3TLRujpyRzaw |
| Entropy | 5.376198 |

Antivirus Detection

No matches found.

YARA Rules

rule CISA_25993211_02 : SPAWNSLOTH trojan compromises_data_integrity
{
  meta:
    author = "CISA Code & Media Analysis"
    incident = "25993211"
    date = "2025-03-04"
    last_modified = "20250304_0906"
    actor = "n/a"
    family = "SPAWN"
    capabilities = "compromises-data-integrity"
    malware_type = "trojan"
    tool_type = "unknown"
    description = "Detects SPAWNSLOTH malware samples"
    sha256_1 = "3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104"
  strings:
    $s1 = "dslogserver"
    $s2 = "g_do_syslog_servers_exist"
    $s3 = "_ZN5DSLog4File3addEPKci"
    $s4 = "dlsym"
  condition:
    all of them
}

ssdeep Matches

No matches found.

Relationships

| File Hash | Relationship | Related File Hash |
|---|---|---|
| 3526af9189… | Contained_Within | 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda |

Description

The file ‘liblogblock.so’ is a 32-bit Linux ELF binary identified as a variant of SPAWNSLOTH malware, a log tampering utility. If the program name is dslogserver, it detaches the shared memory containing the “g_do_syslog_servers_exist” IPC key, obtains the handle to the symbol “_ZN5DSLog4File3addEPKci,” and calls ‘funchook_create’. Funchook is an open-source tool that allows intercepting and modifying function calls at runtime.

Figure 9: The hooking functions used against ‘dslogserver’.

File: b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d

Tags

  • trojan

Details

| Name | dsmain |
|---|---|
| Size | 5102976 bytes |
| Type | ELF 64-bit LSB executable, x86-64 |
| MD5 | 6e01ef1367ea81994578526b3bd331d6 |
| SHA1 | 09eb513f284771461bcdc16ee28d31ce8bbe74e0 |
| SHA256 | b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d |
| SHA512 | ecbda91571b0429be42017dddd2cb687ce696dd601cd02f2502119b8b732376cee2097069ca35ba0089387d58213c6140c2caf8e6c2e05733d21c309b51e2b9b |
| ssdeep | 49152:4ZLtRJ8ryYwd5OP5nz1kHKf26xZVKtom+YvFM4tAcRrhOBDKx76a:4ptVbQ5nz2SZstogttAcRrhOBu6a |
| Entropy | 6.020899 |

Antivirus Detection

  • ESET: Linux/Agent.AHD trojan

Description

The file ‘dsmain’ is a 64-bit Linux ELF containing the open-source script ‘extract_vmlinux.sh’ and the open-source tool BusyBox. The file takes three arguments (-e, -d, -g):

  • -e: Encrypts a file with an AES key.
  • -d: Decrypts a file using an AES key.
  • -g: Invokes the script ‘extract_vmlinux.sh’ to extract the uncompressed vmlinux from a kernel image.

BusyBox is an open-source tool that combines a collection of common Unix utilities into a single binary; it is widely used on embedded devices and in industrial control systems (ICS). A threat actor with access to a device running BusyBox can chain its applets to perform various functions, such as downloading and executing malicious payloads on the compromised device.

Applets Used From BusyBox:

  • bzcat
  • bzip2
  • cat
  • cpio
  • find
  • gunzip
  • gzip
  • lzop
  • sed
  • sh
  • strings
  • tail
  • tar
  • touch
  • tr
  • unlzma
  • unlzop
  • unxz
  • xxd
  • xz

Relationship Summary

| File Hash | Relationship | Related File Hash |
|---|---|---|
| 52bbc44eb4… | Contains | 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104 |
| 3526af9189… | Contained_Within | 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda |

Recommendations

CISA recommends the following best practices to strengthen the security posture of your organization’s systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

For additional information on malware incident prevention and handling, refer to the National Institute of Standards and Technology (NIST) Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information

CISA continuously strives to improve its products and services. Provide feedback at CISA Feedback.

Document FAQ

What is a MIFR?

A Malware Initial Findings Report (MIFR) provides organizations with malware analysis in a timely manner. It offers initial indicators for computer and network defense. For additional analysis, contact CISA and provide information regarding the level of desired analysis.

What is a MAR?

A Malware Analysis Report (MAR) provides organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, contact CISA and provide information regarding the level of desired analysis.

Can I edit this document?

This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA?

Malware samples can be submitted via the following methods:

CISA encourages reporting any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at CISA Report.

Conclusion

The analysis of the Ivanti Connect Secure vulnerability exploited by threat actors highlights the critical need for robust cybersecurity measures. By understanding the functionalities of RESURGE and related malware, organizations can better protect their systems from similar threats. Implementing the recommended best practices will significantly enhance the security posture and resilience against cyber threats.

Additional Resources

For further insights, check:

This post is licensed under CC BY 4.0 by the author.