MAR-25993211-r1.v1 Ivanti Connect Secure (RESURGE)

CISA has reported on three malicious files acquired from an Ivanti Connect Secure device compromised through CVE-2025-0282. The files exhibit functionality similar to known malware, including command and control capabilities and log tampering. RESURGE, the primary file, can modify files and create a web shell. Another file, a variant of SPAWNSLOTH, tampered with logs, while the third contained a shell script that extracts kernel images.

Affected: critical infrastructure, cybersecurity

Key points:

  • CISA analyzed malware from an Ivanti Connect Secure device exploited via CVE-2025-0282.
  • The RESURGE file creates SSH tunnels and can manipulate files and integrity checks.
  • Another file, a variant of SPAWNSLOTH, is designed to tamper with device logs.
  • A custom shell script was found that extracts an uncompressed kernel image from the compromised system.
  • BusyBox is used within the malware to execute various commands on the compromised device.

MITRE Techniques:

  • Initial Access (T1078) – Exploiting Ivanti CVE-2025-0282 to gain access.
  • Command and Control (T1071) – Establishing SSH tunnels for remote access.
  • Modification of Files (T1547) – Scripts insert malicious code to modify existing files and web applications.
  • Credential Dumping (T1003) – Manipulating integrity checks to evade detection.
  • Exploitation for Client Execution (T1203) – Using the extracted kernel image for further exploitation.

Indicators of Compromise:

  • File SHA256 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda (libdsupgrade.so)
  • File SHA256 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104 (liblogblock.so)
  • File SHA256 b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d (dsmain)
  • File MD5 cfb263a731d51ff489168bbca0d3bd2f (libdsupgrade.so)
  • File MD5 44d09ca5b989e24ff5276d5b5ee1d394 (liblogblock.so)
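As an added example (not part of the CISA report or its tooling), the following Python scanner hashes every regular file under a directory and flags any whose SHA256 or MD5 matches the indicators listed above. The `demo()` run uses a constructed stand-in file and a constructed indicator because the real samples are not embedded here.

```python
# Added example: IoC hash sweep for the indicators published in the report.
import hashlib, os, tempfile

# Indicators listed in the report (SHA256 and MD5 as published), keyed by hex digest.
IOC_HASHES = {
    "52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda": "libdsupgrade.so (RESURGE)",
    "3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104": "liblogblock.so (SPAWNSLOTH variant)",
    "b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d": "dsmain",
    "cfb263a731d51ff489168bbca0d3bd2f": "libdsupgrade.so (RESURGE)",
    "44d09ca5b989e24ff5276d5b5ee1d394": "liblogblock.so (SPAWNSLOTH variant)",
}

def file_digests(path, chunk=1 << 16):
    """Return (sha256, md5) hex digests of a file, streamed in chunks."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()

def scan_tree(root, indicators=IOC_HASHES):
    """Walk root and return (path, digest, label) for every regular file
    whose SHA256 or MD5 matches an indicator. Symlinks are skipped."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            for digest in file_digests(path):
                if digest in indicators:
                    hits.append((path, digest, indicators[digest]))
                    break
    return hits

def demo():
    """Constructed run: a benign file plus a stand-in file whose own SHA256 is
    added as a constructed indicator (the real samples are not embedded here)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        benign = os.path.join(root, "benign.txt")
        suspect = os.path.join(root, "lib", "libdsupgrade.so")
        with open(benign, "wb") as fh:
            fh.write(b"harmless config data\n")
        with open(suspect, "wb") as fh:
            fh.write(b"constructed stand-in, not the real library\n")
        indicators = {**IOC_HASHES, file_digests(suspect)[0]: "constructed test indicator"}
        return [(os.path.relpath(p, root), label) for p, _, label in scan_tree(root, indicators)]
```

On a real appliance image, point `scan_tree` at the mounted filesystem root and treat any hit as grounds to preserve the file and its timestamps before remediation.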
Full Story: https://www.cisa.gov/news-events/analysis-reports/ar25-087a