CISA Dissects Malware Trifecta Dropped in Exploitation of Ivanti Vulnerability
CISA has warned of the exploitation of Ivanti vulnerability CVE-2025-0282, a critical buffer overflow vulnerability impacting Ivanti Connect Secure, and has published a detailed analysis of the malicious activity that followed the exploitation. This flaw allows a remote, unauthenticated attacker to achieve remote code execution on vulnerable appliances. Through analysis of compromised infrastructure, CISA identified three distinct payloads dropped following successful exploitation: a malware variant named RESURGE, a log-manipulating component linked to SPAWNSLOTH, and a binary embedding an open-source script and BusyBox applets. RESURGE exhibits functionality similar to SPAWNCHIMERA, including establishing SSH tunnels for C2. It also contains capabilities to modify files, alter integrity checks, and deploy a web shell on the device's running boot disk, elevating its operational impact.
Analysis began with the file 'libdsupgrade.so', a 32-bit Linux shared object recognized as the core component of RESURGE. This payload acts as a dropper, rootkit, and C2 tunnel. It first checks whether it is being executed by the 'web' or 'dsmdm' process. In the 'web' path, it hooks the 'accept' and 'strncpy' system calls, decrypts an embedded key for attacker access, and establishes a proxy tunnel to a local socket. The 'dsmdm' path launches a secure shell bound to '/me/runtime/tmp/.logsrv'. From there, the malware begins its system modifications: inserting itself into 'ld.so.preload', copying itself and supporting components to '/tmp', adjusting Python integrity scripts, and manipulating system manifests to disguise these changes. RSA keys are generated, used to sign the modified manifest, then deleted. A shell script, 'extract_vmlinux.sh', is executed and removed afterward. CISA confirms that RESURGE copies a file named '/bin/dsmain' to '/tmp/coreboot_fs/bin', which contains both BusyBox applets and the extraction script.
The malicious modifications performed by RESURGE are broken into three command sets. The first modifies system integrity mechanisms and drops a web shell by injecting malicious Perl into 'compcheckresult.cgi', enabling remote command execution. The second decrypts, manipulates, and re-encrypts the coreboot image, repackaging it with injected binaries and configuration changes to persist across reboots. Commands include generating new directories, using 'dsmain' to manipulate compressed kernel images, and modifying startup scripts to include the malware. The third set disables scanning scripts by replacing specific variables in 'scanner.py' and 'scanner_legacy.py' with no-op logic. Combined, these commands enable stealth, persistence, and shell access via modified system components.
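The filesystem changes described in the two paragraphs above (a preload entry, staged copies under '/tmp', the '.logsrv' socket, and edits to 'compcheckresult.cgi' and the scanner scripts) can be checked from an offline snapshot of the appliance. The script below is an added defender-side example, not code from CISA or Ivanti: it walks a constructed snapshot (a path-to-bytes dict, not real appliance data), flags any 'ld.so.preload' entry, flags the staging paths named in the analysis, and compares the watched files against an off-device hash baseline. The directory portions of the CGI and scanner paths are assumptions (the article gives only basenames), so matching is done on basename.

```python
import hashlib
import posixpath

# Basenames the article says RESURGE modifies. Their directories on the
# appliance are not given in the analysis, so matching is by basename.
WATCHED_BASENAMES = {"compcheckresult.cgi", "scanner.py", "scanner_legacy.py"}

# Staging / runtime artefacts named in the analysis.
STAGING_PATHS = {"/tmp/coreboot_fs/bin/dsmain", "/me/runtime/tmp/.logsrv"}

# Known-good contents used to build the baseline. Constructed for this
# example; a real baseline comes from a clean image and is kept off-device,
# because RESURGE rewrites and re-signs the on-device manifests.
KNOWN_GOOD = {
    "compcheckresult.cgi": b"#!/usr/bin/perl\n# original\nprint 'ok';\n",
    "scanner.py": b"def scan():\n    return True\n",
    "scanner_legacy.py": b"def scan():\n    return True\n",
}
BASELINE = {name: hashlib.sha256(data).hexdigest() for name, data in KNOWN_GOOD.items()}

# Constructed snapshot of a compromised appliance: path -> file bytes.
# The '/assumed/...' directories are placeholders, not real ICS paths.
SNAPSHOT = {
    "/etc/ld.so.preload": b"/tmp/libdsupgrade.so\n",
    "/tmp/libdsupgrade.so": b"\x7fELF...",
    "/tmp/coreboot_fs/bin/dsmain": b"\x7fELF...",
    "/me/runtime/tmp/.logsrv": b"",
    "/assumed/cgi/compcheckresult.cgi": b"#!/usr/bin/perl\n# original\nprint 'ok';\n# injected\n",
    "/assumed/ict/scanner.py": b"def scan():\n    return True\n",
    "/assumed/ict/scanner_legacy.py": b"def scan():\n    return True\n",
}


def check_preload(snapshot):
    """Flag every non-empty line of ld.so.preload.

    Assumption: a healthy appliance has no preload entries at all, and a
    shared object loaded from /tmp is never legitimate.
    """
    findings = []
    content = snapshot.get("/etc/ld.so.preload")
    if content is None:
        return findings
    for line in content.decode(errors="replace").splitlines():
        entry = line.strip()
        if not entry:
            continue
        reason = "preload entry from /tmp" if entry.startswith("/tmp/") else "unexpected preload entry"
        findings.append(("ld.so.preload", entry, reason))
    return findings


def check_staging(snapshot):
    """Flag the staging paths the analysis attributes to RESURGE."""
    return [("staging", p, "artefact present") for p in sorted(STAGING_PATHS) if p in snapshot]


def check_integrity_drift(snapshot, baseline=BASELINE):
    """Compare watched files against the off-device baseline by SHA-256."""
    findings = []
    for path, data in snapshot.items():
        name = posixpath.basename(path)
        if name not in WATCHED_BASENAMES:
            continue
        digest = hashlib.sha256(data).hexdigest()
        if baseline.get(name) != digest:
            findings.append(("integrity", path, "hash differs from baseline"))
    return findings


def run_checks(snapshot, baseline=BASELINE):
    """Run all three checks and return the combined list of findings."""
    return check_preload(snapshot) + check_staging(snapshot) + check_integrity_drift(snapshot, baseline)


if __name__ == "__main__":
    for kind, where, why in run_checks(SNAPSHOT):
        print(f"[{kind}] {where}: {why}")
```

The point of keeping the baseline off the device is the one the analysis makes implicitly: RESURGE edits the manifest, signs it with freshly generated RSA keys and deletes them, so any integrity check that trusts on-device manifests or keys will pass after compromise. Comparing against hashes taken from a clean image, and treating any 'ld.so.preload' entry as a finding, does not depend on state the malware controls.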
The second identified payload, 'liblogblock.so', is a 32-bit ELF file assessed as a SPAWNSLOTH variant. Its primary function, according to CISA, is log manipulation. When executed under the 'dslogserver' process, it detaches specific shared memory used for logging and hooks logging-related functions via the open-source 'funchook' utility. The malware masks these operations by stripping recognizable strings from the compiled binary. CISA notes the objective of this component is to interfere with monitoring and forensic capabilities by modifying or suppressing log output.
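Because 'liblogblock.so' works by being loaded into the 'dslogserver' process and hooking its logging functions, a runtime check complements the filesystem check: list the executable mappings of the process and flag any shared object loaded from outside the appliance's trusted library directories. The snippet below is an added example, not CISA's or Ivanti's code; it parses a constructed excerpt in '/proc/<pid>/maps' format (addresses, inodes and the '/home/bin/dslogserver' path are made up) and the trusted-prefix allowlist is an assumption to adapt per appliance.

```python
import re

# Constructed /proc/<pid>/maps excerpt for a hypothetical dslogserver process.
# Addresses, inodes and the binary's own path are invented for this example.
MAPS_SAMPLE = """\
08048000-0805a000 r-xp 00000000 08:01 1234 /home/bin/dslogserver
b7e00000-b7f50000 r-xp 00000000 08:01 2222 /lib/libc.so.6
b7f50000-b7f52000 rw-p 00150000 08:01 2222 /lib/libc.so.6
b7f60000-b7f70000 r-xp 00000000 08:01 3333 /tmp/liblogblock.so
b7f70000-b7f71000 rw-p 00010000 08:01 3333 /tmp/liblogblock.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

# address  perms  offset  dev  inode  path
MAPS_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Assumption: on this appliance, code is only expected from these directories.
TRUSTED_PREFIXES = ("/lib/", "/usr/lib/", "/home/bin/")


def loaded_objects(maps_text):
    """Return {path: perms} for every file-backed mapping with execute permission."""
    objs = {}
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group(1), m.group(2).strip()
        if not path.startswith("/"):
            continue  # skip [stack], [heap], anonymous mappings
        if "x" in perms:
            objs[path] = perms
    return objs


def suspicious_objects(maps_text, trusted=TRUSTED_PREFIXES):
    """Executable objects loaded from outside the trusted directories."""
    return sorted(p for p in loaded_objects(maps_text) if not p.startswith(trusted))


def read_process_maps(pid):
    """Read a live process map; only used when run on a host, not in the example."""
    with open(f"/proc/{pid}/maps", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for path in suspicious_objects(MAPS_SAMPLE):
        print(f"untrusted executable mapping: {path}")
```

Only executable mappings are reported, so data files mapped read-only do not create noise, and a library that appears with several mappings (as libc does above) is listed once. Since the hooked process is the log server itself, the result of this check should be recorded somewhere other than the appliance's own logs.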
The third payload, embedded within the 'dsmain' binary, includes the 'extract_vmlinux.sh' script and components from BusyBox. This utility offers decryption (-d), encryption (-e), and extraction (-g) operations. The extraction function writes the script to disk and retrieves an uncompressed 'vmlinux' image from a kernel binary. The script is likely used by the attacker to inspect kernel contents for further vulnerabilities or to prepare future exploitation. BusyBox allows adversaries to run commands on compromised devices with minimal footprint. The specific BusyBox applets included enable execution of core utilities necessary for payload deployment and system interaction. According to CISA, 'dsmain' plays a central role in the malware's ability to modify, persist, and operationalize system-level compromise on Ivanti devices.