
The US Cybersecurity and Infrastructure Security Agency (CISA) is shedding light on a new malware called RESURGE, which has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances.
"RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior," the agency said. "The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler."
The security vulnerability tied to the malware's deployment is CVE-2025-0282, a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

The flaw affects the following versions:
Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA Gateways before version 22.7R2.3.
According to Google-owned Mandiant, CVE-2025-0282 has been weaponized to deliver what is called the SPAWN ecosystem of malware, consisting of several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN is attributed to a China-nexus espionage group tracked as UNC5337.
Last month, JPCERT/CC revealed that the flaw was also used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines all of the aforementioned modules into one monolithic piece of malware and incorporates changes to facilitate inter-process communication through UNIX domain sockets.
Most notably, the revised variant had the ability to patch CVE-2025-0282 on the compromised appliance so that other malicious actors could not exploit it for their own campaigns.
RESURGE ("libdsupgrade.so") is an improvement over SPAWNCHIMERA, with support for three new commands, per CISA:
- Insert itself into "ld.so.preload", set up a web shell, manipulate integrity checks, and modify files.
- Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation.
- Copy the web shell and manipulate the running coreboot image.
CISA said it also unearthed two other artifacts from the ICS device of an unspecified critical infrastructure entity: a variant of SPAWNSLOTH ("liblogblock.so") contained within RESURGE, and a bespoke 64-bit Linux ELF binary ("dsmain").

"The [SPAWNSLOTH variant] tampers with the Ivanti device logs," CISA said. "The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image."
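The persistence mechanism CISA describes above (RESURGE inserting itself into "ld.so.preload") and the artifact names it reports (libdsupgrade.so, liblogblock.so, dsmain) suggest one concrete triage check: compare an appliance's ld.so.preload against a known-good baseline and flag anything CISA named. The script below is an added example written for this page, not code from CISA or from the article; the sample preload contents, the baseline path and the "/tmp" location are constructed for illustration, and the assumption that a clean appliance lists nothing in ld.so.preload is just that, an assumption to be verified against a clean image of the same version.

```python
# Added example (not from CISA's advisory or the article): offline triage of an
# ld.so.preload file pulled from an Ivanti Connect Secure image, flagging entries
# that are not in a known-good baseline or whose file names match the artifact
# names CISA reported. All paths in the sample below are constructed.
from pathlib import PurePosixPath

# Artifact file names named in CISA's RESURGE report.
CISA_ARTIFACT_NAMES = frozenset({"libdsupgrade.so", "liblogblock.so", "dsmain"})


def parse_preload(text: str) -> list[str]:
    """Return the shared-object names listed in an ld.so.preload file.

    The loader treats the file as a whitespace-separated list of names,
    with '#' starting a comment that runs to end of line.
    """
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def triage_preload(text: str, baseline: frozenset[str] = frozenset()) -> list[dict]:
    """Flag preload entries worth a closer look.

    `baseline` is the set of absolute paths a clean appliance of the same
    version lists. Assumption: a clean appliance lists none, so the default
    empty baseline flags every entry; replace it with what a clean image shows.
    """
    findings: list[dict] = []
    for entry in parse_preload(text):
        reasons: list[str] = []
        if entry not in baseline:
            reasons.append("not in known-good baseline")
        if PurePosixPath(entry).name in CISA_ARTIFACT_NAMES:
            reasons.append("file name matches an artifact named in CISA's RESURGE report")
        if not entry.startswith("/"):
            # A bare name is resolved through the loader's library search path,
            # which gives an attacker more places to plant it.
            reasons.append("relative path (resolved via the loader search path)")
        if reasons:
            findings.append({"entry": entry, "reasons": reasons})
    return findings


# Constructed sample: a comment, one baseline entry, and a RESURGE-style injection.
SAMPLE_PRELOAD = """# sample ld.so.preload (constructed)
/lib/libbaseline.so
/tmp/libdsupgrade.so
"""
SAMPLE_BASELINE = frozenset({"/lib/libbaseline.so"})  # hypothetical clean entry

if __name__ == "__main__":
    for finding in triage_preload(SAMPLE_PRELOAD, SAMPLE_BASELINE):
        print(finding["entry"], "->", "; ".join(finding["reasons"]))
```

The name match is the weakest part of the check: a renamed copy of the library sails past it, so the baseline comparison is what actually matters. Because the same malware manipulates integrity checks and its SPAWNSLOTH component tampers with device logs, run this against a file carved from an offline image of the appliance rather than trusting what a shell on the running device reports.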
It is worth noting that CVE-2025-0282 was also exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), as revealed by Microsoft earlier this month.
The latest findings show that the threat actors behind the malware are actively refining and reworking it, and it is essential for organizations to patch their Ivanti instances to the latest version.
As further mitigations, it is recommended to reset credentials for privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.