Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory detailing a new malware variant detected in attacks on an Ivanti vulnerability. The CISA advisory says the agency recovered three files from a critical infrastructure environment's Ivanti Connect Secure device after threat actors exploited Ivanti vulnerability CVE-2025-0282 for initial access. One of the files contained a new malware variant that CISA is calling RESURGE, which is similar to SPAWNCHIMERA in that it creates a Secure Shell (SSH) tunnel for command and control activities. The new variant adds important new capabilities, however.

RESURGE Malware Adds New Capabilities

RESURGE goes well beyond SPAWNCHIMERA with its ability to modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk. The RESURGE file, 'libdsupgrade.so', is a malicious 32-bit Linux shared object (ELF) file, CISA said. The file contains a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.

A second file ('liblogblock.so') is a variant of the SPAWNSLOTH log tampering utility; it was contained within the RESURGE sample. The third file ('dsmain') is a custom embedded binary containing an open-source shell script and applets from the open-source tool BusyBox, CISA said. The shell script can extract an uncompressed kernel image (vmlinux) from a compromised kernel image, while BusyBox lets threat actors "perform various functions such as download and execute payloads on compromised devices," the agency said.

CISA included file hashes and YARA detection rules based on the SHA-256 hashes. For RESURGE, the SHA-256 hash is 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda. The SPAWNSLOTH hash is 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104, and the dsmain hash is b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d.
CISA Recommendations

CISA recommended a number of controls in the advisory, such as:

- Disabling file and printer sharing services if possible, or at least using strong passwords or Active Directory authentication.
- Restricting users' ability to install and run unwanted software applications.
- Exercising caution when opening e-mail attachments "even if the attachment is expected and the sender appears to be known."
- Enabling a personal firewall on workstations and configuring it to deny unsolicited connection requests.
- Disabling unnecessary services on workstations and servers.
- Scanning for and removing suspicious e-mail attachments, and ensuring that the attachment extension matches the file header.
- Maintaining awareness of the latest threats and implementing appropriate Access Control Lists (ACLs).
Analysis Summary
# Tool/Technique: RESURGE Malware
## Overview
RESURGE is a malware variant detailed by CISA after it was recovered from an Ivanti Connect Secure device in a critical infrastructure environment; initial access was gained by exploiting CVE-2025-0282. It is a single 32-bit Linux shared object ('libdsupgrade.so') that bundles several nested components (rootkit, dropper, backdoor, bootkit, proxy, and tunneler) for post-exploitation activity on the appliance: SSH tunnelling for command and control, file modification, manipulation of integrity checks, and deployment of a web shell to the running boot disk. CISA describes it as similar to SPAWNCHIMERA, which also builds an SSH tunnel for C2, but with these added capabilities.
## Technical Details
- Type: Malware family (modular implant: rootkit, dropper, backdoor, bootkit, proxy, tunneler)
- Platform: Linux (Ivanti Connect Secure appliance); the RESURGE file is a 32-bit ELF shared object
- Capabilities: SSH tunnelling for command and control, proxying, file modification, manipulation of integrity checks, web shell deployment to the running boot disk, log tampering (via the bundled SPAWNSLOTH variant), and payload download and execution (via the BusyBox applets in 'dsmain')
- First Seen: Recovered from a device compromised via CVE-2025-0282; CISA's advisory describing the sample was published in March 2025
## MITRE ATT&CK Mapping
*Mapped by the editor from the functionality CISA reported; the advisory excerpt above does not itself assign technique IDs:*
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (CVE-2025-0282 on Ivanti Connect Secure)
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell (embedded shell script and BusyBox applets in 'dsmain')
- **TA0003 - Persistence**
- T1505.003 - Server Software Component: Web Shell (web shell copied to the running boot disk)
- T1542 - Pre-OS Boot (bootkit component)
- **TA0005 - Defense Evasion**
- T1014 - Rootkit (rootkit component)
- T1070.002 - Indicator Removal: Clear Linux or Mac System Logs (SPAWNSLOTH log tampering)
- T1562 - Impair Defenses (manipulation of the appliance's integrity checks)
- **TA0011 - Command and Control**
- T1572 - Protocol Tunneling (SSH tunnel for C2)
- T1090 - Proxy (proxy component)
- T1105 - Ingress Tool Transfer (download and execute payloads via BusyBox)
## Functionality
### Core Capabilities
- **Command and Control:** Builds an SSH tunnel for C2, as SPAWNCHIMERA does, and includes proxy and tunneler components.
- **Persistence and Boot Manipulation:** Modifies files, manipulates integrity checks, and creates a web shell that is copied to the running Ivanti boot disk; CISA lists a bootkit and a rootkit among its components.
- **Log Tampering:** The second recovered file, 'liblogblock.so', is a variant of the SPAWNSLOTH log tampering utility and was contained within the RESURGE sample; its role is to remove evidence of the intrusion from device logs.
- **Payload Delivery/Execution:** The third file, 'dsmain', is a custom embedded binary containing an open-source shell script and applets from the open-source tool **BusyBox**, which CISA says lets the actors "perform various functions such as download and execute payloads on compromised devices."
### Advanced Features
- **Kernel Image Extraction:** The shell script embedded in 'dsmain' can extract an uncompressed kernel image (`vmlinux`) from a compromised kernel image. Together with the bootkit component and the writes to the running boot disk, this shows the actor working on the appliance's kernel and boot images directly rather than only on user-space files.
- **Tool Nesting:** A single shared object carries the rootkit, dropper, backdoor, bootkit, proxy, and tunneler, with the SPAWNSLOTH variant and the BusyBox bundle alongside it; everything needed for post-exploitation is packaged into three files.
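The kernel-image extraction step above, as an added example; this is not CISA's code and not the script recovered in 'dsmain'. A compressed Linux kernel image is a boot stub followed by a compressed payload whose decompressed form is the ELF file `vmlinux`. The usual open-source way to recover it (the Linux tree's `scripts/extract-vmlinux`, assumed here to be the script CISA refers to, though the excerpt does not name it) is to scan the image for a compression magic, decompress from that offset, and keep the result if it begins with the ELF magic. The Python below reimplements that search for gzip, xz and bzip2, the codecs Python's standard library decodes (the real script also handles lzma, lzo, lz4 and zstd). The image it runs on is constructed, not a real kernel, and all function names are the editor's.

```python
"""Locate and decompress the vmlinux ELF embedded in a compressed kernel image.

Added example, not the script recovered by CISA. Mirrors the approach of the
open-source extract-vmlinux script (assumption: that is the script dsmain
carries): scan for a compression magic, decompress from that offset, accept
the output if it begins with the ELF magic. Only gzip, xz and bzip2 are
handled here because those are the codecs in Python's standard library.
"""
import bz2
import gzip
import lzma
import zlib
from typing import Callable, Iterator, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"


def _gunzip(data: bytes) -> bytes:
    # wbits=16+MAX_WBITS reads exactly one gzip member and leaves whatever
    # follows it (size trailer, padding) in unused_data instead of failing.
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data)


def _unxz(data: bytes) -> bytes:
    # LZMADecompressor stops at end-of-stream; lzma.decompress() would reject trailing bytes.
    return lzma.LZMADecompressor(format=lzma.FORMAT_XZ).decompress(data)


def _bunzip2(data: bytes) -> bytes:
    return bz2.BZ2Decompressor().decompress(data)


# (magic bytes, codec name, decompressor), tried in this order.
FORMATS: List[Tuple[bytes, str, Callable[[bytes], bytes]]] = [
    (b"\x1f\x8b\x08", "gzip", _gunzip),
    (b"\xfd7zXZ\x00", "xz", _unxz),
    (b"BZh", "bzip2", _bunzip2),
]


def find_candidates(image: bytes) -> Iterator[Tuple[int, str, Callable[[bytes], bytes]]]:
    """Yield every offset at which one of the known compression magics occurs."""
    for magic, name, decompress in FORMATS:
        start = 0
        while True:
            off = image.find(magic, start)
            if off < 0:
                break
            yield off, name, decompress
            start = off + 1


def extract_vmlinux(image: bytes) -> Optional[Tuple[int, str, bytes]]:
    """Return (payload offset, codec, vmlinux bytes), or None if nothing decodes to an ELF.

    A false-positive magic (bytes that happen to occur inside some other payload)
    either raises in the decompressor or yields non-ELF output; both cases are
    skipped and the scan continues with the next candidate.
    """
    if image.startswith(ELF_MAGIC):
        return 0, "none", image  # already an uncompressed vmlinux
    for off, name, decompress in find_candidates(image):
        try:
            out = decompress(image[off:])
        except Exception:  # corrupt stream or false-positive magic
            continue
        if out.startswith(ELF_MAGIC):
            return off, name, out
    return None


# --- constructed input for demonstration (not a real kernel) -----------------
FAKE_VMLINUX = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"constructed vmlinux body " * 40


def build_fake_image(kernel: bytes, codec: str) -> bytes:
    """512-byte stand-in boot stub, then the compressed payload, then a 4-byte size trailer."""
    stub = b"\xeb\x3c" + b"\x90" * 510
    if codec == "gzip":
        payload = gzip.compress(kernel)
    elif codec == "xz":
        payload = lzma.compress(kernel, format=lzma.FORMAT_XZ)
    elif codec == "bzip2":
        payload = bz2.compress(kernel)
    else:
        raise ValueError(codec)
    return stub + payload + len(kernel).to_bytes(4, "little")


if __name__ == "__main__":
    for codec in ("gzip", "xz", "bzip2"):
        result = extract_vmlinux(build_fake_image(FAKE_VMLINUX, codec))
        assert result is not None
        off, name, vmlinux = result
        print(f"{codec:>5}: payload at offset {off}, decoded via {name}, "
              f"{len(vmlinux)} bytes, ELF={vmlinux[:4] == ELF_MAGIC}")
```

For a defender the point is what the output enables: once an attacker has the uncompressed `vmlinux` they can patch or analyse it and, with the bootkit component, write a modified image back. Running the same extraction on a suspect appliance image and diffing the result against a known-good kernel of the same version is the corresponding forensic check.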
## Indicators of Compromise
- File Hashes (SHA-256, as published by CISA):
- RESURGE ('libdsupgrade.so'): `52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda`
- SPAWNSLOTH variant ('liblogblock.so'): `3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104`
- dsmain: `b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d`
- File Names: `libdsupgrade.so`, `liblogblock.so`, `dsmain`
- Registry Keys: Not applicable (Linux appliance)
- Network Indicators: Not specified in the advisory excerpt; the only network behaviour described is an outbound SSH tunnel used for C2
- Behavioral Indicators: SSH tunnel originating from the appliance, unexpected files on the running boot disk (web shell), altered integrity-check results, log tampering, execution of BusyBox applets, kernel image extraction or manipulation
## Associated Threat Actors
- The sample was recovered from an Ivanti Connect Secure device in a critical infrastructure environment after exploitation of CVE-2025-0282 for initial access, and CISA relates RESURGE to the earlier SPAWNCHIMERA malware. The advisory excerpt provides no attribution to a named threat actor.
## Detection Methods
- Signature-based detection: CISA included YARA detection rules based on the published SHA-256 hashes. A hash rule matches only the exact bytes CISA analysed; a recompiled or modified sample will not match, so treat a hash hit as confirmation of this specific sample rather than as the sole detection.
- File-based detection: Look for the published file names (`libdsupgrade.so`, `liblogblock.so`, `dsmain`) and for unexpected 32-bit ELF shared objects on the device. Because RESURGE manipulates the appliance's own integrity checks, a clean result from the on-device checker proves little after compromise; verify the file system from outside the running device against a known-good image.
- Behavioral detection: Monitor for outbound SSH tunnels from the appliance, BusyBox applet execution, kernel image extraction or manipulation, writes to the running boot disk, and gaps or tampering in device logs.
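A sweep that applies the indicators and detection caveats above, as an added example; it is not CISA's tooling or its YARA rules. Every regular file under a directory tree is checked two ways: an exact SHA-256 match against the published hashes, and a file-name match against the published names backed by a look at the ELF header (CISA describes RESURGE as a 32-bit Linux shared object). The second check exists because a hash only matches the exact bytes CISA analysed; a rebuilt sample dropped under the same name would otherwise pass unnoticed. The tree it scans and the files in it are constructed for illustration, and the function names are the editor's.

```python
"""Offline sweep of a filesystem tree for the three files CISA published.

Added example, not CISA's tooling or YARA rules. Two independent checks per
file: exact SHA-256 match against the published hashes, and file-name match
against the published names together with a reading of the ELF header.
"""
import hashlib
import os
import struct
import tempfile
from typing import Dict, List, Optional, Tuple

# SHA-256 values as quoted in the report above.
IOC_HASHES: Dict[str, str] = {
    "52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda": "RESURGE (libdsupgrade.so)",
    "3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104": "SPAWNSLOTH variant (liblogblock.so)",
    "b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d": "dsmain",
}
IOC_NAMES = {"libdsupgrade.so", "liblogblock.so", "dsmain"}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe_elf(header: bytes) -> Optional[str]:
    """Return e.g. '32-bit ET_DYN' for an ELF header, or None for non-ELF data.

    Only the identification bytes and e_type are read: byte 4 is EI_CLASS
    (1 = 32-bit, 2 = 64-bit), byte 5 is EI_DATA (1 = little-endian), and
    e_type is the 16-bit field at offset 16.
    """
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return None
    cls = {1: "32-bit", 2: "64-bit"}.get(header[4], "unknown-class")
    endian = "<" if header[5] == 1 else ">"
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    kind = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN"}.get(e_type, f"e_type={e_type}")
    return f"{cls} {kind}"


def match_ioc(name: str, digest: str, header: bytes = b"") -> List[str]:
    """Reasons a file is suspicious: hash match, name match, and what kind of ELF it is."""
    reasons: List[str] = []
    label = IOC_HASHES.get(digest.lower())
    if label:
        reasons.append("hash:" + label)
    if name in IOC_NAMES:
        reasons.append("name:" + name)
        elf = describe_elf(header)
        if elf:
            reasons.append("elf:" + elf)
    return reasons


def scan_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (path, reasons) for every file that trips a check. Symlinks are skipped."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                header = fh.read(18)
            reasons = match_ioc(fn, sha256_file(path), header)
            if reasons:
                hits.append((path, reasons))
    return sorted(hits)


def demo_scan() -> Dict[str, List[str]]:
    """Build a throwaway tree of constructed files and return {file name: reasons}."""
    # Minimal 32-bit little-endian ELF header prefix with e_type = ET_DYN (3); not a real binary.
    fake_32bit_dyn = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<H", 3) + b"\x00" * 30
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "libdsupgrade.so"), "wb") as fh:
            fh.write(fake_32bit_dyn)                      # published name, but not the published hash
        with open(os.path.join(root, "lib", "libc.so"), "wb") as fh:
            fh.write(fake_32bit_dyn)                      # same bytes under a benign name: no hit
        with open(os.path.join(root, "dsmain"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed\n")    # published name, not an ELF
        return {os.path.basename(p): r for p, r in scan_tree(root)}


if __name__ == "__main__":
    for name, reasons in demo_scan().items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it against a mounted copy of the appliance's disk taken from outside the device, not from a shell on the running appliance, since the rootkit and the integrity-check manipulation CISA describes can hide files from the compromised host itself. The same three digests can be expressed as a YARA rule using the `hash.sha256(0, filesize)` condition if a YARA scanner is already in place.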
## Mitigation Strategies
- The initial access vector in this case was CVE-2025-0282 on Ivanti Connect Secure, so the primary control is to apply Ivanti's fix for that vulnerability and, where compromise is suspected, to restore the appliance to a known-good state rather than relying on its own integrity checks, which RESURGE manipulates.
- CISA's general recommendations from the advisory:
- Disabling file and printer sharing services if possible, or using strong passwords/Active Directory authentication.
- Restricting users' ability to install and run unwanted software applications.
- Exercising caution with e-mail attachments, and ensuring that the attachment extension matches the file header.
- Enabling personal firewalls and configuring them to deny unsolicited connection requests.
- Disabling unnecessary services on workstations and servers.
- Maintaining awareness of the latest threats and implementing appropriate Access Control Lists (ACLs).
## Related Tools/Techniques
- **SPAWNCHIMERA:** Earlier malware that, like RESURGE, creates an SSH tunnel for command and control; CISA describes RESURGE as similar to it but with added capabilities.
- **SPAWNSLOTH:** A log tampering utility; the recovered 'liblogblock.so' is a variant of it and was contained within the RESURGE sample.
- **BusyBox:** Open-source multi-call binary whose applets, bundled in 'dsmain', give the actor download-and-execute and general shell functionality on the device.