Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances. "RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that
Analysis Summary
# Tool/Technique: RESURGE Malware
## Overview
RESURGE is a malware family that CISA observed being deployed after exploitation of CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure (ICS) appliances that has since been patched. It builds on the SPAWNCHIMERA variant (including the ability to survive reboots) and adds distinctive commands of its own; taken together its components behave as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.
## Technical Details
- Type: Malware family (rootkit and backdoor with web shell, bootkit, and proxy/tunneler capabilities)
- Platform: Linux (the Ivanti ICS appliance operating environment; components are ELF binaries, with `dsmain` reported as 64-bit)
- Capabilities: Persistence (via `/etc/ld.so.preload`), web shell deployment, integrity check manipulation, file modification, log tampering, credential harvesting, account creation, password resets, privilege escalation, and manipulation of the running coreboot image
- First reported: March 2025 (CISA malware analysis report on post-exploitation activity for CVE-2025-0282)
## MITRE ATT&CK Mapping
Inferred from the capabilities described in the report rather than from a full sample analysis, so treat the technique IDs as a working mapping:
- **TA0003 - Persistence**
- T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking (entry in `/etc/ld.so.preload` loads the RESURGE shared object into new processes)
- T1505.003 - Server Software Component: Web Shell (web shell deployed on the appliance)
- T1542.003 - Pre-OS Boot: Bootkit (web shell copied to the running boot disk, coreboot image manipulated)
- **TA0005 - Defense Evasion**
- T1014 - Rootkit
- T1562.001 - Impair Defenses: Disable or Modify Tools (manipulation of integrity checks)
- T1070.002 - Indicator Removal: Clear Linux or Mac System Logs (SPAWNSLOTH variant tampering with device logs)
- **TA0011 - Command and Control**
- T1090 - Proxy
- T1572 - Protocol Tunneling (tunneler functionality)
- **TA0004 - Privilege Escalation** / **TA0006 - Credential Access**
- T1078 - Valid Accounts (use of harvested or reset credentials)
- T1136.001 - Create Account: Local Account, and T1098 - Account Manipulation (account creation and password resets via the web shell)
## Functionality
### Core Capabilities
- **Persistence:** Adds its shared object to `/etc/ld.so.preload`, so the dynamic loader maps it into every dynamically linked process that starts, which keeps the implant active across reboots (similar to SPAWNCHIMERA).
- **Web Shell Deployment:** Sets up a web shell on the Ivanti device.
- **System Modification:** Manipulates file integrity checks and directly modifies files.
- **Log Tampering:** Includes a variant of the **SPAWNSLOTH** malware component ("liblogblock.so") to tamper with device logs.
### Advanced Features
- **Bootkit Functionality:** Copies the web shell to the Ivanti running boot disk and manipulates the running **coreboot image**.
- **Web Shell Functions:** The deployed web shell supports credential harvesting, account creation, password resets, and privilege escalation.
- **Kernel Inspection:** Ships a custom binary (`dsmain`) that bundles a subset of BusyBox applets and an open-source shell script for extracting an uncompressed kernel image (`vmlinux`) from the compromised appliance's kernel image, the same task the Linux source tree's `scripts/extract-vmlinux` performs. Having `vmlinux` on hand is what an attacker needs to locate kernel symbols and structures for rootkit-level tampering.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `libdsupgrade.so` (RESURGE binary), `liblogblock.so` (SPAWNSLOTH variant), `dsmain` (Custom 64-bit Linux ELF binary)
- Registry Keys: [Not applicable/provided for Linux ELF binaries]
- Network Indicators: [Not provided in context]
- Behavioral Indicators: A non-empty `/etc/ld.so.preload` (the file is normally absent or empty on an appliance), presence of the file names above, evidence of writes to the boot disk or changes to the coreboot image, unexpected changes to integrity-check logic, gaps or inconsistencies in device logs, and invocation of web shell execution logic.
## Associated Threat Actors
- **UNC5337:** The broader SPAWN ecosystem of malware is attributed to this China-nexus espionage group.
## Detection Methods
- Signature-based detection: Hash matching on the RESURGE components once hashes are available. Hashes are brittle against recompiled variants, so pair them with the behavioral checks below.
- Behavioral detection: Monitor for any modification of `/etc/ld.so.preload`, for writes to the boot disk or coreboot partition, and for network activity consistent with the web shell interface. Because RESURGE tampers with integrity checks and logs on the device, evidence collected from a live compromised appliance cannot be trusted; run Ivanti's external Integrity Checker Tool (ICT) and analyze forensic images offline.
- YARA rules: Rules keyed on strings or structures unique to `libdsupgrade.so`, `liblogblock.so`, and `dsmain` (for `dsmain`, the bundled BusyBox applet table and kernel-extraction script are distinctive on an appliance that would not otherwise carry them).
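The behavioral checks above, as an added example that is not CISA's or Ivanti's tooling: a small offline triage script that walks a mounted or extracted copy of an appliance filesystem, reports every `/etc/ld.so.preload` entry (and whether the referenced object actually exists), and flags the component file names from this report. The sample filesystem it scans is constructed in a temporary directory with placeholder bytes, so it runs offline; the `/home/bin` location and the hash list are assumptions (the report gives no hashes, so the set is empty until populated).

```python
"""Offline triage for ld.so.preload persistence and RESURGE component names.

Added example, not CISA's or Ivanti's code. Point `triage()` at the root of a
mounted or extracted appliance image; never rely on results from a live,
possibly compromised appliance, since RESURGE tampers with integrity checks.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Component file names reported for RESURGE (from the analysis above).
SUSPECT_NAMES = {"libdsupgrade.so", "liblogblock.so", "dsmain"}

# Known-bad SHA-256 digests would go here. None are given in this report, so
# the set is empty and hash matching is skipped until it is populated.
KNOWN_BAD_SHA256: set[str] = set()


@dataclass
class Finding:
    kind: str
    path: str
    detail: str = ""


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_ld_preload(root):
    """Report every entry in <root>/etc/ld.so.preload.

    Any non-empty preload file on an appliance deserves a look: the dynamic
    loader maps each listed object into every dynamically linked process.
    """
    findings = []
    preload = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(preload):
        return findings
    with open(preload, encoding="utf-8", errors="replace") as f:
        for line in f:
            entry = line.strip()
            if not entry or entry.startswith("#"):
                continue
            target = os.path.join(root, entry.lstrip("/"))
            detail = "present" if os.path.exists(target) else "dangling (object missing)"
            findings.append(Finding("ld.so.preload entry", entry, detail))
    return findings


def scan_for_components(root):
    """Flag files whose names match reported RESURGE components or whose
    SHA-256 is in KNOWN_BAD_SHA256 (if that set has been populated)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(path, root)
            if name in SUSPECT_NAMES:
                findings.append(Finding("suspect filename", rel))
            if KNOWN_BAD_SHA256 and sha256_of(path) in KNOWN_BAD_SHA256:
                findings.append(Finding("known-bad hash", rel))
    return findings


def triage(root):
    return check_ld_preload(root) + scan_for_components(root)


def build_sample_image():
    """Constructed sample tree mimicking a compromised appliance image.
    Paths and contents are placeholders, not real malware."""
    root = tempfile.mkdtemp(prefix="ics-sample-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "home", "bin"))  # assumed location
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
        f.write("/lib/libdsupgrade.so\n/lib/libdoesnotexist.so\n")
    with open(os.path.join(root, "lib", "libdsupgrade.so"), "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 12)
    with open(os.path.join(root, "home", "bin", "dsmain"), "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 12)
    return root


if __name__ == "__main__":
    for finding in triage(build_sample_image()):
        print(f"[{finding.kind}] {finding.path} {finding.detail}".rstrip())
```

On the constructed sample this reports two preload entries (one present, one dangling) and two suspect file names. A dangling preload entry is still a finding: it shows the persistence mechanism was installed even if the object was later removed.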
## Mitigation Strategies
- **Patching:** Apply the vendor patches for **CVE-2025-0282** across Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Patching alone does not evict an implant that is already present; if compromise is suspected, factory-reset the appliance from a known-clean image before redeploying.
- **Credential Rotation:** Because the web shell supports credential harvesting, account creation, and password resets, rotate credentials for privileged and non-privileged accounts reachable from the appliance and review for accounts the attacker may have created.
- **Integrity Monitoring:** Run the external Integrity Checker Tool rather than trusting on-device checks, and apply file integrity monitoring to `/etc/ld.so.preload`, executable paths, and boot configuration areas on the appliance.
- **Network Hardening:** Restrict external access to Ivanti device management interfaces and watch for proxy or tunneled traffic originating from the appliance.
## Related Tools/Techniques
- **SPAWNCHIMERA:** RESURGE appears to be an evolution or specialized variant of this malware.
- **SPAWN Ecosystem:** Includes components like SPAWNANT, SPAWNMOLE, SPAWNSNAIL, and SPAWNSLOTH.
- **BusyBox:** The custom tool `dsmain` incorporates subsets of applets from the open-source tool BusyBox.