CISA warns of "Resurge" malware after Ivanti ICS attacks
Attacks on Ivanti's ICS have been known since the beginning of January. CISA has analyzed the malware that attackers have installed.
(Image: Created with AI in Bing Creator by heise online / dmk)
A vulnerability in Ivanti's Connect Secure (ICS), a VPN access product, was disclosed in January and immediately attacked by malicious actors. The US IT security authority CISA has now found malware on compromised devices, apparently the result of still ongoing, successful attacks, and has analyzed it.
CISA discusses the malware findings in an alert. After recently investigating attacks, the authority found malware on infected instances that it calls "Resurge". It has the capabilities of the "Spawn-Chimera" malware family, which the Japanese CERT reported in February had been installed by criminals after abuse of the Ivanti ICS vulnerability CVE-2025-0282.
"Resurge": further developed malware
During the investigation, the IT researchers discovered functions that allow the malware to survive reboots. It also understands other commands that change its behavior. For example, "Resurge" can set up a webshell, manipulate integrity checks and modify files. The webshell can be used to harvest credentials, create accounts, reset passwords and escalate privileges. The webshell can also be embedded into the boot disk and the coreboot image of Ivanti's ICS.
CISA also provides further guidance. The more detailed analysis provides information on infections (Indicators of Compromise, IOCs) and YARA detection rules. Interested parties can also find in-depth functional analyses of the three malware files there.
The first of the three files is the main "Resurge" file, which is functionally similar to "Spawnchimera", for example in establishing a tunnel to the command-and-control server (C2) using Secure Shell (SSH). The second is a variant of "Spawnsloth" that manipulates the Ivanti logs. The third is an embedded binary that contains an open source shell script and a collection of applets from the BusyBox open source toolbox. The tools can, for example, extract an uncompressed Linux kernel image (vmlinux) from a compromised kernel image. The BusyBox tools also allow further malware to be downloaded and executed on compromised devices.
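Because "Resurge" tampers with the appliance's own integrity checks and modifies files, a defender wants a check that does not trust the running box: hash a file tree against a manifest taken from a known-good image, and sweep the same tree for published IoC hashes. The following is an added example written for this article, not tooling from CISA, Ivanti or the malware analysis; the directory layout, the manifest format and the IoC hash are constructed placeholders, not real Resurge indicators.

```python
"""Out-of-band file integrity verification plus IoC hash sweep.

Added example, not CISA's or Ivanti's tooling. Assumes a baseline manifest
(relative path -> SHA-256) built from a clean appliance image. The IoC hash
set in demo() is a constructed placeholder, not a real indicator.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(root: Path, baseline: dict[str, str],
           ioc_hashes: set[str]) -> dict[str, list[str]]:
    """Diff the current tree against the baseline and flag IoC hash matches.

    Returns added, removed and modified paths plus any file whose hash is in
    the IoC set. Run this from a trusted host over an offline copy of the
    disk; a check executed on the compromised appliance can itself be altered.
    """
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "ioc_hits": sorted(p for p, h in current.items() if h in ioc_hashes),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"clean httpd binary (constructed)")
        (root / "etc").mkdir()
        (root / "etc" / "check.conf").write_text("integrity=on\n")
        baseline = build_manifest(root)  # taken from the clean state

        # Simulated tampering: integrity setting altered, unknown file dropped.
        (root / "etc" / "check.conf").write_text("integrity=off\n")
        (root / "var").mkdir()
        payload = b"CONSTRUCTED SAMPLE PAYLOAD"
        (root / "var" / "shell.cgi").write_bytes(payload)

        # Placeholder IoC set: the hash of the constructed payload above.
        ioc = {hashlib.sha256(payload).hexdigest()}
        return verify(root, baseline, ioc)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The manifest must come from a clean source (a vendor image or a backup taken before the exposure window) and the comparison must run off the appliance, since the page notes the malware can alter the integrity checker and even the boot disk and coreboot image. An IoC hash sweep only catches files that match published indicators; the manifest diff is what surfaces modified or newly added files that no indicator covers yet.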
Ivanti warned about the vulnerability and known attacks at the beginning of the year. Updated software corrects the underlying errors. Google's subsidiary Mandiant had already provided the first malware analyses for the variants of the "Spawn" family. However, the malware that has now been detected is newer and more advanced.
(dmk)