CISA details RESURGE malware exploiting Ivanti Connect Secure vulnerabilities

According to Bleeping Computer, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released updated details regarding the RESURGE malware, which has been used in zero-day attacks targeting Ivanti Connect Secure devices.

The RESURGE implant, a Linux shared object file named libdsupgrade.so, is a sophisticated passive command-and-control tool with rootkit and bootkit capabilities. It evades detection by waiting for specific inbound TLS connections rather than actively beaconing to its command server. The malware hooks the accept() function to inspect incoming TLS packets, using a CRC32 TLS fingerprint hashing scheme to identify connections from its operators.

Threat actors use a fake Ivanti certificate for authentication; because it is sent unencrypted, it can serve as a network signature for detection. After successful authentication, a mutual TLS session encrypted with an elliptic-curve cipher is established. The implant also uses a variant of the SpawnSloth malware (liblogblock.so) for log tampering and a kernel extraction script (dsmain) to manipulate coreboot firmware and filesystem contents for persistence. Researchers believe a China-linked threat actor, UNC5221, has exploited the CVE-2025-0282 vulnerability as a zero-day since mid-December 2024.

CISA's analysis highlights the persistent and stealthy nature of RESURGE, emphasizing its ability to remain dormant and undetected on compromised Ivanti Connect Secure devices. The agency urges system administrators to utilize the updated indicators of compromise to identify and remove any latent infections.
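As an added, defender-side illustration (not code from CISA or Bleeping Computer), the script below hunts for the two shared-object names the report attributes to RESURGE by reading each process's /proc/<pid>/maps, which is where a module loaded into a web-server process to hook accept() would appear. The sample maps dump, the /tmp paths in it, and the function names are constructed for this example.

```python
"""Hunt for RESURGE-related shared objects (libdsupgrade.so, liblogblock.so)
in the memory maps of running Linux processes. Example code, not CISA's tooling."""
import os
import re
from pathlib import Path

# Module names taken from the CISA analysis; extend with current indicators.
SUSPECT_MODULES = {"libdsupgrade.so", "liblogblock.so"}

# /proc/<pid>/maps format: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S.*)$")


def suspicious_mappings(maps_text):
    """Return the set of suspect module paths found in one maps dump."""
    found = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # anonymous mappings, [heap], [stack] carry no file path
        path = m.group("path").strip()
        if os.path.basename(path) in SUSPECT_MODULES:
            found.add(path)
    return found


def scan_processes(proc_root="/proc"):
    """Walk every readable <proc_root>/<pid>/maps; return {pid: suspect paths}."""
    hits = {}
    root = Path(proc_root)
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            text = (entry / "maps").read_text()
        except (OSError, ProcessLookupError):
            continue  # process exited, or maps not readable at this privilege
        found = suspicious_mappings(text)
        if found:
            hits[int(entry.name)] = found
    return hits


# Constructed sample dump: a web-server process with both implants loaded.
SAMPLE_MAPS = """\
55d3f1a00000-55d3f1a1c000 r--p 00000000 08:01 1234 /home/bin/web
7f2c1e000000-7f2c1e01b000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7f2c1e200000-7f2c1e20a000 r-xp 00000000 08:01 9012 /tmp/libdsupgrade.so
7f2c1e400000-7f2c1e401000 r-xp 00000000 08:01 9013 /tmp/liblogblock.so
7ffd8a000000-7ffd8a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", sorted(suspicious_mappings(SAMPLE_MAPS)))
    for pid, paths in scan_processes().items():
        print(pid, sorted(paths))
```

Run it as root on the appliance or on a forensic copy of /proc; a hit on a process that should only load vendor libraries is what warrants the full IoC sweep the advisory recommends.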

Source: Bleeping Computer
