DslogdRAT Malware Found in Ivanti Connect Secure Following CVE-2025-0282 Exploit


A new Remote Access Trojan (RAT) named DslogdRAT has been observed on Ivanti Connect Secure VPN appliances that were compromised through a now-patched zero-day vulnerability, CVE-2025-0282. The malware was used in post-compromise operations and gives the operator extensive control over the compromised device. The SPAWNSNARE malware, previously reported by CISA and Google in April 2025, was also identified on the infected systems.

Attack Timeline: Attacks occurred around December 2024; detection and analysis were reported in April 2025.

Severity Level: Critical

VULNERABILITY OVERVIEW:

1. Vulnerability Details:
 CVE ID: CVE-2025-0282
 CVSS Score: 9.0 (Critical)
 Description: A stack-based buffer overflow that allows a remote, unauthenticated attacker to execute arbitrary code on the appliance.
 Affected Products:

 Product Name                      Affected Version(s)        Resolved Version(s)
 Ivanti Connect Secure             22.7R2 through 22.7R2.4    22.7R2.5
 Ivanti Policy Secure              22.7R1 through 22.7R1.2    22.7R1.3
 Ivanti Neurons for ZTA gateways   22.7R2 through 22.7R2.3    22.8R2

2. Initial Access Vector:
o Attackers exploited the CVE-2025-0282 bug in the web interface of Ivanti Connect Secure.
o A Perl web shell (File Path: /home/webserver/htdocs/dana-na/cc/ccupdate.cgi) was installed on the compromised Ivanti Connect Secure system, giving the attacker arbitrary command execution. The web shell reads the DSAUTOKEN value from incoming HTTP requests and uses it as the trigger for executing further attacker-supplied commands.

3. Execution Flow:
Once launched, DslogdRAT (File Path: /home/bin/dslogd) spawns two child processes:
o The first child process decodes the embedded configuration data and then sits in a loop with sleep intervals, keeping the malware resident on the system.
o The second child process carries out the core functionality of DslogdRAT: communication with the C2 server and execution of the commands it receives.

4. Persistence Mechanism:
o DslogdRAT is embedded in the firmware and execution layers of the Ivanti appliance, alongside the appliance's own binaries.
o As a result it can survive system reboots and in-place patching, and in some cases even a reimaging procedure, unless the appliance is thoroughly validated afterwards (for example with Ivanti's Integrity Checker Tool, ICT, as described in the recommendations below).

5. Command & Control (C2):
o The malware talks to its C2 server over raw socket connections and encodes the exchanged data with a simple XOR-based scheme.
o It is designed to communicate only between 8:00 AM and 8:00 PM, presumably so that its traffic blends in with business-hours activity and avoids detection by security monitoring.
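To illustrate the C2 encoding described in item 5, here is an added Python example (not code from the original advisory, from JPCERT, or from any of the sources listed below): it recovers the plaintext of a captured DslogdRAT-style message by trying every one-byte XOR key and ranking the decodes by how much they look like command text. The page does not state the key or its length, so the single-byte assumption, the character set used for ranking, the sample command string and the key 0x5A are all constructed for this example.

```python
"""Recovering single-byte-XOR-encoded C2 traffic (added analyst example)."""
import string

# Bytes a recovered command or response is expected to consist of: letters,
# digits, whitespace and common path/option characters. This is an assumption
# used only for ranking candidate decodes.
EXPECTED = set(string.ascii_letters.encode() + string.digits.encode() + b" \n/-._:")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score(candidate: bytes) -> float:
    """Fraction of bytes that look like command text (1.0 means all of them)."""
    if not candidate:
        return 0.0
    return sum(b in EXPECTED for b in candidate) / len(candidate)


def brute_force_single_byte(blob: bytes, min_score: float = 0.8):
    """Try every one-byte key; keep decodes that look like text, best first."""
    ranked = []
    for key in range(256):
        plain = xor_bytes(blob, bytes([key]))
        s = score(plain)
        if s >= min_score:
            ranked.append((s, key, plain))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return [(key, plain) for _, key, plain in ranked]


# Constructed sample: a plausible operator command string encoded with a
# made-up key. Neither the commands nor the key come from the advisory.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"id\nuname -a\ncat /home/bin/dslogd\n"
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    for key, plain in brute_force_single_byte(SAMPLE_ENCODED)[:3]:
        print(f"key=0x{key:02x} score={score(plain):.2f} {plain!r}")
```

If the top candidates tie or read as garbage, the encoding is probably not a single byte; xor_bytes already accepts a multi-byte key, so XORing a known-plaintext guess (for example the first bytes of a command you expect to see) against the captured blob reads the repeating key out directly.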

Recommendations:

1. Clean internal and external ICT scan: upgrade to Ivanti Connect Secure 22.7R2.5 and continue to closely monitor your internal and external ICT results in conjunction with other security tools. Out of an abundance of caution, a factory reset is recommended even for appliances with a clean ICT scan before putting 22.7R2.5 into production.
2. ICT result shows signs of compromise: perform a factory reset on the appliance to ensure any malware is removed, then put the appliance back into production on version 22.7R2.5. Continue to closely monitor your internal and external ICT results in conjunction with other security tools.
3. Regularly scan for unauthorized web shells, in particular the file /home/webserver/htdocs/dana-na/cc/ccupdate.cgi and any other unexpected scripts under /home/webserver/htdocs/dana-na/, to ensure that no such scripts are present on your appliances.
4. Enforce multi-factor authentication for administrative access to Ivanti Connect Secure and other critical systems to reduce the risk of unauthorized access. Note that MFA does not mitigate CVE-2025-0282 itself, which is exploitable without authentication; patching is the only fix for the vulnerability.
5. Implement file integrity monitoring to detect unauthorized changes to critical files or the appearance of suspicious executables such as dslogd or dsmain.
6. Block the IOCs at their respective controls. The IOC collection is published at:
   https://www.virustotal.com/gui/collection/d4e994c7ce308f6fec34828b93d8ae8d6004a0cc55650e7c0d56c5e894efb78c/iocs
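Recommendations 3 and 5 can be approximated offline against a file-system extract of the appliance (for example a mounted forensic image; the root path is an assumption). The following Python is an added example, not Ivanti's ICT and not code from the advisory or its sources: it hashes every file against a baseline manifest taken from a known-clean image, reports added, removed and modified files, checks for the web shell and RAT paths named above, and greps CGI scripts under dana-na for the DSAUTOKEN trigger string and command-execution calls. The marker regex is a heuristic assumption, and the fixture built in demo() is constructed for the example.

```python
"""Offline triage of an Ivanti Connect Secure file-system extract: web shell hunt
plus baseline hash comparison. Added example; not Ivanti's ICT or the source's code."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Paths named in the advisory, relative to the root of the mounted extract.
WEBSHELL_PATH = "home/webserver/htdocs/dana-na/cc/ccupdate.cgi"
RAT_PATH = "home/bin/dslogd"
CGI_DIR = "home/webserver/htdocs/dana-na"

# Heuristic for the described web shell: it reads DSAUTOKEN from the request and
# hands attacker input to a shell. The shell's source is not on the page, so this
# pattern is an assumption and every hit still needs manual review.
SHELL_MARKERS = re.compile(rb"DSAUTOKEN|\bsystem\s*\(|\bexec\s*\(|\bopen\s*\([^)]*\|")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """Files that appeared, disappeared or changed relative to the clean baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def hunt_webshells(root: Path) -> list[tuple[str, str]]:
    """Known web shell path first, then any CGI under dana-na carrying the markers."""
    hits: dict[str, str] = {}
    if (root / WEBSHELL_PATH).is_file():
        hits[WEBSHELL_PATH] = "known DslogdRAT web shell path present"
    cgi_root = root / CGI_DIR
    if cgi_root.is_dir():
        for p in sorted(cgi_root.rglob("*.cgi")):
            rel = p.relative_to(root).as_posix()
            if rel in hits:
                continue
            m = SHELL_MARKERS.search(p.read_bytes())
            if m:
                hits[rel] = f"suspicious marker {m.group(0)!r}"
    return sorted(hits.items())


def triage(root: Path, baseline: dict[str, str]) -> dict:
    """One report: manifest diff, web shell hits, and whether the RAT binary exists."""
    report = diff_manifest(baseline, build_manifest(root))
    report["webshells"] = hunt_webshells(root)
    report["rat_binary_present"] = (root / RAT_PATH).is_file()
    return report


def demo() -> dict:
    """Constructed fixture: a clean tree used as baseline versus a compromised copy."""
    legit = {
        "home/webserver/htdocs/dana-na/auth/welcome.cgi": b"#!/usr/bin/perl\nprint 'welcome';\n",
        "home/bin/web": b"\x7fELF clean placeholder",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = Path(tmp, "clean"), Path(tmp, "bad")
        for tree in (clean, bad):
            for rel, data in legit.items():
                f = tree / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_bytes(data)
        baseline = build_manifest(clean)
        # Tamper with the second tree the way the advisory describes.
        shell = bad / WEBSHELL_PATH
        shell.parent.mkdir(parents=True, exist_ok=True)
        shell.write_bytes(b"#!/usr/bin/perl\nif ($ENV{HTTP_COOKIE} =~ /DSAUTOKEN=/) { system($cmd); }\n")
        (bad / RAT_PATH).write_bytes(b"\x7fELF dslogd placeholder")
        (bad / "home/bin/web").write_bytes(b"\x7fELF tampered placeholder")
        return triage(bad, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline manifest should come from a freshly imaged appliance of the same version, not from the suspect device; on a live appliance without shell access, Ivanti's ICT remains the sanctioned check and this script is a second opinion for an offline image.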

Source:

• https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html
• https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
• https://www.cisa.gov/news-events/analysis-reports/ar25-087a


    Ampcus Cyber