Malicious Listener Targeting Ivanti EPMM


CISA’s Malware Analysis Report (MAR) details an active exploitation campaign targeting Ivanti Endpoint Manager Mobile (EPMM) systems through vulnerabilities CVE-2025-4427 and CVE-2025-4428. Threat actors deployed malicious listeners on compromised systems allowing for arbitrary code execution and persistent access, with malware leveraging Java class injection, encryption, and Base64 encoding to evade detection.

Severity: High

Threat Overview

1. Exploited Vulnerabilities

  • CVE-2025-4427 and CVE-2025-4428
  • These flaws were chained by attackers to gain unauthenticated access to vulnerable Ivanti EPMM servers and execute malicious payloads remotely. Public proof-of-concept (PoC) code accelerated exploitation.

2. Targeted Product Versions
Vulnerable versions include:

  • Ivanti EPMM — v11.12.0.4 and earlier; v12.3.0.1 and earlier; v12.4.0.1 and earlier; v12.5.0.0 and earlier (Patched as of May 13, 2025)

3. Malware Sets & Functionality

Set 1 (Loader 1 and Listener)

  • Loader: web-install.jar
  • Manager: ReflectUtil.class
  • Listener: SecurityHandlerWanListener.class

Behavior:

  • Injects a malicious listener into Apache Tomcat.
  • Intercepts HTTP requests with specific headers and encrypted payloads.
  • Decrypts Base64/AES payloads, dynamically loads new Java classes for remote code execution.

Set 2 (Alternate Loader and Listener)

  • Loader: web-install.jar
  • Listener: WebAndroidAppInstaller.class

Behavior:

  • Processes application/x-www-form-urlencoded HTTP requests.
  • Decrypts password parameter using AES with hardcoded key.
  • Dynamically creates, encrypts, and responds with malicious Java class output.

4. Delivery Mechanism

The malware was delivered in a segmented, stealthy manner to evade detection:

  • Threat actors split the malicious payloads (Loader 1 and Loader 2) into Base64-encoded chunks. Each chunk was delivered in a separate HTTP GET request to the vulnerable Ivanti EPMM API endpoint.
  • The requests abused Java Expression Language (EL) injection to create or append to the file /tmp/web-install.jar, decoding the Base64 data and writing it to disk via Java reflection APIs.
  • This process was repeated for each chunk until the full malware payload was assembled.
  • The file-append plus Base64-decoding technique let the malware bypass the size limit of a single request, evade static signature-based detection, and avoid triggering basic file integrity checks.
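The chunked delivery pattern above is visible in web-server access logs as a burst of GET requests from one client to the /mifs/rs/api/v2/ endpoint family, each carrying an EL expression and a long Base64 run. The following detector is an added example for this advisory, not CISA's or Ivanti's tooling. It assumes a combined-format access log (adjust LOG_RE otherwise), uses constructed log lines in which the EL expression is a placeholder (only its ${...} framing matters), and treats the 40-character Base64 run, the /mifs/rs/api/v2/ prefix and the web-install file name as tunable heuristics:

```python
"""Heuristic detection of chunked, EL-injection-based payload delivery against
Ivanti EPMM API endpoints, run over constructed access-log lines.
Added example for this advisory; not CISA or Ivanti code."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the reverse proxy / Tomcat access log uses the "combined"
# format. Adjust LOG_RE to match your deployment's log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

API_PREFIX = "/mifs/rs/api/v2/"     # endpoint family named in the advisory
EL_RE = re.compile(r"[$#]\{")        # opening of a Java EL expression: ${...} or #{...}
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long Base64-looking run (heuristic)
LOADER_HINT = "web-install"          # loader file name from the advisory

# Constructed sample log lines (not real traffic). EL_PLACEHOLDER stands in
# for the injected expression; the chunk values are Base64 of filler bytes.
_CHUNKS = ["QUFB" * 12, "QkJC" * 12, "Q0ND" * 12, "RERE" * 12 + "=="]
SAMPLE_LOG = "\n".join(
    ['198.51.100.7 - - [13/May/2025:10:00:01 +0000] '
     '"GET /mifs/rs/api/v2/sample?format=json HTTP/1.1" 200 512']
    + [
        f'203.0.113.10 - - [13/May/2025:10:00:0{i + 2} +0000] "GET /mifs/rs/api/v2/sample'
        f'?format=%24%7BEL_PLACEHOLDER%3A/tmp/web-install.jar%7D&chunk={c} HTTP/1.1" 200 0'
        for i, c in enumerate(_CHUNKS)
    ]
    + ['198.51.100.7 - - [13/May/2025:10:00:06 +0000] '
       '"GET /mifs/login.jsp HTTP/1.1" 200 2048']
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = unquote(entry["target"])  # EL braces usually arrive URL-encoded
    return entry


def suspicious_reasons(entry):
    """Heuristics a single parsed request trips (empty list if none)."""
    decoded = entry["decoded"]
    path, _, query = decoded.partition("?")
    if not path.startswith(API_PREFIX):
        return []
    reasons = []
    if EL_RE.search(decoded):
        reasons.append("el_expression_in_request")
    if B64_RUN_RE.search(query):          # only the query string, so path slashes do not count
        reasons.append("long_base64_run_in_query")
    if LOADER_HINT in decoded:
        reasons.append("loader_filename_reference")
    return reasons


def analyse(log_text, chunk_threshold=3):
    """Group flagged requests by client address. A client that repeats the
    pattern at least `chunk_threshold` times matches the chunked delivery."""
    findings = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if not entry:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry["ip"]]["hits"] += 1
            findings[entry["ip"]]["reasons"].update(reasons)
    return {
        ip: {
            "hits": f["hits"],
            "reasons": sorted(f["reasons"]),
            "chunked_delivery": f["hits"] >= chunk_threshold,
        }
        for ip, f in findings.items()
    }


if __name__ == "__main__":
    for ip, result in analyse(SAMPLE_LOG).items():
        print(ip, result)
```

Run against a real log by passing the file contents to `analyse()`. The threshold is per log window, so feed it a bounded time slice (one day, one hour) rather than a whole rotated history; a single EL hit still deserves a look even when it falls below the chunk threshold.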

Recommendations

  1. Ensure Ivanti EPMM is running the latest security updates.
  2. Treat mobile device management (MDM) systems as high-value assets (HVAs) with additional restrictions and monitoring.
  3. Restrict external access to Ivanti EPMM servers, especially to /mifs/rs/api/v2/ endpoints.
  4. Disable or restrict the use of Java Expression Language (EL) where not strictly needed.
  5. If compromise is detected:
    • Isolate the affected system.
    • Collect volatile memory and a full disk image for analysis.
    • Reimage compromised hosts.
    • Perform credential resets and key rotations across the network.
  6. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/c078a96f6fd14bcaa6d92e8539cb5f9cfef3fb7c572704770b6b1345fbb52c03/iocs
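When triaging a suspected host (recommendation 5) before reimaging, the artifact names from section 3 give a quick first pass over the disk image: a file named web-install.jar, or a JAR carrying a ReflectUtil.class, SecurityHandlerWanListener.class or WebAndroidAppInstaller.class entry. The hunter below is an added example, not CISA's or Ivanti's tooling. It matches on entry names only (a renamed class will not match), reports a SHA-256 for each hit so it can be compared against the IOC collection linked in recommendation 6, and builds its own constructed demo tree of placeholder JARs (no real malware) so it runs offline:

```python
"""Hunt a directory tree (e.g. a mounted disk image) for the loader and
listener artifacts named in the advisory. Added example; not CISA or Ivanti code."""
import hashlib
import os
import tempfile
import zipfile

# Artifact names taken from the advisory's malware sets.
ARTIFACT_FILES = {"web-install.jar"}
ARTIFACT_CLASSES = {
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root):
    """Walk `root` and return findings for files named like the loader and
    for JAR/ZIP archives containing a class name from the malware sets."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in ARTIFACT_FILES:
                findings.append({"path": full, "kind": "loader_filename",
                                 "sha256": sha256_of(full)})
            if zipfile.is_zipfile(full):
                try:
                    with zipfile.ZipFile(full) as zf:
                        hits = [e for e in zf.namelist()
                                if os.path.basename(e) in ARTIFACT_CLASSES]
                except zipfile.BadZipFile:
                    continue
                if hits:
                    findings.append({"path": full, "kind": "embedded_class",
                                     "classes": sorted(hits), "sha256": sha256_of(full)})
    return findings


def _write_jar(path, entries):
    """Write a minimal ZIP/JAR with the given {entry_name: bytes} contents."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)


def build_demo_tree():
    """Constructed demo tree (NOT real malware): a JAR named like the loader,
    a JAR with a placeholder ReflectUtil.class entry, and a clean JAR."""
    root = tempfile.mkdtemp(prefix="epmm-hunt-")
    tmp_dir = os.path.join(root, "tmp")
    lib_dir = os.path.join(root, "webapps", "lib")
    os.makedirs(tmp_dir)
    os.makedirs(lib_dir)
    _write_jar(os.path.join(tmp_dir, "web-install.jar"),
               {"placeholder.txt": b"constructed sample, not malware"})
    _write_jar(os.path.join(lib_dir, "helper.jar"),
               {"com/example/ReflectUtil.class": b"PLACEHOLDER CLASS BYTES"})
    _write_jar(os.path.join(lib_dir, "clean.jar"),
               {"com/example/Util.class": b"PLACEHOLDER CLASS BYTES"})
    return root


if __name__ == "__main__":
    for finding in hunt(build_demo_tree()):
        print(finding)
```

Point `hunt()` at the mount point of the forensic image rather than the live system, and keep the returned hashes with the case notes; a match on name alone is a lead for deeper analysis, not proof of compromise on its own.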

Source:

  • https://www.cisa.gov/news-events/analysis-reports/ar25-261a
