Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Common Information
Type Value
UUID 9e79ec8c-a373-4185-8d9d-05cea91bd92f
Fingerprint 2d7e88714479d204
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 9, 2025, midnight
Added to db Jan. 9, 2025, 1:26 a.m.
Last updated Jan. 20, 2025, 12:53 p.m.
Headline Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Title Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Detected Hints/Tags/Attributes 103/3/31
Attributes
Details Type #Events CTI Value (note: several rows typed "Domain" below — e.g. ld.so, scanner.py, main.cc, dsupgrade.pm, libsshd.so — are auto-extracted file/library names from the report, not network indicators; treat only duosecurity.com as a hostname, and the md5 rows as the actionable hashes)
Details CVE 67
cve-2025-0282
Details CVE 50
cve-2025-0283
Details CVE 62
cve-2023-46805
Details CVE 80
cve-2024-21887
Details Domain 7
dsupgrade.pm
Details Domain 2
main.cc
Details Domain 4
log.events
Details Domain 1
libupgrade.so
Details Domain 1
libsocks5.so
Details Domain 3
libsshd.so
Details Domain 1
liblogblock.so
Details Domain 14
duosecurity.com
Details Domain 3
dsauth.pm
Details Domain 138
ld.so
Details Domain 9
scanner.py
Details File 1
remotedebug.bak
Details File 1
cgi.bak
Details File 1
pm.bak
Details File 24
audit.log
Details File 9
scanner.py
Details md5 2
e7d24813535f74187db31d4114f607a1
Details md5 1
4f79c70cce4207d0ad57a339a9c7f43c
Details md5 2
d18e5425ecd9608ecb992606b974e15d
Details md5 1
d4e46eed76ad86f08a40993c3e340bab
Details Mandiant Uncategorized Groups 16
UNC5337
Details Mandiant Uncategorized Groups 25
UNC5221
Details Yara rule 1
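// SPAWNSNAIL: ELF SSH backdoor from the SPAWN family (see meta.description).
// The condition requires the ELF magic plus at least one hit from EACH of the
// key-path, selinux/DSVersion and libssh-API groups, so a benign binary that
// merely links libssh will not match on the $ssh* strings alone.
// NOTE(review): the description is a single YARA string; it must not be
// line-wrapped in the rule file or the rule fails to compile.
rule M_APT_Installer_SPAWNSNAIL_1 {
	meta:
		author = "Mandiant"
		description = "Detects SPAWNSNAIL. SPAWNSNAIL is an SSH backdoor targeting Ivanti devices. It has an ability to inject a specified binary to other process, running local SSH backdoor when injected to dsmdm process, as well as injecting additional malware to dslogserver"
		// Reference sample only; the rule is string-based and is not limited to this hash.
		md5 = "e7d24813535f74187db31d4114f607a1"
	strings:
		// PEM private-key footer fragment embedded in the binary.
		$priv = "PRIVATE KEY-----" ascii fullword
		// printf-style host-key paths ("%d/<keytype>") -- the %d prefix is a
		// format placeholder; what it expands to is not visible in this rule.
		$key1 = "%d/id_ed25519" ascii fullword
		$key2 = "%d/id_ecdsa" ascii fullword
		$key3 = "%d/id_rsa" ascii fullword
		// Ivanti-appliance-specific strings (SELinux enforce log tag, DSVersion symbol).
		$sl1 = "[selinux] enforce" ascii fullword
		$sl2 = "DSVersion::getReleaseStr()" ascii fullword
		// libssh server-side API symbol names used by the embedded SSH server.
		$ssh1 = "ssh_set_server_callbacks" ascii fullword
		$ssh2 = "ssh_handle_key_exchange" ascii fullword
		$ssh3 = "ssh_add_set_channel_callbacks" ascii fullword
		$ssh4 = "ssh_channel_close" ascii fullword
	condition:
		// 0x464c457f is "\x7fELF" read little-endian: scan ELF images only.
		uint32(0) == 0x464c457f and $priv and any of ($key*) and any of ($sl*) and any of ($ssh*)
}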
Details Yara rule 1
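// SPAWNANT: ELF installer for the SPAWN family (see meta.description).
// Threshold is 5 of 7 strings; $s2 ("vsnprintf") is a generic libc import and
// $s6 ("LD_PRELOAD") is common in legitimate tooling, so those two cannot carry
// a match on their own -- at least three of the more specific strings
// (dspkginstall / bom_files / do-install / ld.so.preload / scanner.py) are needed.
// NOTE(review): no reference md5 is given in meta for this rule; the
// description is a single YARA string and must not be line-wrapped.
rule M_APT_Installer_SPAWNANT_1 {
	meta:
		author = "Mandiant"
		description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box."
	strings:
		// Ivanti package-install binary name referenced by the installer.
		$s1 = "dspkginstall" ascii fullword
		// Generic libc symbol -- weak indicator, kept only as part of the count.
		$s2 = "vsnprintf" ascii fullword
		$s3 = "bom_files" ascii fullword
		$s4 = "do-install"
		// Preload-based persistence artifacts (consistent with the "persistently
		// install" behaviour in meta.description; exact mechanism not shown here).
		$s5 = "ld.so.preload"
		$s6 = "LD_PRELOAD"
		// Matches the scanner.py filename also listed in the report's attributes.
		$s7 = "scanner.py"
	condition:
		// 0x464c457f is "\x7fELF" read little-endian: scan ELF images only.
		uint32(0) == 0x464c457f and 5 of ($s*)
}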
Details Yara rule 1
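// SPAWNMOLE: ELF32 tunneler (see meta.description). This rule keys on two
// x86 compare/branch byte sequences rather than strings, so it is specific to
// this compiled code and will not survive recompilation or an architecture
// change; pair it with the string-based SPAWN rules for coverage.
// NOTE(review): description typos fixed ("a specific comparisons", "filter put");
// it is a single YARA string and must not be line-wrapped.
rule M_APT_Tunneler_SPAWNMOLE_1 {
	meta:
		author = "Mandiant"
		description = "Detects specific comparisons in SPAWNMOLE tunneler, which allow malware to filter out its own traffic. SPAWNMOLE is a tunneler written in C and compiled as an ELF32 executable. The sample is capable of hijacking a process on the compromised system with a specific name and hooking into its communication capabilities in order to create a proxy server for tunneling traffic."
		// Reference sample only; the byte patterns are not tied to this hash.
		md5 = "4f79c70cce4207d0ad57a339a9c7f43c"
	strings:
		// cmp al,0x16 / je ?? / movzx ... / cmp al,3 / je ?? / movzx ... / cmp al,1 / jne rel32
		// -- a three-way byte check; [n] wildcards skip the variable jump/modrm bytes.
		$comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 3C 01 0F 85 }
		// cmp r/m32, 0xFB49E3E2 / jne rel32 / cmp r/m32, 0x1BC38361 / jne rel32
		// -- two 32-bit constant compares (presumably a traffic-tagging magic; not
		// confirmed from the rule alone).
		$comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 1B 0F 85 }
	condition:
		// 0x464c457f is "\x7fELF" read little-endian; both sequences must be present.
		uint32(0) == 0x464c457f and all of them
}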
Details Yara rule 1
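// PHASEJAM: script-style dropper (see meta.description). Unlike the SPAWN
// rules there is no ELF-magic check -- the strings are shell commands and
// Ivanti file paths, so the target is a text/script artifact, bounded by the
// filesize cap. 8 of 10 strings must hit, which keeps the generic fragments
// ("pkill cgi-server", "chmod 777 ...") from matching on their own.
// NOTE(review): the description is a single YARA string; do not line-wrap it.
rule M_Dropper_PHASEJAM_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings identified in the PHASEJAM dropper"
		// Reference sample only; the rule is string-based.
		md5 = "d18e5425ecd9608ecb992606b974e15d"
	strings:
		// Perl sub name the dropper searches for / patches (see $str6).
		$str1 = "AccessAllow()"
		// Web component path and its backup copy written by the dropper.
		$str2 = "/jam/getComponent.cgi"
		$str3 = "jam/getComponent.cgi.bak"
		// Start of base64-decoded payloads assigned to shell variables; the
		// prefix "CnN1Y" decodes to "\nsu" + partial byte (rest not in the rule).
		$str4 = "sh=$(echo CnN1Y"
		$str5 = "up=$(echo CnN1Y"
		$str6 = "grep -q 'sub AccessAllow()'"
		// Backs up remotedebug and DSUpgrade.pm before modifying them -- matches
		// the remotedebug.bak / pm.bak file attributes listed for this report.
		$str7 = "cp -f /home/bin/remotedebug /home/bin/remotedebug.bak"
		$str8 = "chmod 777 /home/bin/remotedebug.bak"
		$str9 = "cp -f /home/perl/DSUpgrade.pm /home/perl/DSUpgrade.pm.bak"
		// Restarts the CGI server so the patched Perl is loaded (generic string).
		$str10 = "pkill cgi-server"
	condition:
		// 20KB == 20*1024 bytes in YARA; larger files are skipped.
		8 of them and filesize < 20KB
}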
Details Yara rule 1
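// DRYHOOK: credential stealer that patches the appliance's Perl auth module
// (see meta.description). No ELF check -- strings are paths, shell commands and
// a Python source fragment, so the target is a script. 8 of 9 strings must hit,
// bounded by the filesize cap.
// NOTE(review): the description is a single YARA string; do not line-wrap it.
rule M_Credtheft_DRYHOOK_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for strings identified in the DRYHOOK credential stealer"
		// Reference sample only; the rule is string-based.
		md5 = "d4e46eed76ad86f08a40993c3e340bab"
	strings:
		// Perl authentication module that gets modified (matches the dsauth.pm attribute).
		$str1 = "/home/perl/DSAuth.pm"
		// Variable names holding the replacement code blocks.
		$str2 = "replace_content"
		$str3 = "replace1_content"
		$str4 = "replace2_content"
		// Restarts the CGI server so the patched module is loaded (generic string).
		$str5 = "pkill cgi-server"
		// Perl hook targets; "\\*" in YARA is a literal backslash followed by '*'.
		$str6 = "setPrompt ="
		$str7 = "runSignin = \\*DSAuthc::RealmSignin_runSignin"
		// Remounts the root filesystem read-write so DSAuth.pm can be overwritten.
		$str8 = "/bin/mount -o remount,rw / > /dev/null 2>&1"
		// ASCII hex of the Python line:
		//   data = re.sub(b"\*runSigninEBSL =.*;",base64.b64decode(replace2_content.encode()).decode().encode("unicode_escape"),data)
		// i.e. the regex substitution that splices replace2_content into DSAuth.pm.
		$str9 = { 64 61 74 61 20 3D 20 72 65 2E 73 75 62 28 62 22 5C 2A 72 75 6E 53 69 67 6E 69 6E 45 42 53 4C 20 3D 2E 2A 3B 22 2C 62 61 73 65 36 34 2E 62 36 34 64 65 63 6F 64 65 28 72 65 70 6C 61 63 65 32 5F 63 6F 6E 74 65 6E 74 2E 65 6E 63 6F 64 65 28 29 29 2E 64 65 63 6F 64 65 28 29 2E 65 6E 63 6F 64 65 28 22 75 6E 69 63 6F 64 65 5F 65 73 63 61 70 65 22 29 2C 64 61 74 61 29 }
	condition:
		// 20KB == 20*1024 bytes in YARA; larger files are skipped.
		8 of them and filesize < 20KB
}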