CISA: Ivanti Devices May Harbor Dormant RESURGE Malware

Summary
– CISA has released new details on RESURGE, a sophisticated malware implant that exploits a critical Ivanti vulnerability (CVE-2025-0282) to breach devices.
– The implant uses advanced evasion techniques, including passive command-and-control that waits for specific inbound TLS connections to avoid network monitoring.
– It employs a fake Ivanti certificate for authentication and verification, which can also serve as a detection signature for defenders.
– RESURGE includes capabilities for log tampering and firmware manipulation to achieve stealth and boot-level persistence on compromised systems.
– CISA warns the implant can remain dormant and undetected, urging administrators to use the provided indicators of compromise to find and remove it.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical update concerning the RESURGE malware, a sophisticated threat targeting Ivanti Connect Secure appliances. This malicious implant, which leverages a critical vulnerability tracked as CVE-2025-0282, is designed for stealth and long-term persistence, often remaining completely dormant and undetected on compromised systems. The agency warns that this poses an ongoing and active risk to organizations using these devices.
CISA’s latest bulletin provides deeper technical insight into the implant’s operation. RESURGE is a 32-bit Linux Shared Object file known as libdsupgrade.so. It functions as a passive command-and-control tool with a wide array of capabilities, including those of a rootkit, bootkit, backdoor, and tunneling proxy. Its most notable feature is a sophisticated network-level evasion technique. Unlike typical malware that sends regular signals to a command server, RESURGE waits indefinitely for a specific, inbound TLS connection initiated by the attacker. This passive stance makes it exceptionally difficult to detect through standard network monitoring.
The malware operates by hooking into the ‘accept()’ function within the device’s ‘web’ process. It inspects incoming TLS packets before they reach the legitimate web server, searching for connection attempts that match a specific cryptographic fingerprint. This fingerprint is calculated using a CRC32 TLS fingerprint hashing scheme. If an incoming connection does not match this precise fingerprint, the traffic is simply passed along to the authentic Ivanti server, leaving no trace of interference.
To further ensure covert communication, the threat actors employ a forged Ivanti certificate for authentication. This fake certificate allows the attacker to verify they are interacting with their own malware implant and not the real server. Importantly, CISA notes this certificate is not used to encrypt communications; its sole purpose is verification. Because this forged certificate is transmitted unencrypted, network defenders can potentially use it as a detectable network signature to identify an active compromise.
Once the initial fingerprint validation and certificate authentication are complete, the attacker establishes an encrypted channel with the implant over a mutual TLS session that uses elliptic-curve (EC) cryptography. Analysis indicates the implant requests the attacker’s EC key for encryption and verifies it against a hard-coded EC Certificate Authority key embedded within the malware. By closely mimicking legitimate TLS and SSH traffic patterns, RESURGE achieves a high degree of stealth and persistence on the infected device.
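The certificate behaviour described above suggests a simple network check: on the attacker's connection the implant presents a certificate other than the appliance's genuine one, and in a TLS 1.2 handshake that Certificate message is sent in the clear. The following added example (not code from CISA, Ivanti or the article) parses a plaintext TLS 1.2 Certificate record and flags any leaf certificate whose SHA-256 fingerprint is not on a known-good allowlist; the certificate bytes, the allowlist and the record-building helper are constructed for the demo and assume a TLS 1.2 handshake.

```python
import hashlib
import struct


def parse_tls12_certificate_record(record: bytes) -> list[bytes]:
    """Return the DER certificates carried in a plaintext TLS 1.2 Certificate record.

    Record layer: type(1)=0x16 handshake, version(2), length(2).
    Handshake: type(1)=0x0b Certificate, length(3), certificates_length(3),
    then repeated (certificate_length(3) + certificate bytes).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    certs_len = int.from_bytes(hs[0:3], "big")
    pos, end, certs = 3, 3 + certs_len, []
    while pos < end:
        clen = int.from_bytes(hs[pos:pos + 3], "big")
        certs.append(hs[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as most TLS tooling reports it."""
    return hashlib.sha256(der).hexdigest()


def check_server_certificate(record: bytes, known_good: set[str]) -> list[str]:
    """Alert when the leaf certificate the appliance presents is not a known-good one."""
    certs = parse_tls12_certificate_record(record)
    alerts = []
    if certs and fingerprint(certs[0]) not in known_good:
        alerts.append(f"unexpected server certificate sha256={fingerprint(certs[0])}")
    return alerts


def build_certificate_record(certs: list[bytes]) -> bytes:
    """Constructed helper: wrap DER blobs in a TLS 1.2 Certificate record for the demo."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs_body = len(entries).to_bytes(3, "big") + entries
    handshake = b"\x0b" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
```

In production the allowlist is populated from the appliance's own exported certificate; with TLS 1.3, where the Certificate message is encrypted, the same comparison has to run at a point that can see the decrypted handshake.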
CISA’s analysis also covers additional components deployed alongside RESURGE. One is a variant of the SpawnSloth malware, named liblogblock.so, which is responsible for tampering with system logs to erase evidence of malicious activity. Another file, called dsmain, is a kernel extraction script. It incorporates open-source utilities to allow RESURGE to decrypt, modify, and re-encrypt coreboot firmware images. This capability enables the malware to achieve boot-level persistence, ensuring it survives device reboots and firmware updates.
The agency emphasizes that because RESURGE can remain completely latent until an attacker connects, it may be dormant and undetected on Ivanti Connect Secure devices for extended periods. This underscores the persistent threat it represents. CISA urges all system administrators to immediately utilize the updated indicators of compromise (IoCs) provided in their advisory to scan for and eradicate any latent RESURGE infections from their networks.
(Source: Bleeping Computer)