DslogdRAT Exploits Ivanti Connect Secure Vulnerability

Date: 2025 April 25
Source: https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html

Summary

Attackers exploited the zero-day vulnerability CVE-2025-0282 in Ivanti Connect Secure to deploy DslogdRAT malware and a Perl-based web shell on targeted Japanese organizations in December 2024. The web shell, executed via CGI, checks for a hardcoded cookie value before running commands supplied in the HTTP request. DslogdRAT employs a multi-stage execution process, where the main process spawns child processes to decode configuration data, establish C2 communication, and execute attacker commands.
DslogdRAT communicates with its C2 server using XOR-encoded socket transmissions, exfiltrating host data and enabling file transfers, command execution, and proxy functionality. Security researchers also discovered SPAWNSNARE malware on the same compromised systems, though it remains unclear if this activity ties to the UNC5221 group’s SPAWN malware campaigns. JPCERT/CC warns that attacks leveraging Ivanti vulnerabilities (e.g., CVE-2025-22457) are ongoing.

Attack Sequence

Figure: exploitation of the 0-day vulnerability CVE-2025-0282 allows installation of malware and a web shell on the affected machine (web server).

  1. The main process of the malware spawns a child process and then terminates itself.
  2. Child process #1 decodes the configuration data, spawns child process #2, and then enters loop routines that never terminate.
  3. Child process #2 contains the core functionality of the malware: it initiates communication with the C2 server based on the decoded configuration data, then creates a worker thread and passes it the socket information for that communication.
  4. The worker thread created by child process #2 receives commands from the C2 server.
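The fork-and-exit chain described in the four steps above is a shape that endpoint telemetry can surface on its own, independent of file hashes. The following script is an added example (not code from the JPCERT/CC report): it rebuilds process lineage from constructed sample events and flags a same-image chain whose root exited after forking and whose descendant opened a network connection. The event tuple layout, the PIDs and the image paths are assumptions made for the demo.

```python
"""Flag fork-and-exit process chains in endpoint process telemetry.

Added example, not code from the JPCERT/CC report. The event tuple layout,
PIDs and image paths below are assumptions made for the demo.
"""
from collections import defaultdict

# Constructed sample telemetry: (event, pid, ppid, image).
# "start" = process created, "exit" = process terminated,
# "connect" = process opened an outbound TCP connection.
SAMPLE_EVENTS = [
    ("start",   100, 1,   "/usr/sbin/sshd"),
    ("start",   501, 400, "/tmp/.cache/dslogd"),   # hypothetical path: main process
    ("start",   502, 501, "/tmp/.cache/dslogd"),   # child #1
    ("exit",    501, 400, "/tmp/.cache/dslogd"),   # main process terminates itself
    ("start",   503, 502, "/tmp/.cache/dslogd"),   # child #2
    ("connect", 503, 502, "/tmp/.cache/dslogd"),   # child #2 reaches out to C2
    ("start",   601, 600, "/usr/bin/perl"),        # unrelated short-lived chain
    ("start",   602, 601, "/bin/sh"),
    ("exit",    602, 601, "/bin/sh"),
]


def build_lineage(events):
    """Index events by PID: image path, children, and which PIDs exited / connected."""
    image, children = {}, defaultdict(list)
    exited, connected = set(), set()
    for ev, pid, ppid, img in events:
        if ev == "start":
            image[pid] = img
            children[ppid].append(pid)
        elif ev == "exit":
            exited.add(pid)
        elif ev == "connect":
            connected.add(pid)
    return image, children, exited, connected


def find_fork_chains(events, min_depth=3):
    """Return chains [root, child, grandchild, ...] of same-image processes where
    the root exited after forking and a descendant at depth >= min_depth opened
    a network connection. min_depth=3 matches the three-stage pattern in the
    report (main process -> child #1 -> child #2)."""
    image, children, exited, connected = build_lineage(events)
    chains = []

    def walk(pid, path):
        if pid in connected and len(path) >= min_depth:
            chains.append(path)
        for child in children.get(pid, []):
            if image.get(child) == image[pid]:
                walk(child, path + [child])

    for root in image:
        if root in exited and children.get(root):
            walk(root, [root])
    return chains


if __name__ == "__main__":
    for chain in find_fork_chains(SAMPLE_EVENTS):
        print("suspicious fork chain:", " -> ".join(map(str, chain)))
```

The same-image requirement keeps ordinary CGI activity (a Perl interpreter that runs a shell and exits) out of the result set; a real deployment would feed this from EDR or auditd process events rather than a hard-coded list and would pair the hit with the destination address from the connect event.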

Affected Technologies

Ivanti Connect Secure (CVE-2025-0282; attacks against CVE-2025-22457 are also ongoing).

Impact

DslogdRAT provides persistent remote access, enabling data theft, lateral movement, and further malware deployment. Its time-restricted operation complicates detection, while the web shell allows rapid exploitation.

Recommendations

Organizations using Ivanti Connect Secure should immediately patch CVE-2025-0282 and CVE-2025-22457, monitor for anomalous CGI/Perl script execution, and inspect network traffic for XOR-encoded C2 communications (notably during business hours).
Organizations should also implement endpoint detection for multi-process spawning and review systems for IOCs listed in JPCERT/CC’s appendices. Regular log analysis and threat-hunting for SPAWN malware variants are advised.

Indicators of Compromise (IOCs)

IPs (C2 server):
  3.112.192[.]119

Files (SHA-256):
  1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8
  f48857263991eea1880de0f62b3d1d37101c2e7739dcd8629b24260d08850f9c
  b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d
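The recommendations above ask for a review of systems against the listed IOCs. The following script is an added example, not JPCERT/CC's tooling: it sweeps a directory for the three file hashes and scans log lines for the C2 address. The hashes and the IP are the ones published above; the sample files and log lines are constructed for the demo, and the planted file only matches because its digest is added to the search set at runtime so the sweep has something to find.

```python
"""Sweep files for the listed SHA-256 hashes and log lines for the C2 address.

Added example, not JPCERT/CC's tooling. IOC values come from the report;
sample files and log lines are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# IOCs as published (the IP is defanged with [.] in the report).
IOC_SHA256 = {
    "1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8",
    "f48857263991eea1880de0f62b3d1d37101c2e7739dcd8629b24260d08850f9c",
    "b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d",
}
IOC_IPS_DEFANGED = {"3.112.192[.]119"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator):
    """Turn a defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, hashes=frozenset(IOC_SHA256)):
    """Return [(path, sha256)] for every file under root whose digest is in hashes."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if digest in hashes:
                hits.append((path, digest))
    return hits


def scan_log_lines(lines, ips=None):
    """Return [(line_no, line)] for lines that mention a C2 address."""
    ips = ips if ips is not None else {refang(i) for i in IOC_IPS_DEFANGED}
    hits = []
    for no, line in enumerate(lines, 1):
        if any(addr in ips for addr in IPV4_RE.findall(line)):
            hits.append((no, line.rstrip()))
    return hits


# Constructed sample log: one connection to the report's C2 IP, two to
# RFC 5737 documentation addresses that must not match.
SAMPLE_LOG = [
    "2024-12-10T09:12:01 conntrack: tcp 10.0.0.7:51234 -> 198.51.100.7:443 established",
    "2024-12-10T09:12:05 conntrack: tcp 10.0.0.7:51235 -> 3.112.192.119:443 established",
    "2024-12-10T09:13:00 conntrack: tcp 10.0.0.7:51236 -> 203.0.113.9:443 established",
]


def run_demo():
    """Build a scratch directory with a benign file and a planted file, then sweep."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        planted = os.path.join(root, "planted.bin")
        with open(benign, "wb") as f:
            f.write(b"constructed benign content\n")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a known-bad file\n")
        # The real IOC hashes stay in the set; the planted digest is added for the demo.
        hashes = IOC_SHA256 | {sha256_of(planted)}
        file_hits = [os.path.basename(p) for p, _ in sweep_files(root, hashes)]
    log_hits = scan_log_lines(SAMPLE_LOG)
    return file_hits, log_hits


if __name__ == "__main__":
    files, logs = run_demo()
    print("file hits:", files)
    for no, line in logs:
        print(f"log line {no}: {line}")
```

Point `sweep_files` at a mounted image or a collected file set and `scan_log_lines` at proxy, firewall or conntrack exports; because the report notes the implant is active during business hours, the timestamps on any log hits are worth keeping alongside the match.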

#dslogdrat #ivanti #CVE-2025-0282 #threat-report #web-shell