Ethical Hacking News
Cybersecurity researchers have warned of a new malware called DslogdRAT that has been deployed via the exploitation of a zero-day vulnerability in Ivanti Connect Secure (ICS). The malware is believed to be part of a larger campaign involving the SPAWN malware family operated by UNC5221. Attacks have been linked to IP addresses in the Netherlands, Germany, and the United States, with malicious IPs observed using Tor exit nodes.
DslogdRAT, a type of malware, has been detected in recent attacks against organizations in Japan. The malware was deployed via the exploitation of a zero-day vulnerability in Ivanti Connect Secure (ICS). A China-nexus cyber espionage group, UNC5337, had discovered and exploited this flaw to deliver SPAWN malware. The attacks began around December 2024, with DslogdRAT establishing persistent backdoors on infected systems. Cybersecurity researchers link the attacks to a larger campaign involving the SPAWN malware family operated by UNC5221. A significant spike in suspicious scanning activity has been observed targeting ICS and Ivanti Pulse Secure (IPS) appliances from over 270 unique IP addresses.
DslogdRAT, a type of malware known for its ability to establish persistent backdoors on infected systems, has been detected in recent attacks against organizations in Japan. According to reports from cybersecurity researchers, the malware was deployed via the exploitation of a zero-day vulnerability in Ivanti Connect Secure (ICS), critical infrastructure software used by many organizations around the world.
The vulnerability in question, identified as CVE-2025-0282, was addressed by Ivanti in early January 2025. However, it appears that a China-nexus cyber espionage group dubbed UNC5337 had already discovered and exploited this flaw in order to deliver a suite of malware known as SPAWN, which is designed to spy on and manipulate systems.
The attacks involving DslogdRAT began around December 2024, with the malware being installed following the successful exploitation of the Ivanti ICS vulnerability. The malware's primary function is to establish a persistent backdoor on infected systems, allowing attackers to remotely access and control them. In addition to this functionality, DslogdRAT also allows attackers to execute shell commands, upload and download files, and use the infected host as a proxy server.
Cybersecurity researchers from JPCERT/CC have revealed that the attacks involving DslogdRAT are part of a larger campaign involving the SPAWN malware family operated by UNC5221. The attack sequence outlined by the agency entails the exploitation of CVE-2025-0282 to deploy a Perl web shell, which then serves as a conduit to deploy additional payloads, including DslogdRAT.
The attacks have been linked to IP addresses in the Netherlands, Germany, and the United States, with malicious IPs observed using Tor exit nodes. The threat intelligence firm GreyNoise has warned of a significant spike in suspicious scanning activity targeting ICS and Ivanti Pulse Secure (IPS) appliances from over 270 unique IP addresses in the past 24 hours.
According to the report published by JPCERT/CC, "this surge may indicate coordinated reconnaissance and possible preparation for future exploitation." The report also noted that spikes like this often precede active exploitation.
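The scanning spike described above (over 270 distinct sources in 24 hours, some arriving via Tor exit nodes) is the kind of signal a defender can pull out of appliance or reverse-proxy access logs. The following is an added example, not code from the article or from any vendor: it slides a 24-hour window over login requests, alerts when the number of distinct source IPs crosses a threshold, and tags sources found in an exit-node list. The login path, the exit-node list and every log line are constructed placeholders in TEST-NET ranges, not indicators from the article.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed placeholders (TEST-NET ranges), not indicators from the article:
# an assumed appliance login path and a tiny stand-in for a Tor exit-node list.
LOGIN_PATH = "/appliance/login"
TOR_EXITS = {"198.51.100.7", "198.51.100.9"}
# Constructed access-log lines: "<UTC timestamp> <src ip> <method> <path> <status>".
SAMPLE_LOG = [
    "2025-04-22T06:00:00Z 203.0.113.9 GET /appliance/login 200",  # ages out of the window
    "2025-04-23T08:00:00Z 203.0.113.1 GET /appliance/login 200",
    "2025-04-23T09:30:00Z 203.0.113.2 GET /appliance/login 200",
    "2025-04-24T07:00:00Z 203.0.113.3 GET /appliance/login 200",
    "2025-04-24T07:06:00Z 198.51.100.7 GET /appliance/login 200",  # listed exit node
    "2025-04-24T07:07:00Z 198.51.100.9 GET /appliance/login 200",  # listed exit node
    "2025-04-24T07:08:00Z 203.0.113.3 GET /appliance/login 200",   # repeat source
    "2025-04-24T07:09:00Z 203.0.113.7 GET /status 200",            # not the login path
]

def parse_line(line):
    """Return (timestamp, src_ip, path), or None for a malformed line."""
    parts = line.split()
    try:
        return datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1], parts[3]
    except (ValueError, IndexError):
        return None

def detect_surge(lines, threshold=270, window=timedelta(hours=24)):
    """Slide a window over login requests (assumed chronological); emit one alert
    each time distinct sources cross the threshold. 270 per 24h is the article's figure."""
    events, counts, alerts, tor_hits, above = deque(), {}, [], set(), False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != LOGIN_PATH:
            continue
        ts, ip, _ = parsed
        if ip in TOR_EXITS:
            tor_hits.add(ip)
        events.append((ts, ip))
        counts[ip] = counts.get(ip, 0) + 1
        while ts - events[0][0] > window:            # expire requests older than the window
            _, old = events.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        crossed = len(counts) > threshold
        if crossed and not above:                    # alert only on the upward crossing
            alerts.append((ts, len(counts)))
        above = crossed
    return {"alerts": alerts, "tor_sources": sorted(tor_hits), "unique_sources": len(counts)}
```

With the default threshold the tiny sample never alerts; lowering it to 4 shows the crossing at the sixth login request, with the two listed exit nodes reported alongside it.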
It is worth noting that similar attacks have been reported involving other malware strains, including SPAWNCHIMERA and RESURGE. These attacks are believed to be the result of exploits for two additional zero-day vulnerabilities in ICS, identified as CVE-2025-22457.
The recent surge in suspicious activity highlights the ongoing threat posed by cyber espionage groups operating in China. These groups have shown an alarming ability to exploit zero-day vulnerabilities in critical infrastructure software and use them to gain unauthorized access to systems.
In order to mitigate this risk, organizations are advised to prioritize vulnerability patching and maintain robust security controls. Regular monitoring of network activity is also essential for identifying potential threats.
In conclusion, the recent attacks involving DslogdRAT highlight the ongoing threat posed by cyber espionage groups operating in China. The exploitation of zero-day vulnerabilities in critical infrastructure software remains a significant concern, and organizations must take proactive steps to protect themselves against these types of threats.
Related Information:
https://www.ethicalhackingnews.com/articles/DslogdRAT-Malware-Spreads-After-Exploiting-Ivanti-ICS-Zero-Day-Vulnerability-ehn.shtml
Published: Fri Apr 25 05:01:02 2025 by llama3.2 3B Q4_K_M