Ethical Hacking News

JPCERT Warns of DslogdRAT Malware Deployed in Ivanti Connect Secure: A Threat to Enterprise Networks



JPCERT/CC has warned about a new malware threat, DslogdRAT, deployed in Ivanti Connect Secure. This malware exploits a zero-day vulnerability and poses significant risks to enterprise networks. Organizations using Ivanti Connect Secure software are advised to patch their systems with the latest version, implement robust security measures, and conduct regular security audits to mitigate this risk.


  • JPCERT/CC has issued a warning about a new malware threat, DslogdRAT, detected in an Ivanti Connect Secure system.
  • The malware was deployed by exploiting a zero-day vulnerability (CVE-2025-0282, CVSS 9.0) that an unauthenticated attacker can use for remote code execution and a local authenticated attacker can use to escalate privileges.
  • CISA has added the same flaw to its KEV catalog, urging organizations to patch their systems with the latest version.
  • Microsoft warned about a China-backed APT group (Silk Typhoon) targeting global IT supply chains using compromised IT firms, which allegedly exploited the same zero-day in January 2025 attacks.



    JPCERT/CC, a renowned cybersecurity research organization, has recently issued a warning about a new malware threat that has been detected in the Ivanti Connect Secure system. According to the researchers, this malware, dubbed DslogdRAT, was deployed by exploiting a zero-day vulnerability in Ivanti Connect Secure (ICS) software.

    The vulnerability, tracked as CVE-2025-0282 and rated CVSS 9.0, is a stack-based buffer overflow that can be exploited to achieve remote code execution. An unauthenticated remote attacker can exploit it to run code on the system, while a local authenticated attacker can trigger it to escalate privileges.

    In January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the same flaw to its Known Exploited Vulnerabilities (KEV) catalog, acknowledging the severity of the threat. This warning serves as a reminder to organizations that use Ivanti Connect Secure software to patch their systems with the latest version.

    Microsoft had also recently warned about China-backed APT group Silk Typhoon, which has been linked to US Treasury hacks and is now targeting global IT supply chains using compromised IT firms. The attackers allegedly exploited the same zero-day in January 2025 attacks.

    JPCERT/CC researchers reported that attackers used a Perl-based CGI web shell that checks for a specific DSAUTOKEN cookie value and, if it matches, executes arbitrary commands via Perl's system function. The script runs as a CGI and reads the Cookie header from incoming HTTP requests.
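    A defensive check for the web shell behaviour described above: this added example (not JPCERT's code or anything taken from the report) scans captured HTTP request headers and flags requests to CGI endpoints that carry a DSAUTOKEN cookie, which a legitimate client would not normally send. The sample requests, the /cgi-bin/example.cgi path and the token value are constructed placeholders.

```python
# Flag captured HTTP requests that hit a CGI endpoint with a DSAUTOKEN cookie.
# Input is raw request headers as a reverse proxy or IDS would capture them;
# all sample requests, paths and token values below are constructed.
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (method, path, cookie value)

def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into a dict; tolerates missing '=' and stray spaces."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies

def inspect_request(raw: str, cookie_name: str = "DSAUTOKEN") -> Optional[Finding]:
    """Return (method, path, token) if a .cgi path is requested with the cookie set."""
    lines = raw.strip().splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        return None
    method, path = parts[0], parts[1]
    # Only the path, not the query string, decides whether this is a CGI target.
    if not path.split("?", 1)[0].lower().endswith(".cgi"):
        return None
    for line in lines[1:]:
        header, _, value = line.partition(":")
        if header.strip().lower() == "cookie":
            cookies = parse_cookie_header(value)
            if cookie_name in cookies:
                return (method, path, cookies[cookie_name])
    return None

def scan(requests: List[str]) -> List[Finding]:
    """Run inspect_request over a batch of captured requests and keep the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f]

SAMPLE_REQUESTS = [  # constructed; the token value is a placeholder
    "GET /index.html HTTP/1.1\r\nHost: vpn.example\r\nCookie: session=abc; lang=en\r\n",
    "POST /cgi-bin/example.cgi HTTP/1.1\r\nHost: vpn.example\r\n"
    "Cookie: session=abc; DSAUTOKEN=placeholder-token\r\n",
    "GET /cgi-bin/example.cgi?x=1 HTTP/1.1\r\nHost: vpn.example\r\nCookie: session=abc\r\n",
]

if __name__ == "__main__":
    for method, path, token in scan(SAMPLE_REQUESTS):
        print(f"ALERT {method} {path} DSAUTOKEN={token}")
```

    Only the second sample is reported; the third hits a CGI path but carries no DSAUTOKEN cookie.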

    Upon execution, the main process of DslogdRAT creates a first child process and then terminates itself. The child process decodes the configuration data and creates a second child process, which contains DslogdRAT core functionality. This malware uses socket connections with simple XOR encoding for C2 communication and supports proxy functionality, file upload and download capabilities, and execution of shell commands.

    DslogdRAT’s configuration is XOR-encoded and hardcoded to operate only from 8 AM to 8 PM to blend in with normal business activity and evade detection. The malware spawns two child processes: one stays idle in a loop, while the second handles core functions like C2 communication and command execution via the pthread library.

    Another malware, tracked as SPAWNSNARE, was also observed on the same compromised system. It was previously reported by CISA and Google in April 2025.

    The discovery of DslogdRAT malware highlights the growing threat landscape in enterprise networks. As organizations continue to rely on software-based systems for their critical infrastructure, it is essential that they stay vigilant about patching vulnerabilities and implementing robust security measures to prevent such attacks.

    To mitigate this risk, we recommend that organizations using Ivanti Connect Secure software follow these best practices:

    1. Regularly update the system with the latest version of the software.
    2. Ensure that all systems are patched against known vulnerabilities.
    3. Implement strict access controls and monitoring to detect any suspicious activity.
    4. Consider conducting regular security audits to identify potential weaknesses.

    By taking proactive measures, organizations can significantly reduce the risk of being targeted by this new malware threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/JPCERT-Warns-of-DslogdRAT-Malware-Deployed-in-Ivanti-Connect-Secure-A-Threat-to-Enterprise-Networks-ehn.shtml

  • Published: Fri Apr 25 14:39:42 2025 by llama3.2 3B Q4_K_M