CISA has updated its analysis of RESURGE malware, revealing it can stay undetected on Ivanti Connect Secure devices until attackers attempt to connect, using sophisticated evasion techniques including TLS fingerprinting and fake certificates.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning about RESURGE malware, revealing that the malicious implant can remain dormant and undetected on Ivanti Connect Secure devices until attackers attempt to establish a connection. This sophisticated threat represents a significant escalation in the ongoing campaign targeting Ivanti appliances through the exploitation of CVE-2025-0282.

The Dormant Threat
According to CISA's updated analysis, RESURGE operates as a passive command-and-control (C2) implant that doesn't actively beacon to command servers. Instead, it waits indefinitely for specific inbound TLS connections, making it exceptionally difficult to detect through traditional network monitoring, which typically looks for outbound beaconing. This dormancy is particularly concerning because the malware "may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat."
Technical Sophistication
The malware is a 32-bit Linux Shared Object file named libdsupgrade.so that was extracted from compromised devices. When loaded under the 'web' process, it hooks the 'accept()' function to inspect incoming TLS packets before they reach the web server. The implant uses a CRC32 TLS fingerprint hashing scheme to identify connection attempts from remote attackers.
If the fingerprint doesn't match, traffic is directed to the legitimate Ivanti server, allowing normal operations to continue undisturbed. This network-level evasion technique ensures that only authenticated attackers can interact with the implant.
Authentication Through Deception
One of the most concerning aspects of RESURGE is its authentication mechanism. The threat actor uses a fake Ivanti certificate to verify they are interacting with the implant rather than the legitimate Ivanti web server. While CISA notes that this certificate isn't used for encryption, it serves a crucial purpose in authentication and verification.
Because the forged certificate is sent unencrypted over the internet, CISA suggests that defenders could use it as a network signature to detect active compromises. This represents a potential avenue for organizations to identify infected systems.
Advanced Communication Methods
After successful fingerprint validation and authentication, the threat actor establishes secure remote access over a mutual TLS session using elliptic-curve (EC) cryptography. Static analysis indicates that the RESURGE implant requests the remote actor's EC key for encryption and verifies it against a hard-coded EC Certificate Authority (CA) key.
By mimicking legitimate TLS/SSH traffic, the implant achieves both stealth and persistence on compromised systems. This sophisticated approach allows attackers to maintain long-term access without triggering security alerts.
Additional Malicious Components
CISA's analysis also identified other malicious files associated with the RESURGE campaign:
- liblogblock.so: A variant of the SpawnSloth malware that performs log tampering to hide malicious activity on compromised devices
- dsmain: A kernel extraction script that embeds the open-source 'extract_vmlinux.sh' script and BusyBox utilities
The dsmain component allows RESURGE to decrypt, modify, and re-encrypt coreboot firmware images and manipulate filesystem contents for boot-level persistence.
Attribution and Timeline
According to researchers at Mandiant, the critical CVE-2025-0282 vulnerability was exploited as a zero-day since mid-December 2024 by a threat actor linked to China, tracked internally as UNC5221. This timeline suggests that the campaign has been active for several months, potentially compromising numerous Ivanti devices worldwide.
CISA's Recommendations
Given the sophisticated nature of this threat and its ability to remain dormant, CISA urges system administrators to use the updated indicators of compromise (IoCs) to discover dormant RESURGE infections and remove them from Ivanti devices. The agency emphasizes that organizations should assume compromise if they have not yet patched the CVE-2025-0282 vulnerability.
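For the IoC-driven hunt CISA recommends, and for the earlier point that the implant runs as a shared object loaded into the 'web' process, the following added example (not from CISA or Ivanti) shows two checks a responder can run over a mounted forensic image or a collected /proc dump: files matched by the names the advisory lists or by content hash, and file-backed mappings in a process's memory map whose basename is on the suspect list. The SHA-256 values and the /proc/maps sample are constructed placeholders; the real hashes come from CISA's IoC list.

```python
"""Host-side hunt for RESURGE artefacts: on-disk names/hashes and in-process mappings.

Added example (not from CISA or Ivanti). SUSPECT_SHA256 and SAMPLE_MAPS are constructed
placeholders; substitute the hashes published in CISA's IoCs before real use.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File names called out in the advisory.
SUSPECT_NAMES = {"libdsupgrade.so", "liblogblock.so", "dsmain"}
# PLACEHOLDER hash (not a real IoC); replace with values from the advisory.
SUSPECT_SHA256 = {"0" * 64}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large firmware blobs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(root, names=SUSPECT_NAMES, hashes=SUSPECT_SHA256):
    """Walk root; return sorted (path, reason) hits matched by name and/or content hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue
            reasons = []
            if fn in names:
                reasons.append("name")
            try:
                if sha256_file(p) in hashes:
                    reasons.append("sha256")
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if reasons:
                hits.append((str(p), "+".join(reasons)))
    return sorted(hits)


# /proc/<pid>/maps layout: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$")


def mapped_objects(maps_text: str) -> set[str]:
    """Distinct file-backed mappings (absolute paths) from /proc/<pid>/maps text."""
    return {m.group("path") for line in maps_text.splitlines()
            if (m := MAPS_LINE.match(line.strip()))}


def suspicious_mappings(maps_text: str, names=SUSPECT_NAMES) -> list[str]:
    """Mapped files whose basename is on the suspect list, e.g. a rogue .so in a web process."""
    return sorted(p for p in mapped_objects(maps_text) if os.path.basename(p) in names)


def read_maps(pid: int) -> str:
    """Read a live process map (needs suitable privileges on the host)."""
    return Path(f"/proc/{pid}/maps").read_text()


# Constructed sample; paths are illustrative, not Ivanti's real layout.
SAMPLE_MAPS = """\
08048000-08052000 r-xp 00000000 08:01 1234 /opt/example/web
f7e00000-f7f80000 r-xp 00000000 08:01 5678 /lib/libc.so.6
f7fa0000-f7fb0000 r-xp 00000000 08:01 9999 /tmp/libdsupgrade.so
f7fd0000-f7fd1000 rw-p 00000000 00:00 0
f7fd3000-f7fd4000 r-xp 00000000 00:00 0 [vdso]
"""


def demo_hunt():
    """Self-test: build a throwaway tree of constructed files and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "liblogblock.so").write_bytes(b"constructed, not real malware")
        (root / "bin").mkdir()
        (root / "bin" / "renamed.bin").write_bytes(b"constructed payload")
        (root / "bin" / "benign.txt").write_bytes(b"hello")
        known = {hashlib.sha256(b"constructed payload").hexdigest()}
        return [(os.path.relpath(p, root), r) for p, r in hunt_files(root, hashes=known)]


if __name__ == "__main__":
    print("disk hits:", demo_hunt())
    print("mapped suspects:", suspicious_mappings(SAMPLE_MAPS))
```

Hashing catches a renamed copy (the `renamed.bin` case in the self-test) that a name-only sweep would miss, while the name check catches a file whose hash differs from the published sample, as with a recompiled variant; run `hunt_files("/mnt/image")` against a mounted image and `suspicious_mappings(read_maps(pid))` against a live process map collected during triage.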
Broader Context
This warning comes amid a series of critical vulnerabilities affecting enterprise security infrastructure. The RESURGE malware campaign represents one of the most sophisticated threats targeting network appliances, combining multiple advanced techniques to achieve persistence and stealth.
Organizations using Ivanti Connect Secure devices should immediately review their security posture, apply available patches, and conduct thorough investigations for any signs of compromise. The ability of RESURGE to remain dormant until specific connection attempts makes it particularly dangerous, as traditional detection methods may fail to identify infected systems.
For organizations that have already been compromised, the presence of RESURGE may indicate that attackers have maintained persistent access for an extended period, potentially allowing them to move laterally within networks or exfiltrate sensitive data without detection.
