Since December 2024, a sophisticated malware campaign has been actively targeting Ivanti Connect Secure VPN devices by exploiting critical vulnerabilities, notably CVE-2025-0282 and CVE-2025-22457. These vulnerabilities have enabled threat actors to deploy multiple malware families, including MDifyLoader, Cobalt Strike Beacon, vshell, and Fscan, aiming to establish persistent access within compromised networks.
Initial Access and Exploitation
The attack sequence commences with adversaries gaining unauthorized access through unpatched Ivanti Connect Secure devices. Once inside, they initiate a complex infection chain designed to evade detection and maintain long-term presence. The primary payload in this campaign is a customized variant of Cobalt Strike Beacon version 4.5. Unlike standard implementations, this variant employs RC4 encryption with a hardcoded key google, deviating from the typical one-byte XOR encryption scheme.
Advanced Loader Mechanisms and Evasion Tactics
A notable component of this campaign is MDifyLoader, a custom loader built upon the open-source libPeConv project. MDifyLoader operates using a three-component architecture: an executable file, the loader itself, and an encrypted data file. The encryption key is derived from the MD5 hash value of the executable file, creating a dependency that complicates isolated analysis.
To further obfuscate their activities, attackers employ extensive code obfuscation techniques within MDifyLoader. This includes inserting junk code with meaningless function calls and variable references, utilizing relative address values, and referencing function return values. Such methods significantly hinder automated deobfuscation efforts.
The attackers also leverage legitimate system files to execute their payloads. For instance, they target files like the Java RMI compiler (rmic.exe) and push_detect.exe to initiate execution, demonstrating a preference for living-off-the-land techniques that utilize legitimate tools for malicious purposes.
Fscan Component and Lateral Movement
Another critical element of the campaign is the Fscan component, which exemplifies the multi-stage approach employed by the attackers. Fscan utilizes a python.exe loader to execute a malicious python311.dll through DLL side-loading. This implementation, based on the FilelessRemotePE tool, includes an Event Tracing for Windows (ETW) bypass mechanism targeting ntdll.dll, specifically designed to evade endpoint detection and response solutions.
The final payload is decrypted using RC4 encryption with the hardcoded key 99999999 before executing in memory, further complicating detection efforts.
Persistence Mechanisms
Following the initial compromise, the threat actors establish persistence through multiple mechanisms:
– Creating New Domain Accounts: Attackers create new accounts within the domain to maintain access.
– Registering Malware as Windows Services: Malicious software is registered as legitimate Windows services to ensure it runs continuously.
– Leveraging Task Scheduler: Scheduled tasks are created to execute malware at specified intervals, maintaining persistence.
Brute-Force Attacks and Exploitation of Vulnerabilities
The campaign demonstrates sustained activity with attackers conducting brute-force attacks against various services, including Active Directory servers, FTP, MSSQL, and SSH. Additionally, they exploit the MS17-010 SMB vulnerability for lateral movement across unpatched systems, allowing them to spread within the network.
Recommendations for Mitigation
Given the sophistication and persistence of this campaign, organizations using Ivanti Connect Secure VPN devices should take immediate action:
1. Apply Security Patches: Ensure that all Ivanti Connect Secure devices are updated to the latest firmware versions that address CVE-2025-0282 and CVE-2025-22457.
2. Monitor Network Traffic: Implement continuous monitoring to detect unusual activities, such as unexpected network connections or data transfers.
3. Conduct Regular Security Audits: Perform comprehensive security assessments to identify and remediate potential vulnerabilities within the network.
4. Enhance Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of identifying and mitigating sophisticated threats like those described in this campaign.
5. Educate Employees: Provide training to staff on recognizing phishing attempts and other common attack vectors used by threat actors.
By implementing these measures, organizations can strengthen their defenses against such advanced persistent threats and reduce the risk of compromise.
