SPAWNCHIMERA Malware: The Chimera Spawning from Ivanti Connect Secure Vulnerability
Summary:
On 8 January 2025, Ivanti disclosed and patched a stack-based buffer overflow (CVE-2025-0282) in its Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways that lets an unauthenticated attacker execute code remotely. A February 2025 report from JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) found that the flaw had been exploited in the wild since late December 2024, before Ivanti's disclosure, and that these intrusions deployed a new member of the SPAWN malware family, "SPAWNCHIMERA", which folds the functionality of the earlier SPAWNANT, SPAWNMOLE and SPAWNSNAIL components (and, as noted below, SPAWNSLOTH) into a single implant.
Several of SPAWNCHIMERA's changes are aimed at stealth. Previously, the malicious traffic that SPAWNMOLE picked out of the web server's connections was forwarded to port 8300 on 127.0.0.1, where SPAWNSNAIL handled it; that loopback TCP listener is exactly the kind of thing a socket listing shows. SPAWNCHIMERA instead carries the traffic over a UNIX domain socket between its two injected copies. “It is created in the below path, and malicious traffic is sent and received between SPAWNCHIMERA injected into the web process and that injected into the dsmdm process. This change made it more difficult to detect the malware, as netstat command results from the Integrity Checker Tool (ICT) may not be displayed,” notes JPCERT/CC in its advisory. The practical consequence is that a check limited to TCP and UDP listeners will not see this channel; on a Linux host, UNIX domain sockets must be enumerated separately (for example from /proc/net/unix or with ss -x) to find it.
Earlier variants carried a hardcoded SSH private key in plaintext and wrote it to /tmp/.dskey, leaving an artifact that a file-system check could find. SPAWNCHIMERA keeps the key XOR-encoded inside the sample and decodes it in memory when needed, so no key file touches disk. It also replaces the old test for malicious traffic, which matched part of the received buffer against a hardcoded value, with a new decode routine. The functionality of SPAWNSLOTH, the log-tampering component, is carried over largely unchanged, except that the functions that emitted debug messages have been removed, most likely to hinder analysis and detection.
Security Officer Comments:
A notable feature of SPAWNCHIMERA is that it carries a fix for CVE-2025-0282 itself. According to JPCERT/CC, the overflow lies in a call to strncpy, which copies up to n bytes from a source string into a destination buffer (padding with NUL bytes if the source is shorter than n); in the vulnerable code the requested length can exceed the stack buffer that receives the copy. SPAWNCHIMERA hooks strncpy at runtime and caps the copy length at 256 bytes, which stops the overflow without modifying the binary on disk.
Patching the bug from inside the implant serves two purposes. Exploitation attempts made after the implant is installed fail, which can make the appliance look as though it had already been patched and removes the obvious sign of how the attackers got in. It also locks out rival actors: the attackers keep the vulnerability for their own campaign while denying it to anyone else. A runtime hook is not a patch, however. It exists only in the memory of the processes it was injected into; the installed version and the on-disk binaries are still the vulnerable build, so version checks continue to report the appliance as vulnerable, and an appliance on which such a hook is found should be treated as compromised, not as patched.
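The following C program is an added illustration, not code from JPCERT/CC's report or from the malware, of why clamping the strncpy length neutralises the overflow. The 256-byte destination buffer is an assumption taken from the clamp value in the advisory, and the "hook" is modelled as a swappable function pointer rather than an in-process patch of the real strncpy symbol. The destination is followed by a canary-filled region inside one oversized array, so the program can measure how many bytes an oversized copy writes past the 256-byte buffer without itself writing out of bounds.

```c
/*
 * Added illustration (not JPCERT/CC's or the malware's code): how a runtime
 * strncpy hook that clamps the copy length neutralises a stack overflow.
 *
 * Assumptions, not facts from the advisory: the destination is modelled as a
 * 256-byte buffer, and the "hook" is a swappable function pointer rather than
 * an in-process patch of the real strncpy symbol.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DST_SIZE 256   /* copy length the hook clamps to, per the advisory */
#define SLACK    768   /* extra room so an "overflow" stays inside our region */
#define CANARY   0xA5  /* fill byte used to detect writes past DST_SIZE */

typedef char *(*strncpy_fn)(char *dst, const char *src, size_t n);

/* Unhooked path: trusts whatever length the caller passes. */
static char *plain_strncpy(char *dst, const char *src, size_t n)
{
    return strncpy(dst, src, n);
}

/* Hooked path: mirrors SPAWNCHIMERA's fix by capping n at 256 bytes. */
static char *clamped_strncpy(char *dst, const char *src, size_t n)
{
    if (n > DST_SIZE)
        n = DST_SIZE;
    return strncpy(dst, src, n);
}

/* Constructed sample input: an attacker-style run of 'A's of the given length. */
const char *make_payload(size_t len)
{
    static char payload[DST_SIZE + SLACK + 1];
    if (len > DST_SIZE + SLACK)
        len = DST_SIZE + SLACK;
    memset(payload, 'A', len);
    payload[len] = '\0';
    return payload;
}

/*
 * Models the vulnerable handler: a 256-byte destination followed by a
 * canary-filled region inside one oversized array. Copies claimed_len bytes
 * through either the plain or the clamped strncpy and returns how many bytes
 * past the 256-byte destination were clobbered. Because the array is larger
 * than any length we allow, the demonstration never writes out of bounds.
 */
size_t bytes_overflowed(size_t claimed_len, int hook_installed)
{
    unsigned char region[DST_SIZE + SLACK];
    strncpy_fn copy = hook_installed ? clamped_strncpy : plain_strncpy;
    size_t clobbered = 0;

    memset(region, CANARY, sizeof region);
    if (claimed_len > sizeof region)
        claimed_len = sizeof region;

    /* strncpy writes exactly n bytes: source bytes first, then NUL padding,
     * so even a short source with a large n clobbers n bytes. */
    copy((char *)region, make_payload(claimed_len), claimed_len);

    for (size_t i = DST_SIZE; i < sizeof region; i++)
        if (region[i] != CANARY)
            clobbered++;
    return clobbered;
}

int main(void)
{
    size_t oversized = 600;  /* a request claiming more than the buffer holds */
    printf("without hook: %zu bytes past the buffer overwritten\n",
           bytes_overflowed(oversized, 0));
    printf("with hook:    %zu bytes past the buffer overwritten\n",
           bytes_overflowed(oversized, 1));
    return 0;
}
```

With a 600-byte request, the unhooked copy overwrites the 344 bytes beyond the 256-byte destination (the saved registers and return address would sit there on a real stack), while the hooked copy overwrites none, whatever length the request claims. The clamp works because it is tied to the size of the destination rather than to anything the attacker controls, which is also why it has to be re-applied inside every process that contains the vulnerable call.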
Suggested Corrections:
Organizations should apply the patches Ivanti has released for CVE-2025-0282 and run Ivanti's Integrity Checker Tool (ICT) against their appliances. Patching alone does not remove an implant that is already present; Ivanti's guidance for appliances showing signs of compromise is a factory reset before upgrading to the fixed release. JPCERT/CC has also shared the following SHA-256 hashes, which can be used to detect SPAWNCHIMERA and SPAWNSLOTH samples:
- SPAWNCHIMERA - 94b1087af3120ae22cea734d9eea88ede4ad5abe4bdeab2cc890e893c09be955
- SPAWNSLOTH - 9bdf41a178e09f65bf1981c86324cd40cb27054bf34228efdcfee880f8014baf
https://blogs.jpcert.or.jp/en/2025/02/spawnchimera.html