SPAWNCHIMERA Malware Exploits Ivanti Buffer Overflow Vulnerability and Then Applies Its Own Fix


In a recent development, the SPAWNCHIMERA malware family has been identified exploiting the buffer overflow vulnerability CVE-2025-0282 in Ivanti Connect Secure, as confirmed by JPCERT/CC.

This vulnerability, disclosed in January 2025, had already been actively exploited since late December 2024, prior to its public announcement.

The malware, an evolved variant of the SPAWN family, integrates multiple advanced features to enhance its functionality and evade detection.

Exploitation and Dynamic Vulnerability Fixing

SPAWNCHIMERA introduces a unique capability to dynamically patch the CVE-2025-0282 vulnerability.

Figure: Flow of SPAWNCHIMERA’s behavior.

This buffer overflow issue stems from improper use of the strncpy function.

The malware mitigates this flaw by hooking the function and restricting the copy size to 256 bytes.

This fix is triggered only when specific conditions are met, such as when the process name is “web.”

Notably, this mechanism not only prevents exploitation by other attackers but also blocks penetration attempts using proof-of-concept (PoC) tools designed to scan for this vulnerability.

Enhanced Stealth Through Inter-Process Communication Changes

The malware has shifted its inter-process communication method from using local port 8300 to UNIX domain sockets.

Malicious traffic is now routed between processes via a hidden path (/home/runtime/tmp/.logsrv), making it significantly harder to detect using standard network monitoring tools like netstat.

According to the JPCERT/CC report, this modification reflects SPAWNCHIMERA’s focus on evading detection while maintaining robust functionality.
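As an added defender's example (not code from the article or from JPCERT/CC), the check below parses /proc/net/unix, where UNIX domain sockets are listed even though TCP-oriented netstat views miss them, and flags the hidden socket path described above. The /proc/net/unix content is constructed for the example, and the Linux __SO_ACCEPTCON flag bit is used to tell listening sockets apart.

```python
from dataclasses import dataclass
from typing import List

# Hidden UNIX domain socket path that the article attributes to SPAWNCHIMERA.
SPAWNCHIMERA_SOCKET = "/home/runtime/tmp/.logsrv"
# Any dot-prefixed (hidden) socket name under this directory is treated as suspicious.
SUSPICIOUS_DIR = "/home/runtime/tmp/"
SO_ACCEPTCON = 1 << 16  # Linux __SO_ACCEPTCON flag bit: the socket is listening

# Constructed sample of /proc/net/unix; only the .logsrv entry comes from the article.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18927 /run/systemd/journal/stdout
0000000000000000: 00000003 00000000 00000000 0001 03 20411
0000000000000000: 00000002 00000000 00010000 0001 01 31337 /home/runtime/tmp/.logsrv
0000000000000000: 00000002 00000000 00000000 0002 01 31560 /home/runtime/tmp/sockets/ui
"""


@dataclass
class UnixSocket:
    inode: int
    path: str
    listening: bool


def parse_proc_net_unix(text: str) -> List[UnixSocket]:
    """Parse /proc/net/unix text: a header line, then one socket per line.
    Anonymous sockets have no Path column and are skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 8:
            continue
        flags = int(parts[3], 16)
        sockets.append(UnixSocket(inode=int(parts[6]), path=parts[7],
                                  listening=bool(flags & SO_ACCEPTCON)))
    return sockets


def find_suspicious(sockets: List[UnixSocket]) -> List[UnixSocket]:
    """Flag the known SPAWNCHIMERA path and any hidden socket under SUSPICIOUS_DIR."""
    hits = []
    for s in sockets:
        name = s.path.rsplit("/", 1)[-1]
        if s.path == SPAWNCHIMERA_SOCKET or (s.path.startswith(SUSPICIOUS_DIR) and name.startswith(".")):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_proc_net_unix(SAMPLE_PROC_NET_UNIX)):
        print(f"suspicious socket inode={hit.inode} listening={hit.listening} path={hit.path}")
```

On a live host, pass the contents of /proc/net/unix to parse_proc_net_unix instead of the constructed sample.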

SPAWNCHIMERA further obfuscates its activities by encoding its SSH private key within the malware sample itself.

The key is decoded dynamically using an XOR-based function during runtime, leaving minimal forensic traces.

Additionally, the malware has replaced hardcoded traffic identifiers with a calculation-based decode function to determine malicious traffic.

Debugging messages present in earlier versions have also been removed, complicating analysis efforts and reducing opportunities for detection during reverse engineering.

The integration of these advanced features demonstrates SPAWNCHIMERA’s evolution into a more sophisticated threat.

By combining exploitation capabilities with mitigation mechanisms like vulnerability fixing, the malware not only ensures its persistence but also disrupts competing threat actors’ efforts.

These changes highlight a growing trend where malware authors incorporate defensive techniques to secure their foothold within compromised systems.

Organizations using Ivanti Connect Secure are urged to apply vendor-provided patches immediately and monitor for signs of compromise.

Enhanced detection methods focusing on behavioral analysis rather than static signatures may be necessary to identify threats like SPAWNCHIMERA effectively.
