Deep Dive into DslogdRAT: Analyzing the Ivanti Connect Secure Backdoor

The DslogdRAT malware has emerged as a critical threat linked to CVE-2025-0282, targeting Ivanti Connect Secure devices. This backdoor employs sophisticated techniques, including process forking, encrypted configuration blobs, and time-based C2 communication.

Key Findings:

  • Disguises itself via process forking to evade detection.
  • Uses a single static byte XOR key to decrypt its configuration.
  • Contains hardcoded C2 server details, proxy settings, and operational time windows.
  • Collects system data (hostname, kernel version, passwd struct) and sends it to C2.
  • Executes payloads based on opcode-driven routines.

🔗 Source: Hexastrike Analysis

You Should Know: Reverse Engineering & Detection Techniques

1. Static Analysis with IDA & radare2

To analyze the malware:

Open the binary in radare2 and run auto-analysis
r2 -A ./dslogdrat_sample

Search the disassembly for XOR instructions, then inspect their immediate operands for the static key
/ad xor

Extract strings
iz

2. Extracting the Encrypted Configuration

The config is decrypted using a static XOR key (e.g., 0x55):

# Replace the placeholder hex with the configuration blob carved from the sample;
# "A1B2C3..." is not real data.
encrypted_data = bytes.fromhex("A1B2C3...")
# One key byte is applied to every byte; a wrong key yields mostly non-printable output.
decrypted = bytes([b ^ 0x55 for b in encrypted_data])
print(decrypted.decode('utf-8', errors='ignore'))
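A fuller version of the same idea, added here as an example and not code from the Hexastrike analysis: when the key has not yet been read out of the disassembly, all 256 single-byte keys are tried and ranked by how much of the output looks like configuration text, or the key is pinned down from a known plaintext prefix. The blob, the key, and the `key=value;` layout are constructed for the demonstration and are not DslogdRAT's real format.

```python
import string

# Constructed sample for this example: a fake config encrypted with 0x55.
# Neither the layout nor the values come from a real DslogdRAT sample.
SAMPLE_PLAINTEXT = b"c2=203.0.113.10:443;proxy=10.0.0.5:8080;window=08:00-17:00\x00"
SAMPLE_KEY = 0x55
SAMPLE_ENCRYPTED = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)

# Bytes expected in a decrypted config: alphanumerics, a few separators, NUL terminator.
CONFIG_ALPHABET = set(
    string.ascii_letters.encode() + string.digits.encode() + b" .:;=-_/\x00"
)


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Apply one static key byte to every byte (the same operation as the snippet above)."""
    return bytes(b ^ key for b in data)


def config_score(data: bytes) -> float:
    """Fraction of bytes inside the expected config alphabet (1.0 means all of them)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in CONFIG_ALPHABET) / len(data)


def recover_xor_key(data: bytes, known_prefix: bytes = b"") -> int:
    """Recover the single-byte key.

    With a known plaintext prefix (e.g. a field name spotted in strings output) the key
    is forced by the first byte and then verified; otherwise all 256 keys are ranked.
    """
    if known_prefix:
        key = data[0] ^ known_prefix[0]
        if xor_decrypt(data[: len(known_prefix)], key) != known_prefix:
            raise ValueError("known prefix does not fit any single-byte XOR key")
        return key
    return max(range(256), key=lambda k: config_score(xor_decrypt(data, k)))


def parse_config(decrypted: bytes) -> dict:
    """Split the constructed 'key=value;key=value' layout into a dict."""
    text = decrypted.rstrip(b"\x00").decode("ascii", errors="ignore")
    return dict(item.split("=", 1) for item in text.split(";") if "=" in item)


if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_ENCRYPTED)
    print(f"recovered key: {key:#04x}")
    print(parse_config(xor_decrypt(SAMPLE_ENCRYPTED, key)))
```

The scoring alphabet is deliberately narrow so that only the true key scores 1.0 on the sample; widen it if the real blob carries binary fields.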

3. Detecting C2 Communication

Check network connections (replace the placeholder process name with the one identified on the host):

Linux:
netstat -tulnp | grep "malware_process"

Windows:
netstat -ano | findstr "ESTABLISHED"

4. Hunting for DslogdRAT in Memory

Use Volatility (Linux/Windows). The commands below use Volatility 2 syntax (--profile and linux_* plugin names); Volatility 3 drops profiles and names its plugins differently:

vol.py -f memory.dump --profile=Win10x64_19041 malfind
vol.py -f memory.dump linux_pslist | grep -i "dslogd"

5. YARA Rule for Detection

rule DslogdRAT {
    meta:
        description = "Detects DslogdRAT backdoor"
    strings:
        $xor_decrypt = { 80 ?? 55 }   // XOR r/m8, 0x55: the single-byte key
        $c2_string = "malware.c2.server" nocase   // placeholder, replace with the C2 host from the report
    condition:
        any of them
}

A three-byte opcode pattern such as 80 ?? 55 occurs in many benign binaries, so on its own it will produce false positives; tighten the condition (for example require $c2_string as well, or extend the hex pattern to cover the surrounding decryption loop) before deploying the rule at scale.

What Undercode Say

The DslogdRAT attack demonstrates how threat actors exploit unpatched vulnerabilities (CVE-2025-0282) in enterprise VPNs. Key takeaways:
– Monitor process forking (ps -ef --forest on Linux).
– Analyze XOR-based payloads in memory dumps.
– Block hardcoded C2 IPs in firewall rules.
– Use threat intelligence (JPCERT/CC reports) for IOCs.

Relevant Commands for DFIR Teams:

Check cron jobs (Linux):
crontab -l
ls -la /etc/cron.

Windows persistence checks:
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

🔗 Further Reading: JPCERT/CC Report

References:

Reported By: Mauricefielenbach Ivanti – Hackers Feeds