SPAWNCHIMERA Malware Exploits and Patches The Ivanti VPN Vulnerability Itself

According to analysis published by JPCERT/CC, the SPAWNCHIMERA malware family has been observed exploiting a critical vulnerability in Ivanti Connect Secure VPN (CVE-2025-0282) and then patching the same flaw inside the compromised process, so that competing attackers cannot use it.

The vulnerability, disclosed by Ivanti in January 2025, is a stack-based buffer overflow caused by improper use of the strncpy function; it allows an unauthenticated remote attacker to execute code on the appliance.

Exploitation of this flaw has been reported in Japan since December 2024, prior to its public disclosure.

SPAWNCHIMERA represents an evolution of the SPAWN malware family, integrating features from its predecessors (SPAWNANT, SPAWNMOLE, and SPAWNSNAIL) with significant updates.

[Figure: Flow of SPAWNCHIMERA's behavior.]

Notably, it introduces a mechanism to fix, at runtime, the very vulnerability it exploits.

SPAWNCHIMERA hooks the strncpy function and caps the copy length at 256 bytes. Because CVE-2025-0282 is triggered by an oversized strncpy into a fixed buffer, the cap stops the overflow, and with it any further exploitation attempts by other attackers.

The self-patching is applied only under specific conditions, such as when the name of the process is "web" (the process that handles VPN requests). Two caveats follow for defenders: the hole is closed only while the hook is active and is not removed from the binary, and an appliance that was exposed during the exploitation window may therefore look "unexploitable" precisely because it is already compromised. The hook itself is a detection opportunity, since strncpy in the web process resolving to an address outside libc is not expected behavior.
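The following C program is an added example written for this page, not SPAWNCHIMERA's code and not taken from the JPCERT/CC report. It models the self-patch in the form of a strncpy interposer: the 256-byte cap and the "web" process-name trigger come from the report, while HOOK_CAP, TRIGGER_PROC, g_process_name, hooked_strncpy and handle_request are names invented here, and the loading mechanism (LD_PRELOAD or an inline patch of the PLT slot) is left out so the logic runs stand-alone. The oversized request it copies is a constructed sample.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not SPAWNCHIMERA's code: a strncpy interposer modelling the
 * self-patch described above. The 256-byte cap and the "web" trigger are from
 * the report; HOOK_CAP, TRIGGER_PROC, g_process_name, hooked_strncpy and
 * handle_request are names invented here. A real interposer would be loaded
 * with LD_PRELOAD or written over strncpy's PLT slot; that plumbing is omitted
 * so the logic can run stand-alone. */

#define HOOK_CAP     256    /* maximum length the hook lets through */
#define TRIGGER_PROC "web"  /* hook is active only in this process  */

/* Current process name. A real hook would read /proc/self/comm; a global
 * keeps the example testable. */
static const char *g_process_name = TRIGGER_PROC;

void set_process_name(const char *name) { g_process_name = name; }

/* Length the hook actually passes on to the real strncpy. */
size_t effective_copy_len(const char *procname, size_t n)
{
    if (procname != NULL && strcmp(procname, TRIGGER_PROC) == 0 && n > HOOK_CAP)
        return HOOK_CAP;
    return n;
}

/* Drop-in replacement for strncpy with the cap applied. */
char *hooked_strncpy(char *dst, const char *src, size_t n)
{
    return strncpy(dst, src, effective_copy_len(g_process_name, n));
}

/* Length of buf up to the first NUL, or cap if there is none. */
static size_t bounded_len(const char *buf, size_t cap)
{
    size_t i = 0;
    while (i < cap && buf[i] != '\0')
        i++;
    return i;
}

#define BUF_LEN 256

/* Stand-in for the vulnerable handler: a fixed 256-byte destination and a
 * caller-controlled length. Returns how many bytes landed in buf, or
 * (size_t)-1 if the canary placed after buf was overwritten. Only call this
 * with claimed_len > BUF_LEN while the hook is active: with the hook disabled
 * it really overflows, which is exactly the bug the hook papers over. */
size_t handle_request(const char *data, size_t claimed_len)
{
    struct {
        char         buf[BUF_LEN];
        unsigned int canary;        /* directly after buf in memory */
    } frame;

    frame.canary = 0xDEADBEEFu;
    memset(frame.buf, 0, sizeof frame.buf);

    hooked_strncpy(frame.buf, data, claimed_len);

    if (frame.canary != 0xDEADBEEFu)
        return (size_t)-1;
    /* With exactly 256 bytes copied there is no terminator: the hook stops
     * the overflow, it does not make the handler correct. */
    return bounded_len(frame.buf, BUF_LEN);
}

/* Constructed sample request: 999 'A' bytes, standing in for an oversized
 * field in a malicious request. */
static char g_sample[1000];

const char *sample_request(void)
{
    memset(g_sample, 'A', sizeof g_sample - 1);
    g_sample[sizeof g_sample - 1] = '\0';
    return g_sample;
}
```

With the hook active, a 999-byte request lands as 256 bytes in the buffer and the canary survives; with the process name set to anything other than "web", effective_copy_len passes the attacker's length straight through. Note the unterminated 256-byte result: the cap equals the buffer size, so the patched handler is still not correct code, only no longer an overflow.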

Enhanced Stealth Tactics

According to JPCERT/CC, SPAWNCHIMERA also changes how it hides.

Earlier versions of the SPAWN family used a TCP port for inter-process communication; this variant uses UNIX domain sockets instead.

The change removes the listener from the TCP view that network monitoring and tools such as netstat normally show. It does not make the channel invisible: "ss -xlp" or "netstat -xl" lists UNIX domain sockets with their owning processes, and a filesystem-backed socket leaves a socket file that can be inventoried, so the gap is in what is usually looked at, not in what can be seen.

Additionally, the malware stores its SSH private key inside its own code in XOR-encoded form and decodes it in memory, so the key never exists as a cleartext file and no "BEGIN ... PRIVATE KEY" string is present for a filesystem search or a plain-string scan of the binary to find.
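The following C program is an added example for this page; it is not code from the report or from the malware. It shows the defender's side of the XOR trick: a private key XORed with a single byte contains no "-----BEGIN" marker, so grep and file carving miss it, but a 256-way brute force over any byte range recovers both the key byte and the text. Single-byte XOR is an assumption made for illustration (the page does not describe SPAWNCHIMERA's exact decoding algorithm), the data section it scans is a constructed sample with a fake key, and all function and macro names are the example's own.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from the report or from the malware. Defender's
 * view of the XOR trick: a key XORed with a single byte has no "-----BEGIN"
 * in it, so grep and file carving miss it, but a 256-way brute force over a
 * byte range recovers the key byte and the text. Single-byte XOR is an
 * assumption for illustration; the page does not give the exact algorithm.
 * All names below are this example's own. */

#define MARKER "-----BEGIN OPENSSH PRIVATE KEY-----"
#define MARKER_LEN (sizeof MARKER - 1)

/* XOR a buffer in place with one byte; applying it twice restores the input. */
void xor_inplace(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Try every single-byte key at every offset; on the first hit store the key
 * and offset and return 1, otherwise 0. Key 0 covers the unencoded case. */
int scan_xor_marker(const unsigned char *blob, size_t len,
                    unsigned char *key_out, size_t *off_out)
{
    if (len < MARKER_LEN)
        return 0;
    for (unsigned key = 0; key < 256; key++) {
        for (size_t off = 0; off + MARKER_LEN <= len; off++) {
            size_t i = 0;
            while (i < MARKER_LEN &&
                   (unsigned char)(blob[off + i] ^ key) == (unsigned char)MARKER[i])
                i++;
            if (i == MARKER_LEN) {
                *key_out = (unsigned char)key;
                *off_out = off;
                return 1;
            }
        }
    }
    return 0;
}

/* Constructed sample standing in for an implant's data section: filler
 * bytes, then a fake key (marker, body, footer) XORed with SAMPLE_KEY. */
#define SAMPLE_KEY 0x5A
#define FILLER_LEN 16
static unsigned char g_sample[256];

const unsigned char *build_sample(size_t *len_out)
{
    static const char key_text[] =
        MARKER "\nQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB (constructed, not a real key)\n"
        "-----END OPENSSH PRIVATE KEY-----\n";
    size_t text_len = sizeof key_text - 1;

    memset(g_sample, 0x90, FILLER_LEN);
    memcpy(g_sample + FILLER_LEN, key_text, text_len);
    xor_inplace(g_sample + FILLER_LEN, text_len, SAMPLE_KEY);
    *len_out = FILLER_LEN + text_len;
    return g_sample;
}

/* End to end: scan the sample, decode from the hit into a stack buffer (the
 * plaintext never touches disk, which is also how the implant uses it), and
 * return the recovered key byte, or -1 on failure. */
int recover_sample_key(void)
{
    size_t len, off;
    unsigned char key, plain[256];
    const unsigned char *blob = build_sample(&len);

    if (!scan_xor_marker(blob, len, &key, &off))
        return -1;
    memcpy(plain, blob + off, len - off);
    xor_inplace(plain, len - off, key);
    if (memcmp(plain, MARKER, MARKER_LEN) != 0)
        return -1;
    return key;
}

/* Offset of the hit in the sample, to confirm the scan lands after the
 * filler. Returns (size_t)-1 if nothing was found. */
size_t sample_marker_offset(void)
{
    size_t len, off;
    unsigned char key;
    const unsigned char *blob = build_sample(&len);
    return scan_xor_marker(blob, len, &key, &off) ? off : (size_t)-1;
}
```

The same search is what YARA's "xor" string modifier does for a rule, and a multi-byte or rolling key needs a longer known plaintext than the 35-byte marker; the point is that the obfuscation moves the key out of reach of file-based checks, not out of reach of memory or binary analysis.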

The malware also features updated traffic identification mechanisms.

Instead of relying on hardcoded values for detecting malicious traffic, SPAWNCHIMERA uses a new decoding algorithm to determine whether incoming data is malicious.

These updates demonstrate a clear intent to enhance operational security and reduce forensic footprints.

Removal of Debug Messages

Another notable modification in SPAWNCHIMERA is the removal of debug messages present in earlier versions of the malware family.

This adjustment appears aimed at hindering malware analysis and reducing opportunities for cybersecurity professionals to identify behavioral patterns.

SPAWNCHIMERA's combination of exploiting and then patching CVE-2025-0282 complicates defense in a specific way.

Closing the hole after exploitation both secures the implant's foothold and denies the same entry point to other threat actors; the vulnerable code remains in the binary, however, and is only shielded while the hook is in place.

It also means that a failed exploitation attempt, or a scanner reporting the appliance as not vulnerable, is not evidence that the appliance is clean.

This behavior fits a pattern in which malware developers adopt self-preservation tactics to keep exclusive control of compromised environments.

As SPAWNCHIMERA continues to evolve, organizations must remain vigilant.

Upgrade affected Ivanti appliances to the fixed release, run Ivanti's Integrity Checker Tool, and treat any appliance that was internet-exposed and unpatched during the exploitation window as potentially compromised regardless of what it reports now, since the implant itself closes the hole. Hunt for the indicators this variant leaves: an unexpected UNIX domain socket owned by the web process, a strncpy hook in that process, and SSH key material that exists only in memory.
