CISA Alert: Malware Targeting Ivanti EPMM Identified


Rising Cyber Threat: Insights from CISA’s Malware Analysis Report

The Cybersecurity and Infrastructure Security Agency (CISA) recently published a detailed Malware Analysis Report (MAR) that reveals a concerning trend in cyberattacks aimed at Ivanti Endpoint Manager Mobile (EPMM) systems. The report outlines two distinct malware sets used by attackers to exploit critical vulnerabilities, specifically CVE-2025-4427 and CVE-2025-4428.

Understanding the Vulnerabilities: CVE-2025-4427 and CVE-2025-4428

Both vulnerabilities, CVE-2025-4427 and CVE-2025-4428, were identified and patched by Ivanti on May 13, 2025. Alarmingly, exploitation attempts were detected shortly after the patches were released. This rapid exploitation prompted CISA to include these vulnerabilities in its Catalog of Known Exploited Vulnerabilities.

Attackers have taken advantage of these flaws to infiltrate EPMM servers, notably targeting the /mifs/rs/api/v2/ endpoint with specially crafted HTTP GET requests. Once they gained access, the attackers executed remote commands to gather a range of sensitive information, including configuration files, LDAP credentials, and detailed network listings. They also introduced malware that provides long-term persistence and remote access to the system.

The Malware Breakdown

CISA’s report categorizes the identified malware into two primary sets, each designed with specific roles including a loader and a malicious listener. These components are typically installed in the /tmp directory of the compromised machine, enabling threat actors to inject and run arbitrary code remotely.

Targeted Software Versions

The vulnerabilities primarily affect the following versions of Ivanti EPMM:

  • Ivanti EPMM 11.12.0.4 and earlier
  • 12.3.0.1 and earlier
  • 12.4.0.1 and earlier
  • 12.5.0.0 and earlier

Organizations using any of these versions are strongly advised to apply the latest security updates without delay.
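The affected-version list above is branch-based (each entry is a ceiling within its own major.minor release line), so a plain "less than or equal" comparison against a single number is not enough. The following version check is an added example written for this article; it is not tooling from CISA or Ivanti. The branch ceilings are taken directly from the list above; the handling of release branches that the list does not name (for example 12.2) is an assumption: such versions are treated as affected when they are older than the newest listed ceiling, which is the conservative reading of "and earlier".

```python
from typing import Tuple

Version = Tuple[int, int, int, int]

# Ceilings from the article, keyed by release branch (major, minor).
AFFECTED_CEILINGS = {
    (11, 12): (11, 12, 0, 4),
    (12, 3): (12, 3, 0, 1),
    (12, 4): (12, 4, 0, 1),
    (12, 5): (12, 5, 0, 0),
}


def parse_version(text: str) -> Version:
    """Parse a dotted EPMM version string into a 4-tuple, zero-padding short forms."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_affected(text: str) -> bool:
    """Return True if the given EPMM version falls inside an affected range."""
    version = parse_version(text)
    branch = version[:2]
    if branch in AFFECTED_CEILINGS:
        # Listed branch: affected up to and including its ceiling.
        return version <= AFFECTED_CEILINGS[branch]
    # Unlisted branch (assumption): anything older than the newest listed
    # ceiling is treated as affected; newer branches are not.
    return version < max(AFFECTED_CEILINGS.values())


if __name__ == "__main__":
    for candidate in ("11.12.0.4", "11.12.0.5", "12.3.0.2", "12.2.0.0", "12.6.0.0"):
        print(f"{candidate:>10}: {'AFFECTED' if is_affected(candidate) else 'not affected'}")
```

Run it against the version string shown in the EPMM admin console; the output is a reason to schedule the upgrade, not a substitute for reading Ivanti's advisory, which remains the authoritative source for fixed builds.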

Technical Insights: Set 1

Set 1 of the malware features three key components:

  • Loader 1 (web-install.jar)
  • ReflectUtil.class
  • SecurityHandlerWanListener.class

The loader is a Java Archive (JAR) that loads ReflectUtil.class, which uses Java reflection to register the SecurityHandlerWanListener dynamically in Apache Tomcat, the application server used by Ivanti EPMM. If the malicious listener is not already present on first execution, the loader decodes a Base64 string containing bytecode, decompresses it, and loads the result into memory. The SecurityHandlerWanListener then monitors incoming HTTP requests and executes arbitrary Java classes when it detects specific encrypted payloads.

Technical Insights: Set 2

Set 2 consists of two files:

  • Loader 2 (web-install.jar)
  • WebAndroidAppInstaller.class

This variant functions as a malicious servlet, masquerading as part of the com.mobileiron.service package. It is activated through HTTP requests that specify Content-Type: application/x-www-form-urlencoded. Upon activation, it retrieves a password parameter from the request, decodes and decrypts it, and executes the embedded malicious Java class. The entire process affords attackers full control over the compromised system.

Malware Delivery Techniques

One noteworthy aspect of this campaign is the delivery method. Attackers transmit Base64-encoded fragments in HTTP GET requests and reassemble the payload directly on the server. Splitting the payload into small fragments lets it slip past endpoint defenses that flag larger or otherwise suspicious file transfers. The reconstructed malware is then stored as .jar files in the /tmp directory, where it is less likely to be noticed by security tooling.
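The delivery pattern described above (many small GET requests to the /mifs/rs/api/v2/ path, each carrying a Base64-looking query value) is something a defender can hunt for in Tomcat or Apache access logs. The script below is an added example written for this article, not detection content from CISA's report; use CISA's published YARA and SIGMA rules as the primary source. The log lines are constructed for the example and the query parameter name `q` is hypothetical; real exploitation traffic will differ, so treat the output as a lead for investigation, not a verdict.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Path prefix named in the article as the targeted endpoint.
API_PREFIX = "/mifs/rs/api/v2/"

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')

# Base64 (standard or URL-safe alphabet) of at least 16 characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

# Constructed sample lines (not from the report); 10.0.0.5 sends four fragments,
# the other clients make ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example?q=Q29uc3RydWN0ZWQgY2h1bmsgMSBvZiA0 HTTP/1.1" 200 512
10.0.0.5 - - [14/May/2025:10:01:03 +0000] "GET /mifs/rs/api/v2/example?q=Q29uc3RydWN0ZWQgY2h1bmsgMiBvZiA0 HTTP/1.1" 200 512
10.0.0.9 - - [14/May/2025:10:01:04 +0000] "GET /mifs/rs/api/v2/ping?verbose=true HTTP/1.1" 200 128
10.0.0.5 - - [14/May/2025:10:01:05 +0000] "GET /mifs/rs/api/v2/example?q=Q29uc3RydWN0ZWQgY2h1bmsgMyBvZiA0 HTTP/1.1" 200 512
192.168.1.20 - - [14/May/2025:10:05:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048
10.0.0.5 - - [14/May/2025:10:01:06 +0000] "GET /mifs/rs/api/v2/example?q=Q29uc3RydWN0ZWQgY2h1bmsgNCBvZiA0 HTTP/1.1" 200 512
"""


def looks_base64(value: str) -> bool:
    """True if the value is Base64 (standard or URL-safe) that actually decodes."""
    if not B64_RE.match(value):
        return False
    normalised = value.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)  # restore stripped padding
    try:
        base64.b64decode(normalised, validate=True)
    except (ValueError, binascii.Error):
        return False
    return True


def find_chunked_delivery(log_text: str, min_chunks: int = 3) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group Base64-bearing GETs to the API prefix by client and return the noisy clients.

    Each finding is (timestamp, parameter name, encoded length).
    """
    per_client: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real hunt would count these too
        client, stamp, method, target, _status, _size = match.groups()
        if method != "GET":
            continue
        url = urlsplit(target)
        if not url.path.startswith(API_PREFIX):
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                if looks_base64(value):
                    per_client[client].append((stamp, name, len(value)))
    return {c: hits for c, hits in per_client.items() if len(hits) >= min_chunks}


if __name__ == "__main__":
    for client, hits in find_chunked_delivery(SAMPLE_LOG).items():
        print(f"{client}: {len(hits)} Base64-bearing requests to {API_PREFIX}")
        for stamp, name, length in hits:
            print(f"  {stamp}  param={name}  encoded_len={length}")
```

The `min_chunks` threshold and the 16-character minimum are tuning knobs: legitimate API tokens can look like Base64, so pair this with the request rate, the response codes, and a check of /tmp for newly written .jar files before escalating.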

Tools for Detection and Response

To assist cybersecurity teams, CISA has provided a set of resources for detection:

  • Indicators of Compromise (IOCs): Useful for forensic investigation and log review.
  • YARA Rules: Five rules designed to identify components such as ReflectUtil.class, Loader 1, and WebAndroidAppInstaller.class.
  • SIGMA Rule: Customized to identify exploitation signs for CVE-2025-4427 and CVE-2025-4428, including modifications to files, execution of commands, and unauthorized access attempts to JSP files.

Aligning with MITRE ATT&CK Framework

CISA’s report also aligns the activities with specific tactics and techniques from the MITRE ATT&CK framework:

  • T1027.004: Obfuscation utilizing Base64 chunking
  • T1036: Class masquerading
  • T1140: Bytecode decompression and decryption
  • T1071.001: HTTP usage for command-and-control
  • T1573.001: Symmetric encryption of command payloads

These mappings aid security professionals in correlating detected behaviors with known adversary methodologies.

Recommendations for Incident Response

In the event of a potential compromise, CISA recommends the following actions:

  1. Isolate Affected Systems: Remove compromised devices from the network immediately.
  2. Collect Artifacts: Assemble logs, memory dumps, and activity data for analysis.
  3. Capture Disk Images: Preserve the disk contents for in-depth review.
  4. Reset Credentials: Especially important if lateral movement is suspected.
  5. Reimage Systems: Fully restore compromised devices to eliminate persistent malware.
  6. Apply Mitigations: Upgrade EPMM systems, enforce network segmentation, and implement strict access controls.

Essential Mitigation Strategies

CISA has identified several key steps for organizations to minimize their risk:

  • Update Ivanti EPMM systems to the latest secured versions.
  • Treat mobile device management platforms as high-value assets, ensuring they are isolated from untrusted segments of the network.
  • Implement the suggested YARA and SIGMA rules for automatic threat detection.
  • Enforce multi-factor authentication (MFA) and follow the best practices outlined in the Cross-Sector Cybersecurity Performance Goals (CPGs).

By staying informed and proactive, organizations can better safeguard their systems and respond effectively to emerging cyber threats.
