Indicator (IOC)
Essential information
- Value / Name: M_APT_Installer_SPAWNSNAIL_1
- Confidence: 100/100
- Revoked: Yes
- Valid from: 09/01/2025 10:03
- Valid until: 26/10/2025 21:12
- Pattern type: yara
- Published: 21/12/2025 08:44
- Modified: 21/12/2025 08:44
- Author / Source: AlienVault
Description
M_APT_Installer_SPAWNSNAIL_1
Detects SPAWNSNAIL. SPAWNSNAIL is an SSH backdoor targeting Ivanti devices. It can inject a specified binary into another process: when injected into the dsmdm process it runs a local SSH backdoor, and it can also inject additional malware into dslogserver.
Pattern
rule M_APT_Installer_SPAWNSNAIL_1 {
    meta:
        author = "Mandiant"
        description = "Detects SPAWNSNAIL. SPAWNSNAIL is an SSH backdoor targeting Ivanti devices. It has an ability to inject a specified binary to other process, running local SSH backdoor when injected to dsmdm process, as well as injecting additional malware to dslogserver"
        md5 = "e7d24813535f74187db31d4114f607a1"
    strings:
        // Embedded private-key material and the key filenames the backdoor looks up
        $priv = "PRIVATE KEY-----" ascii fullword
        $key1 = "%d/id_ed25519" ascii fullword
        $key2 = "%d/id_ecdsa" ascii fullword
        $key3 = "%d/id_rsa" ascii fullword
        // Strings tied to the Ivanti appliance environment
        $sl1 = "[selinux] enforce" ascii fullword
        $sl2 = "DSVersion::getReleaseStr()" ascii fullword
        // libssh server-side API names used by the embedded SSH backdoor
        $ssh1 = "ssh_set_server_callbacks" ascii fullword
        $ssh2 = "ssh_handle_key_exchange" ascii fullword
        $ssh3 = "ssh_add_set_channel_callbacks" ascii fullword
        $ssh4 = "ssh_channel_close" ascii fullword
    condition:
        // 0x464c457f is the ELF magic ("\x7fELF") read as a little-endian uint32 at offset 0
        uint32(0) == 0x464c457f and $priv and any of ($key*) and any of ($sl*) and any of ($ssh*)
}
Labels / Tags
Marking (TLP): TLP:CLEAR