After unearthing a malware campaign targeting ESXi hypervisors two years ago, researchers have now revealed extensive details into their investigation of UNC3886, a suspected China-nexus cyberespionage group targeting strategic global organizations. In January 2023, Google-owned cybersecurity firm Mandiant identified that UNC3886 had exploited a now-patched FortiOS vulnerability. In March 2023, further analysis revealed a custom malware ecosystem affecting Fortinet devices with compromised VMware technologies facilitating access to guest virtual machines.

Persistent and Evasive Techniques of UNC3886 Group

UNC3886 demonstrated sophisticated and cautious approaches by employing multiple layers of persistence across network devices, hypervisors and virtual machines to maintain long-term access, Mandiant said in its detailed analysis. The threat group's strategies include:

• Using publicly available rootkits like REPTILE and MEDUSA for long-term persistence.
• Deploying malware that leverages trusted third-party services for command and control (C2) communications.
• Installing Secure Shell (SSH) backdoors to subvert access and collect credentials.
• Extracting credentials from TACACS+ authentication using custom malware.

[caption id="attachment_77918" align="aligncenter" width="1024"] UNC3886 Attack Lifecycle (Source: Mandiant)[/caption]

Initial Access through Zero-Days

Mandiant's earlier findings detailed UNC3886's exploitation of CVE-2023-34048, an out-of-bounds write vulnerability in the implementation of the DCERPC protocol in VMware's vCenter Server. This critical-rated flaw allowed unauthenticated malicious actor remote command execution on vCenter servers. Additional zero-day vulnerabilities exploited included:

• CVE-2022-41328 in FortiOS for executing backdoors on FortiGate devices. CVE-2022-22948 in VMware vCenter to access encrypted credentials in vCenter's postgres DB. CVE-2023-20867 in VMware Tools for unauthenticated guest operations from ESXi host to virtual machines.

Rootkits and Malware

The deeper investigation into UNC3886's operations also revealed their expansive malware arsenal that includes customized open-source variants.

REPTILE Rootkit

REPTILE, an open-source Linux rootkit, was heavily utilized by UNC3886 for its backdoor and stealth functionalities, enabling the threat actor to maintain undetected access to compromised systems. Key components include:

• REPTILE.CMD: A user-mode component for hiding files, processes, and network connections. REPTILE.SHELL: A reverse shell backdoor activated by specific network packets. Kernel-Level Component: A loadable kernel module (LKM) for achieving rootkit functionality. LKM Launcher: A custom launcher for loading the kernel module into memory.

UNC3886 modified REPTILE for persistence and stealth using unique keywords and customized scripts to evade detection.

MEDUSA Rootkit

MEDUSA employs dynamic linker hijacking to log user credentials and command executions, which complements UNC3886’s strategy of using valid credentials for lateral movement. Deployment on MEDUSA involved a customized installer  called "SEAELF" and modified configuration files.

Malware Leveraging Trusted Third-Party Services

MOPSLED is a modular backdoor that communicates over HTTP or a custom binary protocol, retrieving plugins from its C2 server. It was shared among Chinese cyberespionage groups and used by UNC3886 primarily on vCenter servers. RIFLESPINE is a backdoor that uses Google Drive for command and control communication and executes commands from encrypted files. It relied on "systemd" for persistence but was less favored due to its detectable nature.

Network Reconnaissance and Lateral Movement

UNC3886 has employed internal reconnaissance and lateral movement techniques using custom tools like LOOKOVER to capture TACACS+ credentials. Backdoored TACACS+ binaries further facilitated unauthorized access and credential logging.

VMCI Backdoors

UNC3886 also used VMCI backdoors for communication between guest and host systems, enhancing their control over compromised environments. Notable VMCI backdoors included:

• VIRTUALSHINE: Provided access to a bash shell via VMCI sockets. VIRTUALPIE: A Python-based backdoor supporting file transfer, command execution and reverse shell capabilities.

Mandiant observed UNC3886 using valid credentials for lateral movement between guest VMs on compromised VMware ESXi. The threat actor deployed backdoored SSH clients and daemons to intercept and collect credentials stored in XOR-encrypted files.

Backdoored SSH Executables

The threat group modified SSH client (/usr/bin/ssh) and daemon (/usr/sbin/sshd) to harvest and store credentials. The SSH client stored credentials in "/var/log/ldapd<unique_keyword>.2.gz," while the SSH daemon stores them in "/var/log/ldapd<unique_keyword>.1.gz." To persist the malicious SSH components, the threat actor used yum-versionlock to prevent OpenSSH package upgrades.

Custom SSH Server

UNC3886 also used the MEDUSA rootkit to deploy a custom SSH server. They employed executables (/usr/sbin/libvird and /usr/bin/NetworkManage) to hijack SSH connections and redirect them to a Unix socket for credential collection. SELinux contexts ensured socket accessibility. Additional tools (sentry and sshdng-venter-7.0) were used on another endpoint for similar injection and redirection operations.

Indicators of Compromise (IOCs)

Mandiant has published IOCs to aid in detecting UNC3886 activities. These IOCs, along with detection and hardening guidelines, help organizations protect against sophisticated threats posed by UNC3886.