Researchers Deep Dive into UNC3886 Actors' Cyberespionage Realm
19 June 2024 at 14:34
Persistent and Evasive Techniques of UNC3886 Group
UNC3886 demonstrated sophisticated and cautious approaches by employing multiple layers of persistence across network devices, hypervisors and virtual machines to maintain long-term access, Mandiant said in its detailed analysis. The threat group's strategies include:
- Using publicly available rootkits like REPTILE and MEDUSA for long-term persistence.
- Deploying malware that leverages trusted third-party services for command and control (C2) communications.
- Installing Secure Shell (SSH) backdoors to subvert access and collect credentials.
- Extracting credentials from TACACS+ authentication using custom malware.
Initial Access through Zero-Days
Mandiant's earlier findings detailed UNC3886's exploitation of CVE-2023-34048, an out-of-bounds write vulnerability in the implementation of the DCERPC protocol in VMware's vCenter Server. This critical-rated flaw allowed an unauthenticated malicious actor to execute commands remotely on vCenter servers. Additional zero-day vulnerabilities exploited included:
- CVE-2022-41328 in FortiOS for executing backdoors on FortiGate devices.
- CVE-2022-22948 in VMware vCenter to access encrypted credentials in vCenter's postgres DB.
- CVE-2023-20867 in VMware Tools for unauthenticated guest operations from ESXi host to virtual machines.
Rootkits and Malware
The deeper investigation into UNC3886's operations also revealed their expansive malware arsenal that includes customized open-source variants.
REPTILE Rootkit
REPTILE, an open-source Linux rootkit, was heavily utilized by UNC3886 for its backdoor and stealth functionalities, enabling the threat actor to maintain undetected access to compromised systems. Key components include:
- REPTILE.CMD: A user-mode component for hiding files, processes, and network connections.
- REPTILE.SHELL: A reverse shell backdoor activated by specific network packets.
- Kernel-Level Component: A loadable kernel module (LKM) for achieving rootkit functionality.
- LKM Launcher: A custom launcher for loading the kernel module into memory.
MEDUSA Rootkit
MEDUSA employs dynamic linker hijacking to log user credentials and command executions, which complements UNC3886's strategy of using valid credentials for lateral movement. Deployment of MEDUSA involved a customized installer called "SEAELF" and modified configuration files.
Malware Leveraging Trusted Third-Party Services
MOPSLED is a modular backdoor that communicates over HTTP or a custom binary protocol, retrieving plugins from its C2 server. It was shared among Chinese cyberespionage groups and used by UNC3886 primarily on vCenter servers. RIFLESPINE is a backdoor that uses Google Drive for command and control communication and executes commands from encrypted files. It relied on "systemd" for persistence but was less favored due to its detectable nature.
Network Reconnaissance and Lateral Movement
UNC3886 has employed internal reconnaissance and lateral movement techniques using custom tools like LOOKOVER to capture TACACS+ credentials. Backdoored TACACS+ binaries further facilitated unauthorized access and credential logging.
VMCI Backdoors
UNC3886 also used VMCI backdoors for communication between guest and host systems, enhancing their control over compromised environments. Notable VMCI backdoors included:
- VIRTUALSHINE: Provided access to a bash shell via VMCI sockets.
- VIRTUALPIE: A Python-based backdoor supporting file transfer, command execution and reverse shell capabilities.
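As an added defender-side check tied to the MEDUSA technique described above (example code written for this page, not from Mandiant's report or any tooling it names), the script below audits the two places a dynamic-linker hijack has to register itself on a Linux host, /etc/ld.so.preload and per-process LD_PRELOAD, and flags libraries loaded from outside the standard library directories. The sample inputs and every library path in them are constructed.

```python
import os
from typing import Dict, List

# Directories the dynamic linker is expected to load shared objects from.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def classify_library(path: str) -> str:
    """'expected' for a normal system library path, 'suspicious' when the path
    has a hidden component or lies outside the trusted library directories."""
    if any(p.startswith(".") for p in path.split("/") if p):
        return "suspicious"
    return "expected" if path.startswith(TRUSTED_LIB_DIRS) else "suspicious"

def audit_preload(preload_contents: str, environ_blobs: Dict[int, bytes]) -> List[dict]:
    """Report every preload entry found; a clean host normally has none at all.
    preload_contents: text of /etc/ld.so.preload ("" if the file is absent).
    environ_blobs: {pid: raw bytes of /proc/<pid>/environ} (NUL-separated KEY=VALUE)."""
    findings = []
    for line in preload_contents.splitlines():
        lib = line.strip()
        if lib and not lib.startswith("#"):
            findings.append({"source": "/etc/ld.so.preload", "lib": lib,
                             "verdict": classify_library(lib)})
    for pid, blob in environ_blobs.items():
        for entry in blob.split(b"\0"):
            if entry.startswith(b"LD_PRELOAD="):
                value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
                for lib in value.replace(":", " ").split():  # ':' or space separated
                    findings.append({"source": f"pid {pid}", "lib": lib,
                                     "verdict": classify_library(lib)})
    return findings

def audit_live_host() -> List[dict]:
    """Collect the real inputs; unreadable processes are skipped (root gives full coverage)."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    envs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                envs[int(pid)] = f.read()
        except OSError:
            continue
    return audit_preload(preload, envs)

# Constructed sample input (not real indicators): one preload entry and two processes.
SAMPLE_PRELOAD = "# comment\n/tmp/.cache/libhook.so\n"
SAMPLE_ENVIRONS = {4242: b"HOME=/root\0LD_PRELOAD=/usr/lib/libfoo.so:/var/tmp/x.so\0",
                   4243: b"HOME=/home/ops\0PATH=/usr/bin\0"}

if __name__ == "__main__":
    for finding in audit_preload(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(finding)
```

Run audit_live_host() on a Linux host instead of the sample data; any entry at all deserves a look, and a "suspicious" verdict is the cue to inspect the library and the process that loaded it.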