0-Day RCE Flaw in SonicWall SMA Devices Exploited to Launch OVERSTEP Ransomware

Google’s Threat Intelligence Group (GTIG) has uncovered a sophisticated cyberattack campaign targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances, where threat actors are exploiting previously stolen credentials and deploying a new rootkit called OVERSTEP.

The financially motivated group, tracked as UNC6148, has been operating since at least October 2024 and is suspected of leveraging an unknown zero-day remote code execution vulnerability to maintain persistent access to fully patched systems.

The campaign represents a significant escalation in attacks against network infrastructure devices, as the threat actors are successfully compromising appliances even after organizations have applied the latest security updates.

GTIG assesses with high confidence that UNC6148 is reusing credentials and one-time password (OTP) seeds stolen during previous intrusions, creating a persistent threat that extends beyond traditional patching cycles.

Evidence suggests the group may be connected to ransomware operations, with one targeted organization appearing on the “World Leaks” data leak site in June 2025, and overlaps identified with previously reported SonicWall exploitation campaigns linked to Abyss-branded ransomware deployment.

Advanced Rootkit Deployment

The OVERSTEP malware represents a sophisticated evolution in network appliance targeting, functioning as both a backdoor and user-mode rootkit specifically designed for SonicWall SMA devices.

The malware modifies the appliance’s boot process by injecting itself into the INITRD image and leveraging the /etc/ld.so.preload mechanism to ensure persistence across reboots.

This technique allows OVERSTEP to intercept library calls made by every process on the compromised device, giving it an effectively invisible presence from which it can steal credentials, establish reverse shells, and hide its own components from system administrators.

The rootkit’s primary functionality centers on hijacking standard library functions, including open, readdir, and write.

When activated, OVERSTEP can receive commands through web requests containing specific strings like “dobackshell” or “dopasswords,” which trigger either reverse shell establishment or credential theft operations.

The malware targets critical databases including temp.db and persist.db, which contain user credentials, session tokens, and OTP seed values that enable continued access even after password resets.

Additionally, OVERSTEP implements sophisticated anti-forensic capabilities by selectively removing log entries from httpd.log, http_request.log, and inotify.log files, significantly hampering incident response efforts.

Critical Security Implications

The discovery of UNC6148’s operations highlights several critical vulnerabilities in the SonicWall ecosystem, with evidence pointing to exploitation of multiple known CVEs including CVE-2024-38475, which allows unauthenticated attackers to exfiltrate sensitive database files through path traversal attacks.

However, the suspected use of an unknown zero-day vulnerability for deploying OVERSTEP suggests that traditional vulnerability management approaches may be insufficient against this threat actor.

Organizations using SonicWall SMA appliances face immediate risk of recompromise even after applying patches, as stolen credentials can provide persistent access regardless of firmware updates.

GTIG strongly recommends that all organizations with SMA appliances perform comprehensive forensic analysis using disk images rather than live system examination, as OVERSTEP’s rootkit capabilities can hide evidence of compromise from standard detection methods.
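The preload-based hooking described above is why GTIG recommends working from disk images: a live scan asks the hooked open and readdir for the very files the rootkit hides. The following triage script is an added example, not GTIG or SonicWall tooling; it walks a mounted image offline, flags any /etc/ld.so.preload entry and checks the IOC paths and hashes from this article. The image tree it scans is constructed inline for demonstration.

```python
# Offline triage of a mounted SonicWall SMA disk image for OVERSTEP artefacts.
# Added example, not GTIG or SonicWall tooling. IOC paths and hashes come from
# the article; the sample image tree is constructed below for the demonstration.
import hashlib
import os
import tempfile

IOC_HASHES = {  # sha256 -> description, as published in the article
    "b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473": "OVERSTEP malware binary",
    "f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149": "Modified rc.fwboot file",
}
IOC_PATHS = ["cf/xxx.elf", "cf/libsamba-errors.so.6", "usr/lib/libsamba-errors.so.6"]


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def triage_image(root):
    """Return (severity, message) findings for the image mounted at root. Run this
    on the mounted image, not the live appliance, where open/readdir are hooked."""
    findings = []
    preload = os.path.join(root, "etc/ld.so.preload")
    if os.path.isfile(preload):
        with open(preload, encoding="utf-8", errors="replace") as f:
            # The appliance has no documented use for preload entries; review each one.
            for lib in (line.strip() for line in f if line.strip()):
                findings.append(("high", f"ld.so.preload loads {lib}"))
    for rel in IOC_PATHS:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            desc = IOC_HASHES.get(sha256_file(full), "path matches IOC, hash not in list")
            findings.append(("high", f"/{rel} present ({desc})"))
    return findings


def build_demo_image(infected=True):
    # Constructed image tree: one preload entry plus one IOC path when infected.
    root = tempfile.mkdtemp(prefix="sma_image_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "cf"))
    if infected:
        with open(os.path.join(root, "etc/ld.so.preload"), "w") as f:
            f.write("/cf/libsamba-errors.so.6\n")
        with open(os.path.join(root, "cf/libsamba-errors.so.6"), "wb") as f:
            f.write(b"\x7fELF placeholder bytes, not real malware")
    return root


if __name__ == "__main__":
    for sev, msg in triage_image(build_demo_image()):
        print(sev.upper(), msg)
```

A path hit whose hash is not in the list still warrants a full copy of the file for analysis, since the published hashes cover only the samples GTIG observed.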

Critical mitigation steps include immediately rotating all credentials including passwords and OTP bindings for all users, revoking and reissuing certificates with private keys stored on appliances, and implementing enhanced monitoring for suspicious VPN sessions from external IP addresses.

The campaign’s extended timeline, with some intrusions occurring months before ransomware deployment, emphasizes the importance of proactive threat hunting and the potential for dormant compromises in affected environments.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
| --- | --- | --- |
| File Hash | b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473 | OVERSTEP malware binary |
| File Path | /cf/xxx.elf, /cf/libsamba-errors.so.6, /usr/lib/libsamba-errors.so.6 | OVERSTEP installation locations |
| File Hash | f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149 | Modified rc.fwboot file |
| IP Address | 193.149.180.50 | VPN session source (BitLaunch VPS) |
| IP Address | 64.52.80.80 | Reverse shell command and control server |
| File Path | /etc/ld.so.preload | Persistence mechanism file |
