In 2021, UNC3886, a suspected China-nexus cyber espionage actor, was found to be targeting strategic organizations at scale, exploiting multiple vulnerabilities in FortiOS and VMware products to install backdoors on the compromised machines.
Fortinet and VMware have since released patches for those vulnerabilities.
Further investigation of the actor's tradecraft, however, revealed a sophisticated, cautious and evasive operator that layered several persistence mechanisms over each compromised environment: it kept footholds on network devices, hypervisors and virtual machines at the same time, so that losing one channel of access still left another.
Once inside, UNC3886 used publicly available rootkits for long-term persistence and deployed custom malware to establish connections to its command-and-control (C&C) servers.
The actor also used custom malware to extract authentication data from TACACS+ (Terminal Access Controller Access-Control System Plus), the protocol that network devices use to authenticate administrators against a central server.
Zero-Day Exploitation
According to the report shared with Cyber Security News, UNC3886 has been exploiting the VMware vCenter Server vulnerability CVE-2023-34048 since 2021, long before a patch was available; the flaw allows unauthenticated remote code execution on vulnerable vCenter Server instances.
Several other vulnerabilities were used alongside it:
- CVE-2022-41328 – path traversal in FortiOS – used to download and execute backdoors on FortiGate devices
- CVE-2022-22948 – information disclosure in vCenter Server – used to obtain the encrypted credentials stored in vCenter's embedded PostgreSQL database
- CVE-2023-20867 – authentication bypass in VMware Tools – used from an already compromised ESXi host to run guest operations on its virtual machines without guest credentials
- CVE-2022-42475 – heap-based buffer overflow in FortiOS SSL-VPN – used to execute arbitrary code or commands via specially crafted requests, without authentication
Publicly available rootkit tooling was used to establish long-term persistence: REPTILE, MEDUSA, and MEDUSA's loader, SEAELF.
REPTILE
REPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides backdoor access to a system.
It can hide files, processes and network connections; it listens for a specially crafted activation packet, which may arrive over TCP, UDP or ICMP, so no listening port needs to be open for the backdoor to be reachable; and it ships with an LKM launcher that decrypts the real kernel module from a file on disk and loads it directly into memory, keeping the plaintext module off the filesystem.
Although the rootkit is open source, the threat actor made several code changes to tailor it to their needs. Most of those changes were made against code predating REPTILE version 2.1, which was released on March 1, 2020.
One notable change is a new function inside the LKM launcher that daemonizes a process.
MEDUSA And SEAELF
MEDUSA is another open-source rootkit; rather than a kernel module, it is a user-space shared library that hijacks the dynamic linker via LD_PRELOAD, so it is injected into dynamically linked programs as they start.
Its loader is tracked as SEAELF. Two versions of MEDUSA were identified, both of which keep their configuration strings XOR-encrypted.
Further changes were seen in MEDUSA's configuration handling, which let the actor build several distinct MEDUSA artifacts from the same code.
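The three persistence techniques described in the REPTILE and MEDUSA sections above (LD_PRELOAD hijacking, process hiding, and a udev rule used as a launcher, which is the role the IOC list below assigns to 99-bubba.rules) each leave a host-side trace that can be checked without any vendor tooling. The script below is an added example written for this page; it is not code from the original article or from Mandiant. The sample preload file, udev rule and PID sets are constructed, and the trusted directory lists are assumptions about a typical Linux host.

```python
"""Host triage checks for the persistence techniques described above:
MEDUSA-style dynamic linker hijacking via LD_PRELOAD, REPTILE-style
process hiding, and a udev rule used as a launcher.

Added example, not code from the original article or from Mandiant.
The sample inputs are constructed; TRUSTED_LIB_DIRS and UDEV_HELPER_DIRS
are assumptions about a typical Linux host."""
import os
import re

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
UDEV_HELPER_DIRS = ("/lib/udev/", "/usr/lib/udev/")


def preload_findings(ld_so_preload_text):
    """Parse the contents of /etc/ld.so.preload and return (path, suspicious)
    pairs. The file is normally absent or empty, so every entry deserves a
    look; an entry outside the system library directories is flagged outright.
    Also check LD_PRELOAD in /proc/<pid>/environ and in shell profiles, since
    the same hijack can be set per process instead of system-wide."""
    findings = []
    for line in ld_so_preload_text.splitlines():
        path = line.split("#", 1)[0].strip()          # drop comments / blanks
        if not path:
            continue
        findings.append((path, not path.startswith(TRUSTED_LIB_DIRS)))
    return findings


def udev_launcher_rules(rules_text):
    """Return RUN+= / PROGRAM= targets in a udev rules file that do not point
    at the distribution's udev helper directories. udev runs these as root on
    device events, boot included, which makes a rule a quiet rootkit loader."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for m in re.finditer(r'(?:RUN|PROGRAM)\+?=\s*"([^"]+)"', line):
            target = m.group(1)
            if not target.startswith(UDEV_HELPER_DIRS):
                hits.append(target)
    return hits


def hidden_pids(proc_listing, live_leader_pids):
    """PIDs that are alive but missing from a /proc directory listing.
    REPTILE hides processes by filtering what readdir() on /proc returns, so a
    PID found by a probe that bypasses the listing, yet absent from it, is a
    strong indicator. `live_leader_pids` must contain thread-group leaders
    only: every thread ID answers kill(tid, 0) but /proc lists only the
    leader, so raw TIDs would be false positives."""
    listed = {int(name) for name in proc_listing if name.isdigit()}
    return sorted(pid for pid in live_leader_pids if pid not in listed)


def collect_live_leaders(max_pid=65536):
    """Probe PIDs with kill(pid, 0) and keep those whose /proc/<pid>/status
    reports Tgid == Pid. /proc/<pid> stays reachable by direct path even when
    its directory entry is hidden. Caveat: a kernel rootkit that also hooks
    kill() or the status file defeats this check."""
    leaders = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                                     # exists, another user's
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(l.split(":", 1) for l in fh if ":" in l)
        except OSError:
            continue
        if fields.get("Tgid", "").strip() == str(pid):
            leaders.add(pid)
    return leaders


# Constructed samples, not recovered from any real host.
SAMPLE_LD_SO_PRELOAD = "# tuning\n/usr/lib/libnss_wrapper.so\n/dev/shm/.x/libhide.so\n"
SAMPLE_UDEV_RULES = (
    'ACTION=="add", SUBSYSTEM=="block", RUN+="/usr/lib/udev/hdparm"\n'
    'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c /var/tmp/.cache/start"\n'
)
SAMPLE_PROC_LISTING = ["1", "2", "self", "cpuinfo", "1337"]
SAMPLE_LIVE_LEADERS = {1, 2, 1337, 4242}

if __name__ == "__main__":
    print(preload_findings(SAMPLE_LD_SO_PRELOAD))
    print(udev_launcher_rules(SAMPLE_UDEV_RULES))
    print(hidden_pids(SAMPLE_PROC_LISTING, SAMPLE_LIVE_LEADERS))
    # On a real host: hidden_pids(os.listdir("/proc"), collect_live_leaders())
```

Run it as root so the kill() probe and /proc/<pid>/status reads succeed for every process. None of these checks is conclusive on its own: a preload entry under /usr/lib can still be malicious, and a kernel-mode rootkit can lie to all three checks, which is why the page's advice to rebuild compromised hypervisors and network devices from known-good images matters more than any single host test.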
Malware Usage
In addition to the rootkits, the threat actor used several malware families, among them MOPSLED and RIFLESPINE. MOPSLED is a shellcode-based modular backdoor that talks to its C2 over HTTP or over a custom binary protocol on top of TCP.
Its core functionality is retrieving plugins from the C2 server; it also uses the ChaCha20 encryption algorithm.
UNC3886 deployed a Linux variant of MOPSLED on vCenter servers and on some compromised endpoints that already had REPTILE installed.
RIFLESPINE is a cross-platform backdoor that uses Google Drive as its transport for file transfer and command execution, which lets its traffic blend in with legitimate use of the service.
It uses the Crypto++ (CryptoPP) library to implement AES encryption of the data exchanged between the compromised machine and the operator.
Tasking starts with the operator creating an encrypted file on Google Drive containing instructions, which RIFLESPINE fetches when it runs on the compromised endpoint.
The output of each instruction is encrypted, written to a temporary file and uploaded back to Google Drive.
The instruction set RIFLESPINE supports includes:
- get – download a file
- put – upload a file
- settime – set the time until the next call-out, in milliseconds
- execution of arbitrary commands via /bin/sh
Indicators Of Compromise
Rows without a Family value are supporting scripts and archives that are not attributed to a named malware family.

Filename | MD5 | Family | Role
--- | --- | --- | ---
gl.py | 381b7a2a6d581e3482c829bfb542a7de | | UTILITY
install-20220615.py | 876787f76867ecf654019bd19409c5b8 | | INSTALLER
lsuv2_nv.v01 | 827d8ae502e3a4d56e6c3a238ba855a7 | | ARCHIVE
payload1.v00 | 9ea86dccd5bbde47f8641b62a1eeff07 | | ARCHIVE
rdt | fcb742b507e3c074da5524d1a7c80f7f | | ARCHIVE
sendPacket.py | 129ba90886c5f5eb0c81d901ad10c622 | | UTILITY
sendPacket.py | 0f76936e237bd87dfa2378106099a673 | | UTILITY
u.py | d18a5f1e8c321472a31c27f4985834a4 | | UTILITY
vmware_ntp.sh | 4ddca39b05103aeb075ebb0e03522064 | | LAUNCHER
wp | 0e43a0f747a60855209b311d727a20bf | GHOSTTOWN | UTILITY
aububbaditd | 1d89b48548ea1ddf0337741ebdb89d92 | LOOKOVER | SNIFFER
bubba_sniffer | ecb34a068eeb2548c0cbe2de00e53ed2 | LOOKOVER | SNIFFER
ksbubba | 89339821cdf6e9297000f3e6949f0404 | MOPSLED.LINUX | BACKDOOR
ksbubba.service | c870ea6a598c12218e6ac36d791032b5 | MOPSLED.LINUX | LAUNCHER
99-bubba.rules | 1079d416e093ba40aa9e95a4c2a5b61f | REPTILE | LAUNCHER
admin | ed9be20fea9203f4c4557c66c5b9686c | REPTILE | BACKDOOR
authd | 568074d60dd4759e963adc5fe9f15eb1 | REPTILE | BACKDOOR
bubba | 4d5e4f64a9b56067704a977ed89aa641 | REPTILE | LAUNCHER
bubba_icmp | 1b7aee68f384e252286559abc32e6dd1 | REPTILE | BACKDOOR
bubba_loader | b754237c7b5e9461389a6d960156db1e | REPTILE | BACKDOOR
client | f41ad99b8a8c95e4132e850b3663cb40 | REPTILE | BACKDOOR
dash | 48f9bbdb670f89fce9c51ad433b4f200 | REPTILE | LAUNCHER
listener | 4fb72d580241f27945ec187855efd84a | REPTILE | BACKDOOR
packet | e2cdf2a3380d0197aa11ff98a34cc59e | REPTILE | CONTROLLER
authdd | fd3834d566a993c549a13a52d843a4e1 | REPTILE.SHELL | BACKDOOR
authdd | 4282de95cc54829d7ac275e436e33b78 | REPTILE.SHELL | BACKDOOR
bubba_reverse | c9c00c627015bd78fda22fa28fd11cd7 | REPTILE.SHELL | BACKDOOR
unknown | 047ac6aebe0fe80f9f09c5c548233407 | REPTILE.SHELL | BACKDOOR
usbubbaxd | bca2ccff0596a9f102550976750e2a89 | RIFLESPINE | BACKDOOR
audit | 3a8a60416b7b0e1aa5d17eefb0a45a16 | TINYSHELL | CONTROLLER
lang_ext | 6e248f5424810ea67212f1f2e4616aa5 | TINYSHELL | BACKDOOR
sync | 5d232b72378754f7a6433f93e6380737 | TINYSHELL | CONTROLLER
x64 | 3c7316012cba3bbfa8a95d7277cda873 | VIRTUALGATE | DROPPER
ndc4961 | 9c428a35d9fc1fdaf31af186ff6eec08 | VIRTUALPEER | UTILITY
lsu_lsi_.v05 | 2716c60c28cf7f7568f55ac33313468b | VIRTUALPIE | ARCHIVE
vmsyslog.py | 61ab3f6401d60ec36cd3ac980a8deb75 | VIRTUALPIE | BACKDOOR
vmware_local.sh | bd6e38b6ff85ab02c1a4325e8af29ce4 | VIRTUALPIE | LAUNCHER
cleanupStatefulHost.sh | 9ef5266a9fdd25474227c3e33b8e6d77 | VIRTUALPITA | LAUNCHER
client | a7cd7b61d13256f5478feb28ab34be72 | VIRTUALPITA | BACKDOOR
duci | cd3e9e4df7e607f4fe83873b9d1142e3 | VIRTUALPITA | BACKDOOR
payload1 | 62bed88bd426f91ddbbbcfcd8508ed6a | VIRTUALPITA | ARCHIVE
rdt | 8e80b40b1298f022c7f3a96599806c43 | VIRTUALPITA | BACKDOOR
rhttpproxy | c9f2476bf8db102fea7310abadeb9e01 | VIRTUALPITA | BACKDOOR
rhttpproxy-IO | 2c28ec2d541f555b2838099ca849f965 | VIRTUALPITA | BACKDOOR
rpci | 2bade2a5ec166d3a226761f78711ce2f | VIRTUALPITA | BACKDOOR
ssh | 969d7f092ed05c72f27eef5f2c8158d6 | VIRTUALPITA | BACKDOOR
nds4961l.so | 084132b20ed65b2930129b156b99f5b3 | VIRTUALSHINE | BACKDOOR
Network-Based Indicators
IPv4 | ASN | Netblock owner
--- | --- | ---
8.222.218.20 | 45102 | Alibaba
8.222.216.144 | 45102 | Alibaba
8.219.131.77 | 45102 | Alibaba
8.219.0.112 | 45102 | Alibaba
8.210.75.218 | 45102 | Alibaba
8.210.103.134 | 45102 | Alibaba
47.252.54.82 | 45102 | Alibaba
47.251.46.35 | 45102 | Alibaba
47.246.68.13 | 45102 | Alibaba
47.243.116.155 | 45102 | Alibaba
47.241.56.157 | 45102 | Alibaba
45.77.106.183 | 20473 | Choopa, LLC
45.32.252.98 | 20473 | Choopa, LLC
207.246.64.38 | 20473 | Choopa, LLC
149.28.122.119 | 20473 | Choopa, LLC
155.138.161.47 | 20473 | Choopa, LLC
154.216.2.149 | 55720 | Gigabit Hosting Sdn Bhd
103.232.86.217 | 55720 | Gigabit Hosting Sdn Bhd
103.232.86.210 | 55720 | Gigabit Hosting Sdn Bhd
103.232.86.209 | 55720 | Gigabit Hosting Sdn Bhd
58.64.204.165 | 17444 | HKBN Enterprise Solutions Limited
58.64.204.142 | 17444 | HKBN Enterprise Solutions Limited
58.64.204.139 | 17444 | HKBN Enterprise Solutions Limited
165.154.7.145 | 135377 | Ucloud Information Technology Hk Limited
165.154.135.108 | 135377 | Ucloud Information Technology Hk Limited
165.154.134.40 | 135377 | Ucloud Information Technology Hk Limited
152.32.231.251 | 135377 | Ucloud Information Technology Hk Limited
152.32.205.208 | 135377 | Ucloud Information Technology Hk Limited
152.32.144.15 | 135377 | Ucloud Information Technology Hk Limited
152.32.129.162 | 135377 | Ucloud Information Technology Hk Limited
123.58.207.86 | 135377 | Ucloud Information Technology Hk Limited
123.58.196.34 | 135377 | Ucloud Information Technology Hk Limited
118.193.63.40 | 135377 | Ucloud Information Technology Hk Limited
118.193.61.71 | 135377 | Ucloud Information Technology Hk Limited
118.193.61.178 | 135377 | Ucloud Information Technology Hk Limited
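Both indicator tables above are only useful once they are matched against something: file hashes from hypervisors and vCenter appliances against the MD5 column, and addresses from firewall, proxy or vpxd logs against the IPv4 column. The script below is an added example written for this page, not code from the original article or from Mandiant. The table excerpts it embeds are copied from the two tables above; the file contents and log lines are constructed. A hash match is exact-sample only, so a miss means "not one of these builds", not "clean".

```python
"""Match the host and network indicators from the tables above against
local artifacts. Added example, not code from the original article or from
Mandiant; the table excerpts are copied from this page, while the file
contents and log lines are constructed."""
import hashlib
import re

FILE_IOC_TABLE = """\
Filename | MD5 | Family | Role
gl.py | 381b7a2a6d581e3482c829bfb542a7de | | UTILITY
ksbubba | 89339821cdf6e9297000f3e6949f0404 | MOPSLED.LINUX | BACKDOOR
99-bubba.rules | 1079d416e093ba40aa9e95a4c2a5b61f | REPTILE | LAUNCHER
usbubbaxd | bca2ccff0596a9f102550976750e2a89 | RIFLESPINE | BACKDOOR
vmsyslog.py | 61ab3f6401d60ec36cd3ac980a8deb75 | VIRTUALPIE | BACKDOOR
"""

NET_IOC_TABLE = """\
IPv4 | ASN | Netblock
8.222.218.20 | 45102 | Alibaba
45.77.106.183 | 20473 | Choopa, LLC
103.232.86.217 | 55720 | Gigabit Hosting Sdn Bhd
165.154.7.145 | 135377 | Ucloud Information Technology Hk Limited
"""


def parse_pipe_table(text):
    """Turn an 'a | b | c' table (first row is the header, no leading pipe)
    into a list of dicts. Missing trailing cells become empty strings and a
    '---' separator row is skipped, so a markdown-style table parses too."""
    rows = [[cell.strip() for cell in line.split("|")]
            for line in text.strip().splitlines()]
    header = [h for h in rows[0] if h]
    records = []
    for cells in rows[1:]:
        if all(c.startswith("-") for c in cells if c):
            continue
        cells = cells[:len(header)] + [""] * (len(header) - len(cells))
        records.append(dict(zip(header, cells)))
    return records


FILE_IOCS = {r["MD5"].lower(): r for r in parse_pipe_table(FILE_IOC_TABLE)}
NET_IOCS = {r["IPv4"]: r for r in parse_pipe_table(NET_IOC_TABLE)}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def match_blobs(blobs):
    """blobs: mapping name -> bytes. Returns (name, family, role) per hit."""
    hits = []
    for name, data in blobs.items():
        row = FILE_IOCS.get(md5_hex(data))
        if row is not None:
            hits.append((name, row["Family"] or "-", row["Role"]))
    return hits


def match_paths(paths, chunk=1 << 20):
    """Same check for files on disk, hashed in chunks so large archives do
    not have to be read into memory; unreadable paths are skipped."""
    hits = []
    for path in paths:
        h = hashlib.md5()
        try:
            with open(path, "rb") as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    h.update(block)
        except OSError:
            continue
        row = FILE_IOCS.get(h.hexdigest())
        if row is not None:
            hits.append((path, row["Family"] or "-", row["Role"]))
    return hits


def match_log_lines(lines):
    """Returns (line_no, ip, netblock) for every IPv4 in `lines` that is in
    the indicator set; works on any text log that contains the address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in NET_IOCS:
                hits.append((n, ip, NET_IOCS[ip]["Netblock"]))
    return hits


# Constructed samples; 203.0.113.10 is from the documentation range.
SAMPLE_BLOBS = {"/var/tmp/unknown.bin": b"not one of the published samples\n"}
SAMPLE_LOG = [
    "2024-06-20T10:01:02Z fw01 conn src=10.1.2.3 dst=8.222.218.20 dport=443 proto=tcp",
    "2024-06-20T10:01:05Z fw01 conn src=10.1.2.3 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-06-20T10:02:11Z vcsa vpxd outbound 165.154.7.145:8443 established",
]

if __name__ == "__main__":
    print(match_blobs(SAMPLE_BLOBS))       # no hit: hash not in the table
    print(match_log_lines(SAMPLE_LOG))     # lines 1 and 3 hit
```

To use the full tables, paste the complete indicator lists into FILE_IOC_TABLE and NET_IOC_TABLE; the parser accepts the separator row as printed above. Because the actor also compiled variants (the table itself lists two hashes for sendPacket.py and for authdd), pair the hash check with the host triage checks earlier on the page rather than relying on hashes alone.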