Tuesday, November 12, 2024

Chinese UNC3886 Actors Exploiting VMware, Fortinet 0-days For Spying


In 2021, UNC3886, a suspected China-nexus cyber espionage actor, was found to be targeting strategic organizations on a large scale, exploiting multiple vulnerabilities in FortiOS and VMware products to install backdoors on the compromised machines.

Fortinet and VMware have released patches to fix the vulnerabilities.

However, further investigation of the attack vector revealed a sophisticated, cautious, and evasive actor that employed several layers of organized persistence over compromised machines.


These include maintaining access to network devices, hypervisors, and virtual machines as alternative access channels.

Once they gained access to the compromised environment, they used publicly available rootkits for long-term persistence and also deployed malware to establish a connection with the C&C server.


They also extracted information from TACACS+ (Terminal Access Controller Access-Control System Plus) authentication using custom malware.

Zero-Day Exploitation

According to reports shared with Cyber Security News, UNC3886 has been exploiting the VMware vCenter vulnerability CVE-2023-34048 since 2021; it allows unauthenticated remote command execution on vulnerable vCenter servers.

In addition, several other vulnerabilities were exploited:

  • CVE-2022-41328 – Path Traversal – used to download and execute backdoors on FortiGate devices
  • CVE-2022-22948 – Information Disclosure – used to obtain encrypted credentials from vCenter’s PostgreSQL database
  • CVE-2023-20867 – Authentication Bypass – used to execute unauthenticated guest operations from a compromised ESXi host
  • CVE-2022-42475 – Heap-based Buffer Overflow – used to execute unauthenticated arbitrary code or commands via specially crafted requests

Further, several publicly available rootkits were used to establish long-term persistence. The rootkits used by UNC3886 are REPTILE, MEDUSA, and SEAELF.

REPTILE

This is an open-source Linux rootkit that provides backdoor access to a system.

The rootkit offers several capabilities: hiding files, processes, and network connections; listening for specially crafted TCP, UDP, or ICMP packets that activate the backdoor; and an LKM launcher that decrypts the actual kernel-module code from a file and loads it into memory.

Though this was an open-source rootkit, the threat actor made several code changes to customize it to their needs.

Most of the code changes were observed in code predating version 2.1, which was introduced on March 1, 2020.

One notable change was inside the LKM launcher, which gained a new function to daemonize a process.
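A kernel rootkit like REPTILE hides processes by filtering what /proc shows, but the kernel still answers a direct existence probe for a hidden PID. The following Python script is an added example (not code from the article or from any of the tools it describes) of that classic cross-check: it compares a /proc directory listing against kill(pid, 0) probes and reports PIDs the kernel confirms but the listing omits. The PID range, the thread filtering via Tgid and the double snapshot to suppress races are assumptions of this example.

```python
import os

def _pid_alive(pid: int) -> bool:
    """Ask the kernel directly whether a task with this ID exists."""
    try:
        os.kill(pid, 0)            # signal 0: existence check, nothing is delivered
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                # exists, but owned by another user

def _tgid(pid: int):
    """Thread-group ID from /proc/<pid>/status, or None if the entry cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def _listed_pids() -> set:
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def find_hidden_pids(max_pid: int = 65536) -> list:
    """Return PIDs the kernel confirms exist but that never show up in a /proc listing."""
    before = _listed_pids()
    probed = [pid for pid in range(1, max_pid + 1) if pid not in before and _pid_alive(pid)]
    after = _listed_pids()
    hidden = []
    for pid in probed:
        if pid in after:           # created between snapshot and probe; not hidden
            continue
        tgid = _tgid(pid)
        if tgid is not None and tgid != pid:
            continue               # a thread, which legitimately never appears in the listing
        if _pid_alive(pid):        # still there on re-check: hidden process, or status blocked
            hidden.append(pid)
    return hidden

if __name__ == "__main__":
    found = find_hidden_pids()
    print("hidden PIDs:", found if found else "none")
```

Run it as root so that kill(0) probes are not rejected for other users' processes; a non-empty result on a host that should be clean is a reason to pull the box for forensic review rather than to trust anything it reports about itself.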

MEDUSA And SEAELF

MEDUSA is another open-source rootkit; it works through dynamic linker hijacking via LD_PRELOAD.

The loader of MEDUSA is tracked as SEAELF. Two versions of MEDUSA were identified, both of which XOR-encrypt their configuration strings.

Several additional changes were also observed in the MEDUSA configuration, which can be used to generate multiple distinct MEDUSA artifacts.
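Because MEDUSA persists through LD_PRELOAD, the two places to look on a Linux host are /etc/ld.so.preload and the LD_PRELOAD variable in each process's environment. The script below is an added example (not from the article or from MEDUSA/SEAELF itself): it parses those two sources, flags preloaded libraries that live in world-writable or home directories or that no longer exist on disk, and can run the same checks against the live host. The directory list, the sample preload file and the sample environ blobs are constructed for this example.

```python
import os

# Directories from which a legitimately preloaded library should never load (assumption: tune per fleet).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")

def _reason(lib: str) -> str:
    if lib.startswith(SUSPICIOUS_DIRS):
        return "library lives in a world-writable or home directory"
    if not os.path.exists(lib):
        return "library path is missing on disk (deleted or hidden)"
    return "preload entry present"

def preload_findings(ld_so_preload: str, environs: dict) -> list:
    """Flag LD_PRELOAD-style hijacking.

    ld_so_preload: text of /etc/ld.so.preload (libraries separated by whitespace or ':', '#' comments)
    environs:      {pid: raw bytes of /proc/<pid>/environ} (NUL-separated KEY=VALUE pairs)
    Returns (source, library, reason) tuples; any entry in ld.so.preload is unusual on a stock host.
    """
    findings = []
    for line in ld_so_preload.splitlines():
        for lib in line.split("#", 1)[0].replace(":", " ").split():
            findings.append(("/etc/ld.so.preload", lib, _reason(lib)))
    for pid, blob in environs.items():
        for entry in blob.split(b"\0"):
            if entry.startswith(b"LD_PRELOAD="):
                value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
                for lib in value.replace(":", " ").split():
                    findings.append((f"pid {pid}", lib, _reason(lib)))
    return findings

def scan_live_host() -> list:
    """Apply the same checks to the running system (root is needed to read other users' environ)."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    except OSError:
        preload = ""
    environs = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/environ", "rb") as f:
                    environs[int(name)] = f.read()
            except OSError:
                continue
    return preload_findings(preload, environs)

# Constructed sample input, not taken from any real incident.
SAMPLE_PRELOAD = "# empty on a clean host\n/dev/shm/libhook.so\n"
SAMPLE_ENVIRONS = {4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0",
                   4243: b"PATH=/usr/bin\0HOME=/home/ops\0"}
```

Calling preload_findings(SAMPLE_PRELOAD, SAMPLE_ENVIRONS) yields two findings (the ld.so.preload entry and pid 4242), while scan_live_host() returns whatever the current machine exposes; a userland rootkit that already hooks open() and readdir() can of course lie to this script too, which is why the check is worth running from a trusted boot medium as well.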

Malware Usage

In addition to rootkits, the threat actor used several malware families, such as MOPSLED and RIFLESPINE. MOPSLED is a shellcode-based modular backdoor that communicates with its C2 over HTTP or over a custom binary protocol on TCP.

The core functionality of this backdoor is retrieving plugins from the C2 server; it uses the ChaCha20 algorithm for encryption.

UNC3886 was also observed deploying a Linux variant of this backdoor on vCenter servers and on some compromised endpoints that already had REPTILE installed.

RIFLESPINE is another cross-platform backdoor that uses Google Drive to transfer files and execute commands.

This backdoor uses the CryptoPP library to implement AES encryption of the data transmitted between the compromised machine and the threat actor.

Deployment of this backdoor begins with the threat actor creating an encrypted file on Google Drive containing instructions that RIFLESPINE reads when it executes on the compromised endpoint.

The command output is then encrypted, stored in a temporary file, and uploaded back to Google Drive.

The instructions RIFLESPINE accepts include the following:

  • Download a file with the get command.
  • Upload a file with the put command.
  • Set the next call-out time in milliseconds with settime.
  • Execute arbitrary commands via /bin/sh.
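Because settime fixes the interval until the next call-out, RIFLESPINE's Google Drive traffic tends to be periodic, which is a property a proxy log can expose. The following Python script is an added example (not code from the article or from RIFLESPINE) that groups Drive API requests per client in a set of constructed proxy log lines and flags clients whose request gaps have a very low coefficient of variation. The log format, the www.googleapis.com host list and the thresholds are assumptions of this example.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log lines (epoch_seconds client method url), not from a real capture.
# 10.1.2.3 calls the Drive API every ~60 s; 10.1.2.9 browses it at irregular times.
SAMPLE_LOG = """\
1700000000.1 10.1.2.3 GET https://www.googleapis.com/drive/v3/files
1700000060.2 10.1.2.3 GET https://www.googleapis.com/drive/v3/files
1700000120.0 10.1.2.3 GET https://www.googleapis.com/drive/v3/files
1700000180.3 10.1.2.3 POST https://www.googleapis.com/upload/drive/v3/files
1700000240.1 10.1.2.3 GET https://www.googleapis.com/drive/v3/files
1700000005.0 10.1.2.9 GET https://www.googleapis.com/drive/v3/files
1700000500.0 10.1.2.9 GET https://www.googleapis.com/drive/v3/files
1700000530.0 10.1.2.9 GET https://www.googleapis.com/drive/v3/files
1700002000.0 10.1.2.9 GET https://www.googleapis.com/drive/v3/files
"""
LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (\S+)$")
DRIVE_HOSTS = ("www.googleapis.com",)   # Drive API endpoint; extend per environment (assumption)

def drive_beacons(log_text: str, min_hits: int = 4, max_cv: float = 0.15) -> dict:
    """Return {client: (hits, mean_gap_seconds, cv)} for clients whose Drive callouts are near-periodic.

    cv is the population standard deviation of the inter-request gaps divided by their mean;
    human-driven Drive use is bursty (high cv), a timer-driven implant is regular (low cv).
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # tolerate malformed lines instead of aborting the scan
        ts, client, _method, url = m.groups()
        host = url.split("/")[2] if "://" in url else url
        if host in DRIVE_HOSTS:
            times[client].append(float(ts))
    results = {}
    for client, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            results[client] = (len(stamps), round(mean, 1), round(cv, 3))
    return results

if __name__ == "__main__":
    for client, (hits, mean_gap, cv) in drive_beacons(SAMPLE_LOG).items():
        print(f"{client}: {hits} Drive requests, mean gap {mean_gap}s, cv {cv}")
```

On the sample only 10.1.2.3 is reported (5 hits, 60 s mean gap); a real implant may add jitter, so treat the cv threshold as a tuning knob and pair this with the Drive account and file names seen in the requests.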

Indicators Of Compromise


Network-Based Indicators



Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
