'

Chinese UNC3886 Actors Exploiting VMware, Fortinet 0-days For Spying

In 2021, UNC3886, a suspected China nexus cyber espionage actor, was found to be targeting strategic organizations on a large scale, utilizing multiple vulnerabilities in FortiOS and VMware to install backdoors on the infected machines.

Fortinet and VMware have released patches to fix the vulnerabilities.

However, further investigations on the threat actor’s attack vector revealed the threat actor’s sophisticated, cautious, and evasive nature as they employed several layers of organized persistence over compromised machines.

This includes maintaining access to network devices, hypervisors, and virtual machines to gain alternative channel access.

Once they gained access to the compromised environment, they used publicly available rootkits for long-term persistence and also deployed malware to establish a connection with the C&C server.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Further, they also extracted information from TACACS+ (Terminal Access Controller Access Control Server) authentication using custom malware.

Zero-Day Exploitation

According to the reports shared with Cyber Security News, the UNC3886 threat actor has been exploiting VMware vCenter vulnerability CVE-2023-34048 since 2021, which allows unauthenticated remote command execution on vulnerable vCenter machines.

Adding to this, there were several other vulnerabilities, such as:

  • CVE-2022-41328 – Path Traversal – used to download and execute backdoors on FortiGate devices
  • CVE-2022-22948 – Information Disclosure – Used to obtain encrypted credentials in vCenter’s postgresDB
  • CVE-2023-20867 – Authentication Bypass – Used to execute unauthenticated Guest operations from compromised ESXi host
  • CVE-2022-42475 – Heap-based Buffer Overflow – Used to execute unauthenticated arbitrary code or commands via specially crafted requests.

Further, several publicly available rootkits were used to establish long-term persistence. The rootkits used by UNC3886 are REPTILE, MEDUSA, and SEAELF.

REPTILE

This is an open-source linux rootkit that provides backdoor access to a system.

Additionally, this rootkit offered several functionalities, including actions like hiding files, processes, and network connections, the option to listen to specialized packets like TCP, UDP, or ICMP for activation, and an LKM launcher, which can be used to decrypt the actual kernel module code from the file and load it into memory.

Though this was an open-source rootkit, the threat actor made several code changes to customize it to their needs.

Most of the code changes were observed to be before version 2.1, introduced on March 1, 2020.

One of the important changes that was identified was inside the LKM launcher, which included a new function to daemonize a process.

MEDUSA And SEAELF

MEDUSA was another open-source rootkit that was implemented with dynamic linker hijacking via LD_PRELOAD.

The loader of MEDUSA was termed SEAELF. Two versions of MEDUSA were identified, both of which used XOR encryption keys to encrypt configuration strings.

Further, several additional changes were seen in the MEDUSA configuration, which can be used to create multiple MEDUSA artifacts.

Malware Usage

In addition to rootkits, the threat actor used several malware, such as MOPSLED and RIFLESPINE. MOPSLED is a shellcode-based modular backdoor that is capable of communicating over HTTP or a custom binary protocol over TCP to the C2. 

The main core functionality of this backdoor was its capability to retrieve plugins from the C2 server, and it also uses the ChaCha20 encryption algorithm.

Moreover, UNC3886 was found to be using a Linux variant of this backdoor to deploy on vCenter servers and on some compromised endpoints that already had REPTILE installed. 

RIFLESPINE is another cross-platform backdoor that uses Google Drive to transfer files and execute commands.

This backdoor uses CryptoPP library to implement the AES algorithm to encrypt the data transmitted between the compromised machine and the threat actor.

The deployment of this backdoor starts with creating an encrypted file on Google Drive with instructions to RIFLESPINE when getting executed on the compromised endpoint.

Further, the execution outputs will be encrypted, stored in a temporary file, and then uploaded to Google Drive again.

The instructions on the RIFLESPINE include the following:

  • Download the file with the get command.
  • Upload file with put command.
  • Set the next call out time in milliseconds with settime.
  • Execution of arbitrary commands with /bin/sh

Indicators Of Compromise

Filename MD5 Family Role
gl.py 381b7a2a6d581e3482c829bfb542a7de   UTILITY
install-20220615.py 876787f76867ecf654019bd19409c5b8   INSTALLER
lsuv2_nv.v01 827d8ae502e3a4d56e6c3a238ba855a7   ARCHIVE
payload1.v00 9ea86dccd5bbde47f8641b62a1eeff07   ARCHIVE
rdt fcb742b507e3c074da5524d1a7c80f7f   ARCHIVE
sendPacket.py 129ba90886c5f5eb0c81d901ad10c622   UTILITY
sendPacket.py 0f76936e237bd87dfa2378106099a673   UTILITY
u.py d18a5f1e8c321472a31c27f4985834a4   UTILITY
vmware_ntp.sh 4ddca39b05103aeb075ebb0e03522064   LAUNCHER
wp 0e43a0f747a60855209b311d727a20bf GHOSTTOWN UTILITY
aububbaditd 1d89b48548ea1ddf0337741ebdb89d92 LOOKOVER SNIFFER
bubba_sniffer ecb34a068eeb2548c0cbe2de00e53ed2 LOOKOVER SNIFFER
ksbubba 89339821cdf6e9297000f3e6949f0404 MOPSLED.LINUX BACKDOOR
ksbubba.service c870ea6a598c12218e6ac36d791032b5 MOPSLED.LINUX LAUNCHER
99-bubba.rules 1079d416e093ba40aa9e95a4c2a5b61f REPTILE LAUNCHER
admin ed9be20fea9203f4c4557c66c5b9686c REPTILE BACKDOOR
authd 568074d60dd4759e963adc5fe9f15eb1 REPTILE BACKDOOR
bubba 4d5e4f64a9b56067704a977ed89aa641 REPTILE LAUNCHER
bubba_icmp 1b7aee68f384e252286559abc32e6dd1 REPTILE BACKDOOR
bubba_loader b754237c7b5e9461389a6d960156db1e REPTILE BACKDOOR
client f41ad99b8a8c95e4132e850b3663cb40 REPTILE BACKDOOR
dash 48f9bbdb670f89fce9c51ad433b4f200 REPTILE LAUNCHER
listener 4fb72d580241f27945ec187855efd84a REPTILE BACKDOOR
packet e2cdf2a3380d0197aa11ff98a34cc59e REPTILE CONTROLLER
authdd fd3834d566a993c549a13a52d843a4e1 REPTILE.SHELL BACKDOOR
authdd 4282de95cc54829d7ac275e436e33b78 REPTILE.SHELL BACKDOOR
bubba_reverse c9c00c627015bd78fda22fa28fd11cd7 REPTILE.SHELL BACKDOOR
unknown 047ac6aebe0fe80f9f09c5c548233407 REPTILE.SHELL BACKDOOR
usbubbaxd bca2ccff0596a9f102550976750e2a89 RIFLESPINE BACKDOOR
audit 3a8a60416b7b0e1aa5d17eefb0a45a16 TINYSHELL CONTROLLER
lang_ext 6e248f5424810ea67212f1f2e4616aa5 TINYSHELL BACKDOOR
sync 5d232b72378754f7a6433f93e6380737 TINYSHELL CONTROLLER
x64 3c7316012cba3bbfa8a95d7277cda873 VIRTUALGATE DROPPER
ndc4961 9c428a35d9fc1fdaf31af186ff6eec08 VIRTUALPEER UTILITY
lsu_lsi_.v05 2716c60c28cf7f7568f55ac33313468b VIRTUALPIE ARCHIVE
vmsyslog.py 61ab3f6401d60ec36cd3ac980a8deb75 VIRTUALPIE BACKDOOR
vmware_local.sh bd6e38b6ff85ab02c1a4325e8af29ce4 VIRTUALPIE LAUNCHER
cleanupStatefulHost.sh 9ef5266a9fdd25474227c3e33b8e6d77 VIRTUALPITA LAUNCHER
client a7cd7b61d13256f5478feb28ab34be72 VIRTUALPITA BACKDOOR
duci cd3e9e4df7e607f4fe83873b9d1142e3 VIRTUALPITA BACKDOOR
payload1 62bed88bd426f91ddbbbcfcd8508ed6a VIRTUALPITA ARCHIVE
rdt 8e80b40b1298f022c7f3a96599806c43 VIRTUALPITA BACKDOOR
rhttpproxy c9f2476bf8db102fea7310abadeb9e01 VIRTUALPITA BACKDOOR
rhttpproxy-IO 2c28ec2d541f555b2838099ca849f965 VIRTUALPITA BACKDOOR
rpci 2bade2a5ec166d3a226761f78711ce2f VIRTUALPITA BACKDOOR
ssh 969d7f092ed05c72f27eef5f2c8158d6 VIRTUALPITA BACKDOOR
nds4961l.so 084132b20ed65b2930129b156b99f5b3 VIRTUALSHINE BACKDOOR

Network-Based Indicators

IPv4 ASN Netblock
8.222.218.20 45102 Alibaba
8.222.216.144 45102 Alibaba
8.219.131.77 45102 Alibaba
8.219.0.112 45102 Alibaba
8.210.75.218 45102 Alibaba
8.210.103.134 45102 Alibaba
47.252.54.82 45102 Alibaba
47.251.46.35 45102 Alibaba
47.246.68.13 45102 Alibaba
47.243.116.155 45102 Alibaba
47.241.56.157 45102 Alibaba
45.77.106.183 20473 Choopa, LLC
45.32.252.98 20473 Choopa, LLC
207.246.64.38 20473 Choopa, LLC
149.28.122.119 20473 Choopa, LLC
155.138.161.47 20473 Gigabit Hosting Sdn Bhd
154.216.2.149 55720 Gigabit Hosting Sdn Bhd
103.232.86.217 55720 Gigabit Hosting Sdn Bhd
103.232.86.210 55720 Gigabit Hosting Sdn Bhd
103.232.86.209 55720 Gigabit Hosting Sdn Bhd
58.64.204.165 17444 HKBN Enterprise Solutions Limited
58.64.204.142 17444 HKBN Enterprise Solutions Limited
58.64.204.139 17444 HKBN Enterprise Solutions Limited
165.154.7.145 135377 Ucloud Information Technology Hk Limited
165.154.135.108 135377 Ucloud Information Technology Hk Limited
165.154.134.40 135377 Ucloud Information Technology Hk Limited
152.32.231.251 135377 Ucloud Information Technology Hk Limited
152.32.205.208 135377 Ucloud Information Technology Hk Limited
152.32.144.15 135377 Ucloud Information Technology Hk Limited
152.32.129.162 135377 Ucloud Information Technology Hk Limited
123.58.207.86 135377 Ucloud Information Technology Hk Limited
123.58.196.34 135377 Ucloud Information Technology Hk Limited
118.193.63.40 135377 Ucloud Information Technology Hk Limited
118.193.61.71 135377 Ucloud Information Technology Hk Limited
118.193.61.178 135377 Ucloud Information Technology Hk Limited

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

The post Chinese UNC3886 Actors Exploiting VMware, Fortinet 0-days For Spying appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


Go to Source
Author: Eswar