Monday, July 22, 2024

Chinese UNC3886 Actors Exploiting VMware, Fortinet 0-days For Spying

In 2021, UNC3886, a suspected China nexus cyber espionage actor, was found to be targeting strategic organizations on a large scale, utilizing multiple vulnerabilities in FortiOS and VMware to install backdoors on the infected machines.

Fortinet and VMware have released patches to fix the vulnerabilities.

However, further investigations on the threat actor’s attack vector revealed the threat actor’s sophisticated, cautious, and evasive nature as they employed several layers of organized persistence over compromised machines.

This includes maintaining access to network devices, hypervisors, and virtual machines to gain alternative channel access.

Once they gained access to the compromised environment, they used publicly available rootkits for long-term persistence and also deployed malware to establish a connection with the C&C server.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Further, they also extracted information from TACACS+ (Terminal Access Controller Access Control Server) authentication using custom malware.

Zero-Day Exploitation

According to the reports shared with Cyber Security News, the UNC3886 threat actor has been exploiting VMware vCenter vulnerability CVE-2023-34048 since 2021, which allows unauthenticated remote command execution on vulnerable vCenter machines.

Adding to this, there were several other vulnerabilities, such as:

  • CVE-2022-41328 – Path Traversal – used to download and execute backdoors on FortiGate devices
  • CVE-2022-22948 – Information Disclosure – Used to obtain encrypted credentials in vCenter’s postgresDB
  • CVE-2023-20867 – Authentication Bypass – Used to execute unauthenticated Guest operations from compromised ESXi host
  • CVE-2022-42475 – Heap-based Buffer Overflow – Used to execute unauthenticated arbitrary code or commands via specially crafted requests.

Further, several publicly available rootkits were used to establish long-term persistence. The rootkits used by UNC3886 are REPTILE, MEDUSA, and SEAELF.


This is an open-source linux rootkit that provides backdoor access to a system.

Additionally, this rootkit offered several functionalities, including actions like hiding files, processes, and network connections, the option to listen to specialized packets like TCP, UDP, or ICMP for activation, and an LKM launcher, which can be used to decrypt the actual kernel module code from the file and load it into memory.

Though this was an open-source rootkit, the threat actor made several code changes to customize it to their needs.

Most of the code changes were observed to be before version 2.1, introduced on March 1, 2020.

One of the important changes that was identified was inside the LKM launcher, which included a new function to daemonize a process.


MEDUSA was another open-source rootkit that was implemented with dynamic linker hijacking via LD_PRELOAD.

The loader of MEDUSA was termed SEAELF. Two versions of MEDUSA were identified, both of which used XOR encryption keys to encrypt configuration strings.

Further, several additional changes were seen in the MEDUSA configuration, which can be used to create multiple MEDUSA artifacts.

Malware Usage

In addition to rootkits, the threat actor used several malware, such as MOPSLED and RIFLESPINE. MOPSLED is a shellcode-based modular backdoor that is capable of communicating over HTTP or a custom binary protocol over TCP to the C2. 

The main core functionality of this backdoor was its capability to retrieve plugins from the C2 server, and it also uses the ChaCha20 encryption algorithm.

Moreover, UNC3886 was found to be using a Linux variant of this backdoor to deploy on vCenter servers and on some compromised endpoints that already had REPTILE installed. 

RIFLESPINE is another cross-platform backdoor that uses Google Drive to transfer files and execute commands.

This backdoor uses CryptoPP library to implement the AES algorithm to encrypt the data transmitted between the compromised machine and the threat actor.

The deployment of this backdoor starts with creating an encrypted file on Google Drive with instructions to RIFLESPINE when getting executed on the compromised endpoint.

Further, the execution outputs will be encrypted, stored in a temporary file, and then uploaded to Google Drive again.

The instructions on the RIFLESPINE include the following:

  • Download the file with the get command.
  • Upload file with put command.
  • Set the next call out time in milliseconds with settime.
  • Execution of arbitrary commands with /bin/sh

Indicators Of Compromise

gl.py381b7a2a6d581e3482c829bfb542a7de UTILITY
install-20220615.py876787f76867ecf654019bd19409c5b8 INSTALLER
lsuv2_nv.v01827d8ae502e3a4d56e6c3a238ba855a7 ARCHIVE
payload1.v009ea86dccd5bbde47f8641b62a1eeff07 ARCHIVE
rdtfcb742b507e3c074da5524d1a7c80f7f ARCHIVE
sendPacket.py129ba90886c5f5eb0c81d901ad10c622 UTILITY
sendPacket.py0f76936e237bd87dfa2378106099a673 UTILITY
u.pyd18a5f1e8c321472a31c27f4985834a4 UTILITY
vmware_ntp.sh4ddca39b05103aeb075ebb0e03522064 LAUNCHER

Network-Based Indicators

IPv4ASNNetblock, LLC, LLC, LLC, LLC Hosting Sdn Bhd Hosting Sdn Bhd Hosting Sdn Bhd Hosting Sdn Bhd Hosting Sdn Bhd Enterprise Solutions Limited Enterprise Solutions Limited Enterprise Solutions Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited Information Technology Hk Limited

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles