UNC3886, identified as a suspected Chinese threat actor, employs sophisticated tactics involving open-source rootkits like ‘Reptile’ and ‘Medusa’ to infiltrate and maintain control over VMware ESXi virtual machines. These rootkits facilitate stealthy operations such as credential theft, command execution, and lateral movement within compromised environments. Mandiant’s extensive tracking reveals UNC3886’s use of custom malware tools like ‘Mopsled’ and ‘Riflespine’, leveraging GitHub and Google Drive for command and control across targeted industries globally, including the government, technology, and defense sectors.
The threat actor gains initial access by exploiting zero-day vulnerabilities in VMware and Fortinet systems, subsequently deploying ‘Reptile’ and ‘Medusa’ on guest virtual machines to ensure long-term persistence and evade detection. ‘Reptile’ functions as a Linux loadable kernel module (LKM), providing backdoor access and stealthy communication channels through TCP, UDP, or ICMP protocols. Meanwhile, ‘Medusa’ focuses on credential logging and command execution, enhancing UNC3886’s ability to gather intelligence and maintain control over compromised systems.
UNC3886 further customizes these rootkits and malware tools with unique deployment keywords and configuration adjustments to evade detection and enhance persistence. Additionally, the threat actor deploys a range of specialized tools like ‘Lookover’ for credential capture and ‘VMCI backdoors’ for communication between virtual machines, demonstrating a comprehensive approach to maintaining access and control. Mandiant’s ongoing investigation underscores the critical need for robust cybersecurity measures to detect and mitigate sophisticated threats targeting virtualized environments.
Reference: