FOCUS MODE
EXTRACT IOC
MINDMAP
Threat Research

UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell

Sysdig
UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
This article discusses the latest developments of the Chinese state-sponsored threat actor UNC5174, known for its advanced cyber warfare techniques. The actor has transitioned from using the SUPERSHELL tool to the open source VShell, which has been integrated into their SNOWLIGHT malware campaign. This evolution highlights their persistent espionage activities targeting organizations in Western countries and critical infrastructure sectors, using stealthy methods including fileless malware and sophisticated command-and-control tactics. Affected: Cybersecurity, Technology companies, Government organizations, Research institutions, Critical infrastructure.

Keypoints :

  • UNC5174 has shifted from SUPERSHELL to VShell as part of a new campaign.
  • The SNOWLIGHT malware acts as a dropper for the fileless VShell payload.
  • VShell is perceived as `even better` than widely known frameworks like Cobalt Strike.
  • UNC5174 targets Western countries including the US, Canada, and the UK.
  • The threat actor focuses on research institutions, governmental bodies, and NGOs.
  • Domain squatting is employed for phishing and social engineering attacks.
  • Stealth and evasion techniques, including the use of WebSockets for C2, increase detection difficulty.
  • SNOWLIGHT is linked to attacks targeting MacOS and Linux systems.
  • Sysdig customers are protected against these threats through specific detection measures.
  • The campaign has been observed to be active since at least November 2024.

MITRE Techniques :

  • TA0001 – Initial Access: Targeting Linux-based systems for exploitation.
  • TA0005 – Defense Evasion: Utilizing fileless payloads to avoid detection.
  • TA0011 – Command and Control: Employing WebSockets for C2 communication.
  • TA0007 – Discovery: Using internal reconnaissance methods after initial access.
  • TA0040 – Impact: Espionage and access brokering for ulterior motives.

Indicator of Compromise :

  • [Domain] vs[.]gooogleasia[.]com (C2 Console)
  • [IP Address] 34[.]96[.]239[.]183 (C2 Address)
  • [Domain] apib[.]googlespays[.]com (SNOWLIGHT Dropper Domain)
  • [SHA256] e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8 (SNOWLIGHT)
  • [SHA256] 21ccb25887eae8b17349cefc04394dc3ad75c289768d7ba61f51d228b4c964db (Sliver Implant)

Full Story: https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/

Views: 35

Tags: FINANCIAL, HEALTHCARE, CRITICAL INFRASTRUCTURE, WINDOWS, RECONNAISSANCE, DEFENSE EVASION, TOOL, CHINA
en en