The entities targeted by these incursions have mostly been found in North America, Southeast Asia, and Oceania; victims have also been found in Europe, Africa, and other regions of Asia. Governments, telecommunications, technology, aerospace and defense, energy, and utility sectors are among the industries that are targeted. One of UNC3886's most noteworthy strategies is that it created methods to bypass security software, which allows it to infiltrate corporate and governmental networks and spy on targets covertly for protracted periods.

This involves employing rootkits that are publicly available, like Medusa and Reptile, on guest virtual machines (VMs). Medusa is installed using an installation component called SEAELF. In contrast to Reptile, which only offers interactive access with rootkit features, Medusa demonstrates the ability to log user credentials from successful local or remote authentications as well as command executions. UNC3886 benefits from these capabilities since they can use them to travel laterally with legitimate credentials.

Two backdoors, MOPSLED and RIFLESPINE, are also installed on the systems. They use reputable services, such as GitHub and Google Drive, as command-and-control (C2) channels. While RIFLESPINE is a cross-platform tool that uses Google Drive to transfer files and run commands, MOPSLED is a shellcode-based modular implant that connects via HTTP to retrieve plugins from a GitHub C2 server. It is most likely an outgrowth of the Crosswalk malware.

Mandiant reported that it had observed UNC3886 using Medusa to create custom SSH servers and using backdoored SSH clients to harvest credentials after 2023-20867 was exploited. Using LOOKOVER was the threat actor's initial attempt to get additional access to the network equipment by focusing on the TACACS server. The C sniffer LOOKOVER reads TACACS+ authentication packets, decrypts them, and then publishes the contents to a designated file path. Below are a few more malware families that were distributed during assaults against VMware instances:

• A valid TACACS daemon that has been compromised by malware and has credential-logging capabilities.
• A backdoor based on VMware VMCI sockets that gives access to a bash shell called VIRTUALSHINE.
• A Python backdoor that executes commands arbitrarily, transfers files and performs reverse shell operations named VIRTUALPIE.
• A controller module, VIRTUALSPHERE, is connected to a backdoor based on VMCI.

Because virtual machines are so widely used in cloud environments, threat actors have found them to be attractive targets over time. Attackers may be able to access both the rights granted to the VM instance and its contents through a hacked virtual machine. Given the transient and unchangeable nature of computing workloads such as virtual machines (VMs), the risk associated with a compromised identity may be higher than that of compromised data within a VM.

Impact

• Cyber Espionage
• Unauthorized Access
• Privilege Escalation
• Credential Theft

Indicators of Compromise

IP

• 45.77.106.183
• 45.32.252.98
• 207.246.64.38
• 149.28.122.119
• 155.138.161.47
• 58.64.204.165
• 165.154.7.145

MD5

• 3c7316012cba3bbfa8a95d7277cda873

SHA-256

• 1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb

SHA-1

• d6a57b9aaa20fe4f3330f5979979081af09a4232

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Implement a robust vulnerability management program to regularly scan and identify any potential vulnerabilities in your virtualization environment. Prioritize patching and remediation based on criticality and impact.
• Implement network segmentation to isolate critical systems, such as ESXi hosts, from other less critical systems. This can help contain the impact of a potential compromise and limit lateral movement within the network.
• Follow the principle of least privilege for user accounts and ensure that only authorized personnel have administrative access to ESXi hosts. Regularly review and revoke unnecessary privileges to minimize the attack surface.
• Deploy robust security monitoring and intrusion detection systems to detect any suspicious activities or indicators of compromise. Implement real-time log analysis and alerting mechanisms to identify potential unauthorized access attempts.
• Educate users and system administrators about the latest threats, phishing techniques, and social engineering tactics employed by APT groups. Encourage a culture of security awareness and promote safe computing practices.
• Conduct periodic security audits and assessments of your virtualization infrastructure to identify any misconfigurations or vulnerabilities. Engage third-party security experts if necessary to perform thorough assessments.
• Continuously monitor the security posture of your virtualization environment, including ESXi hosts and virtual machines. Implement hardening measures recommended by VMware and security best practices to minimize the attack surface and strengthen defenses.