Article Details
Scrape Timestamp (UTC): 2024-06-20 17:46:23.988
Original Article Text
UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs

A suspected Chinese threat actor tracked as UNC3886 uses publicly available open-source rootkits named 'Reptile' and 'Medusa' to remain hidden on VMware ESXi virtual machines, allowing them to conduct credential theft, command execution, and lateral movement.

Mandiant has been tracking the threat actor for a long time, previously reporting attacks on government organizations leveraging a Fortinet zero-day and two VMware zero-day vulnerabilities exploited for extended periods.

A new report by Mandiant unveils UNC3886's use of the mentioned rootkits on virtual machines for long-term persistence and evasion, as well as custom malware tools such as 'Mopsled' and 'Riflespine,' which leveraged GitHub and Google Drive for command and control.

The most recent attacks by UNC3886, according to Mandiant, targeted organizations in North America, Southeast Asia, and Oceania, with additional victims identified in Europe, Africa, and other parts of Asia. The targeted industries included governments, telecommunications, technology, aerospace, defense, and energy and utility sectors.

Rootkitting VMware ESXi VMs

Mandiant says the threat actors breach VMware ESXi VMs and install open-source rootkits to maintain access for long-term operations. A rootkit is malicious software that allows threat actors to run programs and make modifications that are not viewable to users on the operating system. This type of malware allows the threat actors to hide their presence while engaging in malicious behavior.

"After exploiting zero-day vulnerabilities to gain access to vCenter servers and subsequently managed ESXi servers, the actor obtained total control of guest virtual machines that shared the same ESXi server as the vCenter server," explained Mandiant. "Mandiant observed the actor use two publicly available rootkits, REPTILE and MEDUSA, on the guest virtual machines to maintain access and evade detection."

Reptile is an open-source Linux rootkit implemented as a loadable kernel module (LKM), designed to provide backdoor access and facilitate stealthy persistence. Reptile's main components are:

"REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints," continued Mandiant. "REPTILE offers both the common backdoor functionality, such as command execution and file transfer capabilities, as well as stealth functionality that enables the threat actor to evasively access and control the infected endpoints via port knocking."

UNC3886 modified the rootkit to use unique keywords for different deployments, aiding in evasion, while they also made changes to the rootkit's launcher and startup scripts aimed at boosting persistence and stealth.

The second open-source rootkit the threat actor deploys in attacks is Medusa, known for its dynamic linker hijacking via 'LD_PRELOAD.' Medusa's functional focus is credential logging, capturing account passwords from successful local and remote logins. It also performs command execution logging, providing the attackers with information about the victim's activities and insight into the compromised environment.

Mandiant says Medusa is typically deployed after Reptile as a complementary tool using a separate component named 'Seaelf.' Some customization was observed on Medusa, too, with UNC3886 turning off certain filters and altering configuration strings.

Custom malware

UNC3886 was also observed using a collection of custom malware tools in its operations, some of which are presented for the first time. The most important of the listed attack tools are:

Mandiant plans to release more technical details about those VMCI backdoors in a future post. The complete list with indicators of compromise and YARA rules to detect UNC3886 activity is at the bottom of Mandiant's report.
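The two rootkits described above hide in two different ways: an LKM that drops out of the kernel's module list (so it no longer shows in lsmod), and a shared object injected into every process through the dynamic linker's LD_PRELOAD mechanism. The Python below is an added example, not code from the article or from Mandiant's report, showing the two host checks a responder would run for those mechanisms on a Linux guest: it compares /proc/modules against /sys/module to find a loaded module that is missing from the module list, and it inspects /etc/ld.so.preload and the LD_PRELOAD variable for libraries outside the distribution's library directories. The STANDARD_LIB_DIRS list, the use of the sysfs `initstate` attribute to separate loadable from built-in modules, and all sample inputs (including the module name `hidden_mod`) are assumptions or constructed data, not indicators from the report.

```python
# Added example (not from the article or from Mandiant's report): defender-side
# checks for the two hiding mechanisms used by the rootkits discussed above.
import os
import re

# Directories in which legitimately preloaded libraries normally live
# (assumption: adjust for your distribution).
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_preload_entries(ld_so_preload_text, env_ld_preload=""):
    """Flag preload entries that do not look like distribution libraries.

    LD_PRELOAD-style hijacking needs its shared object to be named either in
    /etc/ld.so.preload (whitespace-separated list, '#' comments) or in the
    LD_PRELOAD environment variable (colon- or space-separated). Returns a list
    of (source, path, reason) tuples; an empty list means nothing unusual.
    """
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        for tok in line.split():
            entries.append(("/etc/ld.so.preload", tok))
    for tok in re.split(r"[:\s]+", env_ld_preload):
        if tok:
            entries.append(("LD_PRELOAD", tok))

    findings = []
    for source, path in entries:
        if not path.startswith("/"):
            findings.append((source, path, "relative path"))
        elif not path.startswith(STANDARD_LIB_DIRS):
            findings.append((source, path, "outside standard library directories"))
    return findings


def hidden_modules(proc_modules_text, sys_module_attrs):
    """Return loadable modules present in /sys/module but absent from /proc/modules.

    lsmod reads /proc/modules, which is generated from the kernel's module list;
    an LKM that unlinks itself from that list vanishes from lsmod, but its sysfs
    directory normally remains. Built-in modules also have /sys/module entries,
    so only directories carrying the 'initstate' attribute (assumption: created
    only for loadable modules) are considered.
    sys_module_attrs maps module name -> set of attribute names in /sys/module/<name>.
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(
        name for name, attrs in sys_module_attrs.items()
        if "initstate" in attrs and name not in listed
    )


def read_live_system():
    """Collect the same inputs from the running host (Linux only)."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    with open("/proc/modules") as fh:
        proc_modules = fh.read()
    sys_attrs = {
        name: set(os.listdir(os.path.join("/sys/module", name)))
        for name in os.listdir("/sys/module")
    }
    return preload, os.environ.get("LD_PRELOAD", ""), proc_modules, sys_attrs


# Constructed sample data (not real indicators): one rogue preload entry and one
# module visible in sysfs but missing from /proc/modules.
LD_SO_PRELOAD_SAMPLE = (
    "# constructed sample\n"
    "/lib/x86_64-linux-gnu/libc.so.6\n"
    "/usr/local/share/.x/libhide.so\n"
)
PROC_MODULES_SAMPLE = (
    "ext4 851968 1 - Live 0x0000000000000000\n"
    "xfs 1867776 0 - Live 0x0000000000000000\n"
)
SYS_MODULE_SAMPLE = {
    "ext4": {"initstate", "refcnt", "sections", "parameters"},
    "xfs": {"initstate", "refcnt", "sections"},
    "hidden_mod": {"initstate", "refcnt", "sections"},  # constructed: unlinked from the list
    "printk": {"parameters"},                           # built-in module: no initstate
}

if __name__ == "__main__":
    for finding in suspicious_preload_entries(LD_SO_PRELOAD_SAMPLE):
        print("preload:", finding)
    for name in hidden_modules(PROC_MODULES_SAMPLE, SYS_MODULE_SAMPLE):
        print("hidden module:", name)
```

On a real host, pass the tuple from read_live_system() into the two functions. Any non-empty /etc/ld.so.preload deserves a look even when every path sits in a standard directory, since nothing stops a rootkit from dropping its library under /usr/lib; package-manager ownership of the file is the next thing to verify.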
Daily Brief Summary
UNC3886, a suspected Chinese threat actor, utilizes open-source Linux rootkits 'Reptile' and 'Medusa' on VMware ESXi virtual machines for stealth and persistence.
Mandiant has closely followed UNC3886, noting their focus on critical sectors such as government, telecom, tech, aerospace, defense, and energy.
The attackers deploy the rootkits after exploiting zero-day vulnerabilities, gaining profound control over VMs to conduct espionage and maintain long-term access.
'Reptile' provides backdoor access with capabilities for command execution and file transfers, while 'Medusa' is used for credential logging and command execution logging.
UNC3886 has customized these rootkits for enhanced evasion and persistence, adjusting configuration settings and deployment scripts.
In addition to rootkits, UNC3886 employs custom malware tools like 'Mopsled' and 'Riflespine', leveraging platforms like GitHub and Google Drive for command and control.
The group's recent targets include organizations across North America, Southeast Asia, Oceania, Europe, Africa, and other parts of Asia.
Detailed technical information on UNC3886’s tools and methods, including VMCI backdoors, will be disclosed by Mandiant in future reports.