UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs

June 20, 2024 at 01:49PM

Threat actor UNC3886, suspected to be Chinese, uses open-source rootkits like ‘Reptile’ and ‘Medusa’ on VMware ESXi virtual machines to conduct credential theft, command execution, and lateral movement. Mandiant tracked UNC3886’s attacks on government organizations and revealed their recent use of rootkits, custom malware tools, and attacks targeting various industries in different regions.

Key takeaways from the Mandiant report:

1. Threat actor UNC3886, believed to be of Chinese origin, has been observed using open-source rootkits like ‘Reptile’ and ‘Medusa’ to remain undetected on VMware ESXi virtual machines. The group exploits zero-day vulnerabilities for initial access and uses custom malware tools such as ‘Mopsled’ and ‘Riflespine’ for command and control.

2. UNC3886 has targeted various organizations in North America, Southeast Asia, Oceania, Europe, Africa, and other parts of Asia. The attacked industries include governments, telecommunications, technology, aerospace, defense, and energy and utility sectors.

3. Mandiant reports that UNC3886 compromises Linux guest VMs running on VMware ESXi hypervisors and installs open-source rootkits like ‘Reptile’ and ‘Medusa’ to maintain long-term access. These rootkits let the attackers run programs and modify the system while hiding the associated processes, files, and network connections from administrators and from standard host tooling such as ps and ls.

4. The threat actor customizes the deployed rootkits and uses a different keyword for each deployment (the string such rootkits match on to decide which files and processes to hide), so detection signatures built on the rootkits’ default keywords do not fire.

5. UNC3886 deploys custom malware tools such as ‘Mopsled’, ‘Riflespine’, and ‘Lookover’, as well as backdoor families Mandiant names ‘Backdoored SSH execs’ (trojanized SSH executables) and ‘VMCI backdoors’ (backdoors that communicate over the VMware Virtual Machine Communication Interface between host and guest), to achieve various objectives including backdoor access, file transfer, command execution, reverse shells, and information collection.
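Items 3 and 4 above describe the hiding behaviour that makes these rootkits hard to spot from inside the guest. The script below is an added example written for this summary, not code from Mandiant or from the Reptile or Medusa projects. It applies two classic checks a responder can run on a suspect Linux VM: a brute-force PID probe that compares what the /proc directory listing shows against what can be reached by direct path lookup (kernel rootkits that hook the directory-walk path hide PIDs from the listing but typically leave /proc/PID reachable), and a parse of /etc/ld.so.preload, the hook point used by LD_PRELOAD-style userland rootkits. The sample PID lists and preload file contents in the comments and in the self-test are constructed for illustration.

```python
#!/usr/bin/env python3
"""Hunt for rootkit-hidden processes and LD_PRELOAD hooks on a Linux guest.

Added example (not from the original article). Run as root on the VM under
investigation; nothing here is specific to ESXi, the checks are generic Linux.
"""
import os
import time


def hidden_pids(listed, probed):
    """PIDs reachable by direct probe but missing from the directory listing.

    Example with constructed input: listed=[1, 2, 42], probed=[1, 2, 42, 1337]
    yields [1337].
    """
    return sorted(set(probed) - set(listed))


def list_proc_pids(proc="/proc"):
    """PIDs as reported by the (hookable) readdir path of /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_proc_pids(proc="/proc", max_pid=None):
    """PIDs found by stat()ing /proc/<pid>/status for every candidate PID.

    A lookup by explicit path does not go through readdir, so a rootkit that
    only filters directory listings cannot suppress it. This is the same idea
    as unhide's brute-force mode. pid_max is usually 32768 or 4194304; the
    larger value means a few million stat() calls, which is acceptable for a
    one-off triage run.
    """
    if max_pid is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read().strip())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"{proc}/{pid}/status")
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # exists but not readable: still counts as present
        found.add(pid)
    return found


def confirm_hidden(candidates, proc="/proc", rounds=3, delay=0.2):
    """Re-check candidates to filter out processes that merely started or
    exited between the listing and the probe (a benign race, not hiding)."""
    confirmed = []
    for pid in candidates:
        still_hidden = True
        for _ in range(rounds):
            time.sleep(delay)
            alive = os.path.exists(f"{proc}/{pid}/status")
            listed = pid in list_proc_pids(proc)
            if not alive or listed:
                still_hidden = False
                break
        if still_hidden:
            confirmed.append(pid)
    return confirmed


def parse_preload(text):
    """Return the library paths configured in ld.so.preload content.

    The loader accepts one path per line (whitespace separated), ignores
    blank lines and '#' comments. Any entry here is worth explaining: a
    userland rootkit such as Medusa installs its hooking library this way.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def read_preload(path="/etc/ld.so.preload"):
    """Preload entries on this host, or [] if the file is absent."""
    try:
        with open(path) as fh:
            return parse_preload(fh.read())
    except FileNotFoundError:
        return []


def run_checks(proc="/proc"):
    """Collect live findings; returns a dict suitable for logging or assertion."""
    candidates = hidden_pids(list_proc_pids(proc), probe_proc_pids(proc))
    return {
        "hidden_pids": confirm_hidden(candidates, proc),
        "preload_entries": read_preload(),
    }


if __name__ == "__main__":
    result = run_checks()
    print("hidden PIDs (confirmed):", result["hidden_pids"] or "none")
    print("/etc/ld.so.preload entries:", result["preload_entries"] or "none")
```

Two caveats for anyone using this in an investigation. First, a userland rootkit that hooks libc's open/stat can lie to this script about /etc/ld.so.preload itself, and a kernel rootkit that also hooks the /proc lookup path can hide from the brute-force probe, so a clean result is not proof of a clean host; compare against a view taken from outside the guest (a disk snapshot or memory image acquired at the hypervisor) where possible. Second, any confirmed hidden PID or unexpected preload entry should be treated as a finding to preserve, not something to kill or delete, since the artifacts are evidence.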

These takeaways summarize UNC3886’s tactics, techniques, and procedures as reported by Mandiant and their impact on targeted organizations.
