Cloaked and Covert: Uncovering UNC3886 Espionage Operations

UNC3886’s espionage operations deploy MOPSLED and RIFLESPINE to control Linux hosts, harvest credentials, and move laterally, using trusted third parties as covert C2 channels. The campaign also exploits VMware ESXi, uses backdoored SSH components, and employs systemd services for execution persistence on compromised machines.
#MOPSLED #RIFLESPINE #UNC3886 #APT41 #Mandiant #GitHub #GoogleDrive

Keypoints

  • Malware (MOPSLED and RIFLESPINE) leverages GitHub and Google Drive as C2 channels, with rootkits aiding persistence.
  • MOPSLED.LINUX on vCenter servers retrieves its actual C2 address from a dead-drop URL and uses ChaCha20 for config decryption.
  • RIFLESPINE transfers commands and data via Google Drive, encrypts communications with CryptoPP AES, and executes instructions retrieved from Drive.
  • Backdoored SSH components intercept credentials from outgoing connections, storing them in XOR-encrypted files.
  • UNC3886 uses VMware ESXi guest credentials for lateral movement, including exploitation of CVE-2023-20867 with VMware Guest Operations.
  • A systemd service file is used to execute the malware, since the malware itself contains no persistence mechanism.
  • Credential collection includes harvesting valid-account credentials, which are then used to move between guest VMs on compromised infrastructure.

MITRE Techniques

  • [T1071.001] Web Protocols – MOPSLED communicates with its C2 server over HTTP or a custom binary protocol over TCP; “MOPSLED is a shellcode-based modular backdoor that has the capability to communicate over HTTP or a custom binary protocol over TCP to its C2 server.”
  • [T1102] Web Service – Leverages GitHub and Google Drive as C2 channels; “the threat actor was observed deploying malware, including MOPSLED and RIFLESPINE, that leverages trusted third parties like GitHub and Google Drive as C2 channels while relying on the rootkits for persistence.”
  • [T1132] Data Encoding – Encrypts/decrypts configurations with ChaCha20; “uses a custom ChaCha20 encryption algorithm to decrypt embedded and external configuration files.”
  • [T1567.002] Exfiltration to Cloud Storage – Encrypts outputs and uploads them to Google Drive; “The executions’ outputs will be encrypted, stored in a temporary file, and then uploaded to Google Drive once more.”
  • [T1190] Exploit Public-Facing Application – Exploits CVE-2023-20867 with VMware Guest Operations to gain access; “by exploiting CVE-2023-20867 in conjunction with VMware Guest Operations abuse to facilitate malicious file transfer and execution.”
  • [T1078] Valid Accounts – Lateral movement using collected valid credentials between guest VMs; “collecting and utilizing valid credentials for lateral movement between guest virtual machines.”
  • [T1543.003] Create/Modify Systemd Service – Creates a systemd service to run malware; “A systemd service file was created and used to execute the malware as the malware does not contain a persistence mechanism.”
  • [T1059.003] Command and Scripting Interpreter – Executes arbitrary commands via /bin/sh; “Execution arbitrary commands with /bin/sh.”

Indicators of Compromise

  • [URL] C2 / dead-drop URL – https://cyberponke.github[.]io/*, used to obtain the actual C2 address
  • [File] Credentials file – /var/log/ldapd.2.gz, stores harvested SSH credentials (XOR-encrypted)
  • [File] SSH binary path – /usr/bin/ssh, modified to capture credentials via userauth_passwd()
  • [MAC Address] Filename containing MAC address – example: 2@<mac_address>, used in Google Drive instruction workflow
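The following host sweep is an added example, not code from Mandiant, Google or the report: it turns the three host-side indicators above (the dead-drop domain, the XOR-encrypted credential file at /var/log/ldapd.2.gz and the tampered /usr/bin/ssh) into checks a responder can run against a live host or a mounted disk image. The proxy-log format, the scratch root it builds and the known-good SSH hash are constructed or operator-supplied; the single-byte XOR triage assumes a key length the report does not state.

```python
"""Host IoC sweep for the UNC3886 indicators listed on this page.

Added example, not code from Mandiant/Google or from the report. The three
indicators (dead-drop domain, XOR-encrypted credential file, tampered
/usr/bin/ssh) come from the page; the proxy-log format, the scratch root
layout and the known-good hash are constructed or operator-supplied.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators from the report. The domain stays defanged in source and is
# refanged only when the match pattern is built.
DEAD_DROP_DOMAIN = "cyberponke.github[.]io"
CREDENTIAL_FILE = "var/log/ldapd.2.gz"   # relative, so a mounted image can be swept
SSH_BINARY = "usr/bin/ssh"

_DOMAIN_RE = re.compile(
    r"(?<![\w.-])" + re.escape(DEAD_DROP_DOMAIN.replace("[.]", ".")) + r"(?![\w-])",
    re.IGNORECASE,
)


def scan_proxy_lines(lines):
    """Return log lines that reference the dead-drop domain as a whole host token."""
    return [line for line in lines if _DOMAIN_RE.search(line)]


def credential_file_present(root="/"):
    """True if the harvested-credential drop file exists under root."""
    return (Path(root) / CREDENTIAL_FILE).is_file()


def ssh_binary_matches(expected_sha256, root="/"):
    """Compare the installed ssh client with a known-good SHA-256.

    expected_sha256 is a placeholder the operator derives from the distro
    package, not a value from the report. Returns None when the binary is absent.
    """
    path = Path(root) / SSH_BINARY
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256.lower()


def xor_single_byte_candidates(data):
    """Triage a recovered credential file ASSUMING a single-byte XOR key.

    The report only says the file is XOR-encrypted; the key length is not given.
    Returns (key, plaintext) pairs whose output is entirely printable ASCII.
    """
    out = []
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        if plain and all(32 <= b < 127 or b in (9, 10, 13) for b in plain):
            out.append((key, plain.decode("ascii")))
    return out


def sweep(root, proxy_lines, expected_ssh_sha256):
    """Run every check and return a list of (finding, detail) tuples."""
    findings = []
    hits = scan_proxy_lines(proxy_lines)
    if hits:
        findings.append(("dead_drop_contact", hits))
    if credential_file_present(root):
        findings.append(("credential_file", str(Path(root) / CREDENTIAL_FILE)))
    if ssh_binary_matches(expected_ssh_sha256, root) is False:
        findings.append(("ssh_binary_hash_mismatch", str(Path(root) / SSH_BINARY)))
    return findings


# Constructed sample data so the sweep can be exercised offline.
SAMPLE_PROXY_LINES = [
    "2024-06-19T10:01:02Z 10.0.0.15 GET https://cyberponke.github.io/index.html 200",
    "2024-06-19T10:01:05Z 10.0.0.15 GET https://github.com/someorg/somerepo 200",
    "2024-06-19T10:02:11Z 10.0.0.22 CONNECT notcyberponke.github.io:443 200",
]
KNOWN_GOOD_SSH = b"#!/bin/sh\necho pretend-this-is-the-packaged-ssh-client\n"
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_SSH).hexdigest()


def build_sample_root():
    """Create a scratch root mimicking a compromised host: drop file present, ssh altered."""
    root = Path(tempfile.mkdtemp(prefix="unc3886-sweep-"))
    (root / "var/log").mkdir(parents=True)
    (root / CREDENTIAL_FILE).write_bytes(bytes(b ^ 0x5A for b in b"user:pass@host"))
    (root / "usr/bin").mkdir(parents=True)
    (root / SSH_BINARY).write_bytes(KNOWN_GOOD_SSH + b"# tampered\n")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_root()
    for name, detail in sweep(sample_root, SAMPLE_PROXY_LINES, KNOWN_GOOD_SHA256):
        print(name, detail)
    blob = (Path(sample_root) / CREDENTIAL_FILE).read_bytes()
    print(xor_single_byte_candidates(blob)[:3])
```

Run it against a live host with `root="/"` and the hash of the ssh client from a clean copy of the installed package; on a disk image, point `root` at the mount point. The domain pattern anchors on host-token boundaries so look-alike hosts such as `notcyberponke.github.io` do not fire, and the XOR triage is a quick first pass only: if no key yields printable output, the key is longer than one byte and a known-plaintext approach against recognizable credential strings is the next step.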

Read more: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/