Revisiting UNC3886 Tactics to Defend Against Present Risk

UNC3886 is an advanced persistent threat group targeting critical infrastructure sectors such as telecommunications, government, and technology through exploitation of zero-day vulnerabilities and sophisticated malware like TinyShell and Reptile. The group employs advanced techniques including custom Linux rootkits and living-off-the-land tactics to maintain stealth and persistence in compromised networks. #UNC3886 #TinyShell #Reptile #Medusa #FortinetFortiOS #VMwarevCenter

Keypoints

  • UNC3886 is a cyber espionage group active since late 2021, targeting critical infrastructure across Singapore, the US, and Europe.
  • The group exploits high-impact zero-day vulnerabilities in network and virtualization devices such as VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS.
  • UNC3886 uses custom and repurposed malware including TinyShell (a lightweight, publicly available Unix backdoor with an encrypted channel), and Reptile and Medusa (Linux kernel rootkits) for stealthy persistence and defense evasion.
  • The group employs advanced tactics such as exploiting public-facing applications, using valid accounts for persistence, remote access tools, and encrypted command and control channels.
  • Critical CVEs exploited by UNC3886 include CVE-2023-34048 (VMware vCenter remote code execution), CVE-2022-41328 (Fortinet FortiOS path traversal for arbitrary file read/write), and CVE-2022-22948 (VMware vCenter information disclosure).
  • UNC3886 maintains persistence through techniques including backdoored SSH servers and rootkit-enabled hiding of processes, files, and network activity.
  • Trend Vision One™ offers detection, blocking, and threat intelligence capabilities against UNC3886 operations and IoCs to enhance proactive defense.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – UNC3886 uses exploitation of network and virtualization device vulnerabilities for initial access (‘Exploiting public-facing applications for initial access’).
  • [T1078] Valid Accounts – The group maintains persistence by using legitimate accounts within compromised networks (‘Using valid accounts for persistence’).
  • [T1219] Remote Access Software – UNC3886 employs remote access tools such as TinyShell to control compromised hosts (‘Employing remote access tools for command and control’).
  • [T1071] Application Layer Protocol – Utilized for command and control communication over established application protocols (‘Application layer protocol for C2’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Execution of commands via Unix shell environments in target systems.
  • [T1059.008] Command and Scripting Interpreter: Network Device CLI – Use of network device command lines for executing malware commands.
  • [T1547] Boot or Logon Autostart Execution – Techniques to maintain persistence by launching malware at boot or logon.
  • [T1562.003] Impair Defenses: Impair Command History Logging – Used to evade detection by disabling command logging (‘Impair command history logging’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Malware files disguise themselves as legitimate system files.
  • [T1055.009] Process Injection: Proc Memory – Injection of malicious code into legitimate processes for stealth.
  • [T1140] Deobfuscate/Decode Files or Information – Malware uses decoding routines to execute obfuscated payloads.
  • [T1014] Rootkit – Deployment of kernel-level rootkits like Reptile and Medusa to hide malware presence (‘Rootkit usage to hide processes, files, and network connections’).
  • [T1027] Obfuscated Files or Information – Use of obfuscation to hinder malware detection.
  • [T1003] OS Credential Dumping – Extraction of credentials from compromised systems.
  • [T1056] Input Capture – Techniques to capture input data including credentials.
  • [T1563.001] Remote Service Session Hijacking: SSH Hijacking – Hijacking of SSH sessions to facilitate lateral movement.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration through encrypted command and control channels.
  • [T1573] Encrypted Channel – Use of encrypted communication channels to evade network detection.
  • [T1090] Proxy – Using proxy techniques to disguise C2 communication.
  • [T1205.002] Traffic Signaling: Socket Filters – Attaching socket filters (BPF) so a backdoor can wait for a magic packet and activate without keeping a listening port open.
  • [T1074] Data Staged – Preparing and staging data prior to exfiltration.
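
The rootkit-enabled hiding of processes named in the keypoints and under T1014 above can be checked with a cross-view comparison: what the kernel lists in /proc versus what the kill(pid, 0) syscall admits exists. The script below is an added example for illustration, not code from the Trend Micro report or from UNC3886's toolset; it assumes a Linux host with /proc mounted, and the function names are my own.

```python
#!/usr/bin/env python3
"""Cross-view process check: compare what /proc lists with what kill(pid, 0) reports.
Added example for illustration; assumes a Linux host with /proc mounted."""
import os


def pid_max(default=32768):
    """Upper bound for the probe, from the kernel's pid_max (fallback: classic default)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def pids_from_proc():
    """View 1: thread-group leaders the kernel lists in /proc.
    A rootkit that filters the readdir results hides processes from this view."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_kill_probe(upper):
    """View 2: task IDs that exist according to kill(pid, 0).
    ESRCH means no such task; EPERM means it exists but belongs to another user."""
    present = set()
    for pid in range(1, upper + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        present.add(pid)
    return present


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None when the entry cannot be opened.
    Non-leader threads answer kill() but are not listed by readdir on /proc,
    so they must be excluded: a real process has Tgid == pid."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed_before, probed, listed_after, tgid_lookup=thread_group_id):
    """PIDs the probe sees but neither /proc snapshot lists, minus ordinary threads.
    Requiring absence both before and after the probe discards the race of
    processes that start or exit while the scan runs."""
    suspicious = []
    for pid in sorted(probed):
        if pid in listed_before or pid in listed_after:
            continue
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread of a visible process, not a hidden one
        suspicious.append(pid)
    return suspicious


def scan(upper=None):
    """Run the three-step cross-view and return the suspicious PIDs."""
    before = pids_from_proc()
    probed = pids_from_kill_probe(upper or pid_max())
    after = pids_from_proc()
    return hidden_pids(before, probed, after)


def own_pid_visible():
    """Sanity check: the scanner itself must appear in both views."""
    me = os.getpid()
    return me in pids_from_proc() and me in pids_from_kill_probe(me)


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} answers kill(pid, 0) but is missing from /proc: investigate")
```

This is the same brute-force idea the classic unhide tool uses. Two caveats a practitioner should keep in mind: a kernel rootkit that also hooks the kill() path defeats both views, so a clean result from inside the host is not proof of absence, and corroboration should come from outside it (hypervisor-side memory acquisition or a trusted boot image); and the analogous check for hidden network activity compares /proc/net/tcp against a port scan run from another host.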

Indicators of Compromise

  • [File Hashes] Malware and Rootkits – examples include TinyShell and Reptile binaries detected by Trend Vision One (hashes not specified, multiple variants referenced).
  • [Domains/IP Addresses] Command and Control Servers – C2 infrastructure used by TinyShell, Medusa, and CastleTap backdoors (specific domains/IPs not listed).
  • [File Names] Malware disguise – legitimate file mimicry such as ‘/bin/fgfm’ used by CastleTap on FortiGate firewalls.
  • [CVE Identifiers] Vulnerabilities exploited – CVE-2023-34048 (VMware vCenter RCE), CVE-2022-41328 (Fortinet FortiOS path traversal), CVE-2022-22948 (VMware vCenter information disclosure), CVE-2023-20867 (VMware Tools authentication bypass for host-to-guest operations), CVE-2022-42475 (Fortinet FortiOS SSL-VPN heap overflow), CVE-2025-21590 (Juniper Junos OS kernel improper isolation, allowing a privileged local attacker to inject code).


Read more: https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html