Google Threat Intelligence Group (GTIG) identified UNC6148 leveraging stolen credentials and deploying a persistent backdoor called OVERSTEP on SonicWall SMA 100 series appliances. The campaign involves sophisticated rootkit techniques for persistence and data exfiltration, posing risks of data theft and possible ransomware attacks. #UNC6148 #OVERSTEP #SonicWallSMA
Key Points
- UNC6148 targets fully patched, end-of-life SonicWall SMA 100 series appliances using stolen credentials and possibly an unknown zero-day vulnerability.
- The threat actor deployed a previously unknown persistent user-mode rootkit named OVERSTEP that modifies the appliance’s boot process for stealthy persistence.
- OVERSTEP hijacks system libraries and implements a backdoor capable of executing reverse shells and exfiltrating sensitive credentials including OTP seeds.
- The malware uses log wiping and timestomping as anti-forensic techniques to hinder detection and forensic investigation.
- Exploitation likely involves known vulnerabilities such as CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819.
- There is a potential link between UNC6148 activity, earlier SonicWall exploits, and deployment of Abyss-branded ransomware.
- GTIG recommends comprehensive credential rotation, forensic disk imaging, and close monitoring of suspicious VPN sessions and web requests containing backdoor commands.
MITRE Techniques
- [T1078] Valid Accounts – UNC6148 used stolen administrator credentials and OTP seeds from prior intrusions to access SonicWall SMA appliances (“leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions”).
- [T1213] Data from Information Repositories – OVERSTEP exfiltrates sensitive files such as persist.db and certificate files to steal credentials (“ability to exfiltrate the persist.db database and certificate files from /etc/EasyAccess/var/cert”).
- [T1547.001] Boot or Logon Autostart Execution: Windows Registry Run Keys / Startup Folder – The malware achieves persistence by modifying the appliance’s boot process and rc.fwboot script to load itself early in boot (“modified the legitimate RC file /etc/rc.d/rc.fwboot to achieve persistence for OVERSTEP”).
- [T1543.003] Create or Modify System Processes: Systemd Service – OVERSTEP injects itself via ld.so.preload to persist across processes and boots (“path to the malicious shared object was added to the /etc/ld.so.preload file”).
- [T1070.004] Indicator Removal on Host: File Deletion – The attacker selectively deletes log entries from httpd.log, http_request.log, and inotify.log to evade detection (“selectively remove log entries”).
- [T1204] User Execution – The backdoor executes commands received through crafted web requests containing dobackshell or dopasswords commands (“malware was designed to receive commands embedded within web requests”).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The backdoor executes reverse shell commands and archives files using bash commands (“starts a reverse shell using bash -i” and “creates a TAR archive”).
Indicators of Compromise
- [File Hash] OVERSTEP malware and modified file hashes – b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473 (libsamba-errors.so.6), f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149 (/etc/rc.d/rc.fwboot modified script)
- [IP Address] Malicious VPN and shell access – 193.149.180.50 (BitLaunch VPS source of SSL VPN sessions), 64.52.80.80 (reverse shell IP address)
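As an added example (not code from the GTIG report), a small Python triage script that turns the recommendation above into three concrete checks: flag web-request log lines that carry the dobackshell or dopasswords command strings, surface any entry in /etc/ld.so.preload, and match file hashes against the two SHA-256 values listed under Indicators of Compromise. The log-line format and the preload contents are constructed sample data, and matching the command names anywhere in the request line is an assumption about how they are embedded; because OVERSTEP trims the appliance's own httpd.log, the request scan is most useful against logs captured off the appliance.

```python
import hashlib
import re

# Known-bad SHA-256 values taken from the Indicators of Compromise above
KNOWN_BAD_SHA256 = {
    "b28d57269fe4cd90d1650bde5e9056116de26d211966262e59359d0e2a67d473": "libsamba-errors.so.6 (OVERSTEP)",
    "f0e0db06ca665907770e2202957d3eccd5a070acac1debaf0889d0d48c10e149": "/etc/rc.d/rc.fwboot (modified)",
}

# Backdoor command strings that the report says arrive inside web requests.
# Matching them anywhere in the request line is an assumption about the format.
BACKDOOR_CMD_RE = re.compile(r"\b(dobackshell|dopasswords)\b", re.IGNORECASE)


def find_backdoor_requests(log_lines):
    """Return (line_number, command) for each log line carrying a backdoor command."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = BACKDOOR_CMD_RE.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


def check_ld_so_preload(contents):
    """Return every non-comment, non-blank entry of an /etc/ld.so.preload file.
    Any entry deserves review; one ending in libsamba-errors.so.6 matches the report."""
    return [l.strip() for l in contents.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def match_known_hashes(blobs):
    """blobs: {path: bytes}. Return {path: description} for files with a known-bad SHA-256."""
    digests = {p: hashlib.sha256(d).hexdigest() for p, d in blobs.items()}
    return {p: KNOWN_BAD_SHA256[h] for p, h in digests.items() if h in KNOWN_BAD_SHA256}


# Constructed sample input (not real appliance data); the source IP is the one named in the report
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2025:10:01:02 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 512',
    '193.149.180.50 - - [12/Jun/2025:10:02:17 +0000] "POST /cgi-bin/handler?cmd=dopasswords HTTP/1.1" 200 44',
    '193.149.180.50 - - [12/Jun/2025:10:02:40 +0000] "GET /?dobackshell=1 HTTP/1.1" 200 0',
]
SAMPLE_PRELOAD = "/usr/lib/libsamba-errors.so.6\n"

if __name__ == "__main__":
    print(find_backdoor_requests(SAMPLE_LOG), check_ld_so_preload(SAMPLE_PRELOAD))
```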