Mandiant, with SonicWall PSIRT, identifies a suspected Chinese campaign that maintains long-term persistence by running malware on an unpatched SonicWall SMA appliance, with capabilities to steal credentials, provide shell access, and survive firmware upgrades. The actor is tracked as UNC4540 and shows effort to ensure stability and persistence on the device. #UNC4540 #SonicWall #TinyShell #firewalld #geoBotnetd
Keypoints
- Security researchers link a suspected Chinese campaign to UNC4540 targeting SonicWall SMA appliances for long-term persistence.
- The malware is a suite of bash scripts plus a TinyShell ELF, with a table listing files and their roles on the device.
- The main entry point is a bash script named firewalld, which orchestrates the payloads and credential theft via SQL commands.
- Credential theft is a primary goal, using SQL against a local sqlite3 database to exfiltrate hashed credentials.
- The operators emphasize persistence and resilience, deploying boot-time startups and redundant malware processes, and extending persistence across firmware updates.
- Firmware-related techniques include backdooring update zips, adding a root user, and synchronizing malware across upgraded images.
- Patching guidance from SonicWall recommends upgrading SMA100 devices to 10.2.1.7+ to gain hardening features and improved detection.
MITRE Techniques
- [T1547.001] Boot or Logon Initialization Scripts – Boot persistence for the SMA appliance via rc.local. The startup script /etc/rc.d/rc.local runs firewalld at boot time.
- [T1059.004] Command and Scripting Interpreter – Bash-based malware components. The main malware entry point is a bash script named firewalld.
- [T1003] Credential Dumping – Extraction of hashed credentials from the Sessions table of a sqlite3 database (/tmp/temp.db), copied to /tmp/syslog.db. The command 'select userName,password from Sessions' is used.
- [T1136] Create Account – Backdoor root user 'acme' added to the system via /etc/passwd modification.
- [T1543.001] Create or Modify System Process – Patching a legitimate SonicWall binary and creating a new script to enable persistence (sed replacement and a new /bin/ifconfig6 script).
Indicators of Compromise
- [Path] malware files – /bin/firewalld, /bin/httpsd, /etc/rc.d/rc.local, /bin/iptabled, /bin/geoBotnetd, /bin/ifconfig6
- [Hash] file hashes – e4117b17e3d14fe64f45750be71dbaa6, 2d57bcb8351cf2b57c4fd2d1bb8f862e, 559b9ae2a578e1258e80c45a5794c071, 8dbf1effa7bc94fc0b9b4ce83dfce2e6, 619769d3d40a3c28ec83832ca521f521, fa1bf2e427b2defffd573854c35d4919
- [Path] credential-related databases – /tmp/temp.db and /tmp/syslog.db (contain hashed credentials and logs)
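The following is an added example, not tooling from Mandiant or SonicWall: an offline sweep that takes the root of a mounted SMA firmware image (or a filesystem snapshot) and checks the indicators listed above together with the two persistence techniques from the MITRE section (the rc.local launch of firewalld and the 'acme' UID-0 account). The paths and MD5 hashes are copied from this page; the demo filesystem tree it builds is constructed sample data, and /etc/rc.d/rc.local is inspected for its content rather than flagged by path, since the file itself is legitimate.

```python
"""Offline IoC sweep for the SonicWall SMA campaign summarised above.

Added example (not Mandiant's or SonicWall's code). Given the root of a
mounted firmware image or filesystem snapshot it reports:
  * files whose path matches the published malware paths,
  * files whose MD5 matches the published hashes,
  * non-comment lines in /etc/rc.d/rc.local that launch a malware binary,
  * /etc/passwd entries with UID 0 other than root (the 'acme' backdoor user),
  * presence of the credential databases /tmp/temp.db and /tmp/syslog.db.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Values copied from the indicators on this page (relative to the image root).
MALWARE_PATHS = {"bin/firewalld", "bin/httpsd", "bin/iptabled",
                 "bin/geoBotnetd", "bin/ifconfig6"}
MALWARE_BASENAMES = {os.path.basename(p) for p in MALWARE_PATHS}
MALWARE_MD5 = {
    "e4117b17e3d14fe64f45750be71dbaa6", "2d57bcb8351cf2b57c4fd2d1bb8f862e",
    "559b9ae2a578e1258e80c45a5794c071", "8dbf1effa7bc94fc0b9b4ce83dfce2e6",
    "619769d3d40a3c28ec83832ca521f521", "fa1bf2e427b2defffd573854c35d4919",
}
CREDENTIAL_DBS = {"tmp/temp.db", "tmp/syslog.db"}
RC_LOCAL = "etc/rc.d/rc.local"


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large firmware blobs are not read whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rc_local_launch_lines(rc_local: Path) -> list:
    """Return non-comment rc.local lines whose tokens name a malware binary."""
    hits = []
    for line in rc_local.read_text(errors="replace").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments cannot start a process
        tokens = {os.path.basename(t) for t in stripped.split()}
        if tokens & MALWARE_BASENAMES:
            hits.append(stripped)
    return hits


def extra_uid0_users(passwd: Path) -> list:
    """Return account names with UID 0 other than root (e.g. the 'acme' user)."""
    users = []
    for line in passwd.read_text(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2] == "0" and fields[0] != "root":
            users.append(fields[0])
    return users


def scan_image(root) -> dict:
    """Walk the image rooted at `root` and collect findings by category."""
    root = Path(root)
    findings = {"path_hits": [], "hash_hits": [], "cred_dbs": [],
                "rc_local_hits": [], "uid0_users": []}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in MALWARE_PATHS:
            findings["path_hits"].append("/" + rel)
        if rel in CREDENTIAL_DBS:
            findings["cred_dbs"].append("/" + rel)
        if md5_of(p) in MALWARE_MD5:
            findings["hash_hits"].append("/" + rel)
    if (root / RC_LOCAL).is_file():
        findings["rc_local_hits"] = rc_local_launch_lines(root / RC_LOCAL)
    if (root / "etc/passwd").is_file():
        findings["uid0_users"] = extra_uid0_users(root / "etc/passwd")
    return findings


def build_demo_image() -> str:
    """Construct a small fake filesystem tree (sample data, not real SMA firmware)."""
    root = Path(tempfile.mkdtemp(prefix="sma_demo_"))
    (root / "bin").mkdir()
    (root / "etc/rc.d").mkdir(parents=True)
    (root / "tmp").mkdir()
    (root / "bin/firewalld").write_text("#!/bin/bash\n# constructed stand-in, not the real script\n")
    (root / "bin/ls").write_text("#!/bin/bash\n/usr/bin/ls \"$@\"\n")  # benign control file
    (root / RC_LOCAL).write_text("#!/bin/sh\n# launch firewalld\n/bin/firewalld &\n/usr/sbin/sshd\n")
    (root / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\nacme:x:0:0::/:/bin/bash\nnobody:x:99:99::/:/bin/false\n")
    (root / "tmp/syslog.db").write_bytes(b"SQLite format 3\x00")  # constructed header only
    return str(root)


def demo() -> dict:
    """Build the constructed image and scan it; used by the usage below."""
    return scan_image(build_demo_image())


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

On a real device image the hash list catches the specific samples, the path list catches renamed-but-same-location deployments, and the rc.local and passwd checks catch the persistence changes even when the payload itself has been rebuilt; the constructed demo tree triggers the path, rc.local, passwd and credential-database checks while the hash check stays empty, since no constructed file can match the published hashes.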
Read more: https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall