Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant
Tags
cmtmf-attack-pattern: Command And Scripting Interpreter; Obfuscated Files Or Information; System Network Connections Discovery
maec-delivery-vectors: Watering Hole
attack-pattern: Data /Etc/Passwd And /Etc/Shadow - T1003.008; Archive Collected Data - T1560; Archive Collected Data - T1532; Archive Via Library - T1560.002; Archive Via Utility - T1560.001; At (Linux) - T1053.001; Bash History - T1552.003; Clear Linux Or Mac System Logs - T1070.002; Command And Scripting Interpreter - T1623; Domains - T1583.001; Domains - T1584.001; Dynamic Dns - T1311; Dynamic Dns - T1333; Embedded Payloads - T1027.009; Environmental Keying - T1480.001; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Hardware - T1592.001; Hooking - T1617; Indicator Removal On Host - T1630; Ingress Tool Transfer - T1544; Kernel Modules And Extensions - T1547.006; Keylogging - T1056.001; Keylogging - T1417.001; System Network Configuration Discovery - T1422; System Network Connections Discovery - T1421; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; System Information Discovery - T1426; Password Guessing - T1110.001; Pluggable Authentication Modules - T1556.003; Private Keys - T1552.004; Protocol Tunneling - T1572; Reflective Code Loading - T1620; Server - T1583.004; Server - T1584.004; Setuid And Setgid - T1548.001; Ssh - T1021.004; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; Systemd Service - T1543.002; Systemd Service - T1501; Unix Shell - T1059.004; Timestomp - T1070.006; Unsecured Credentials - T1552; Vulnerabilities - T1588.006; Unix Shell - T1623.001; Bash History - T1139; Brute Force - T1110; Command-Line Interface - T1059; Connection Proxy - T1090; Credential Dumping - T1003; Deobfuscate/Decode Files Or Information - T1140; File And Directory Discovery - T1083; File Deletion - T1107; Hooking - T1179; Indicator Removal On Host - T1070; Remote File Copy - T1105; Kernel Modules And Extensions - T1215; Network Share Discovery - T1135; Standard Non-Application Layer Protocol - T1095; Obfuscated Files Or Information - T1027; Private Keys - T1145; Remote Services - T1021; Remote System Discovery - T1018; Rootkit - T1014; Setuid And Setgid - T1166; System Information Discovery - T1082; System Network Configuration Discovery - T1016; System Network Connections Discovery - T1049; Timestomp - T1099; Hooking; Indicator Removal On Host; Remote System Discovery; Rootkit
Common Information
Type Value
UUID 4f6eef91-3587-40d3-860b-90d136722d13
Fingerprint 352798716ebf42f1
Analysis status DONE
Considered CTI value 2
Text language
Published March 16, 2022, midnight
Added to db Nov. 6, 2023, 6:55 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Have Your Cake and Eat it Too? An Overview of UNC2891
Title Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant
Detected Hints/Tags/Attributes 160/3/53
RSS Feed
Id | Enabled | Feed title | Url | Added to db
330 | | Threat Intelligence | https://www.mandiant.com/resources/blog/rss.xml | 2024-08-30 22:08
Attributes
Type | #Events | CTI Value | Value
Domain | 1 | | libhelpx.so
Domain | 1 | | libatdcf.so
Domain | 1 | | libnscd.so
Domain | 1 | | libsystemdcf.so
Domain | 41 | | multi-user.target
File | 37 | | multi-user.tar
IPv4 | 45 | | 192.168.1.10
Mandiant Uncategorized Groups | 7 | | UNC2891
Mandiant Uncategorized Groups | 18 | | UNC1945
MITRE ATT&CK Techniques | 245 | | T1016
MITRE ATT&CK Techniques | 243 | | T1018
MITRE ATT&CK Techniques | 119 | | T1049
MITRE ATT&CK Techniques | 1006 | | T1082
MITRE ATT&CK Techniques | 585 | | T1083
MITRE ATT&CK Techniques | 176 | | T1135
MITRE ATT&CK Techniques | 159 | | T1021
MITRE ATT&CK Techniques | 59 | | T1021.004
MITRE ATT&CK Techniques | 289 | | T1003
MITRE ATT&CK Techniques | 15 | | T1003.008
MITRE ATT&CK Techniques | 125 | | T1110
MITRE ATT&CK Techniques | 44 | | T1110.001
MITRE ATT&CK Techniques | 113 | | T1552
MITRE ATT&CK Techniques | 5 | | T1552.003
MITRE ATT&CK Techniques | 26 | | T1552.004
MITRE ATT&CK Techniques | 4 | | T1556.003
MITRE ATT&CK Techniques | 152 | | T1090
MITRE ATT&CK Techniques | 159 | | T1095
MITRE ATT&CK Techniques | 492 | | T1105
MITRE ATT&CK Techniques | 95 | | T1572
MITRE ATT&CK Techniques | 130 | | T1573.001
MITRE ATT&CK Techniques | 2 | | T1053.001
MITRE ATT&CK Techniques | 695 | | T1059
MITRE ATT&CK Techniques | 86 | | T1059.004
MITRE ATT&CK Techniques | 118 | | T1056.001
MITRE ATT&CK Techniques | 157 | | T1560
MITRE ATT&CK Techniques | 116 | | T1560.001
MITRE ATT&CK Techniques | 29 | | T1560.002
MITRE ATT&CK Techniques | 41 | | T1014
MITRE ATT&CK Techniques | 627 | | T1027
MITRE ATT&CK Techniques | 247 | | T1070
MITRE ATT&CK Techniques | 12 | | T1070.002
MITRE ATT&CK Techniques | 297 | | T1070.004
MITRE ATT&CK Techniques | 93 | | T1070.006
MITRE ATT&CK Techniques | 504 | | T1140
MITRE ATT&CK Techniques | 18 | | T1480.001
MITRE ATT&CK Techniques | 12 | | T1548.001
MITRE ATT&CK Techniques | 91 | | T1620
MITRE ATT&CK Techniques | 23 | | T1543.002
MITRE ATT&CK Techniques | 7 | | T1547.006
Yara rule | 1 | |
rule TINYSHELL {
	meta:
		author = "Mandiant "
	strings:
		$sb1 = { C6 00 48 C6 4? ?? 49 C6 4? ?? 49 C6 4? ?? 4C C6 4? ?? 53 C6 4? ?? 45 C6 4? ?? 54 C6 4? ?? 3D C6 4? ?? 46 C6 4? ?? 00 }
		$sb2 = { C6 00 54 C6 4? ?? 4D C6 4? ?? 45 C6 4? ?? 3D C6 4? ?? 52 }
		$ss1 = "fork" ascii wide fullword
		$ss2 = "socket" ascii wide fullword
		$ss3 = "bind" ascii wide fullword
		$ss4 = "listen" ascii wide fullword
		$ss5 = "accept" ascii wide fullword
		$ss6 = "alarm" ascii wide fullword
		$ss7 = "shutdown" ascii wide fullword
		$ss8 = "creat" ascii wide fullword
		$ss9 = "write" ascii wide fullword
		$ss10 = "open" ascii wide fullword
		$ss11 = "read" ascii wide fullword
		$ss12 = "execl" ascii wide fullword
		$ss13 = "gethostbyname" ascii wide fullword
		$ss14 = "connect" ascii wide fullword
	condition:
		uint32(0) == 0x464c457f and 1 of ($sb*) and 10 of ($ss*)
}
Yara rule | 1 | |
rule TINYSHELL_SPARC {
	meta:
		author = "Mandiant"
	strings:
		$sb_xor_1 = { DA 0A 80 0C 82 18 40 0D C2 2A 00 0B 96 02 E0 01 98 03 20 01 82 1B 20 04 80 A0 00 01 82 60 20 00 98 0B 00 01 C2 4A 00 0B 80 A0 60 00 32 BF FF F5 C2 0A 00 0B 81 C3 E0 08 }
		$sb_xor_2 = { C6 4A 00 00 80 A0 E0 00 02 40 00 0B C8 0A 00 00 85 38 60 00 C4 09 40 02 84 18 80 04 C4 2A 00 00 82 00 60 01 80 A0 60 04 83 64 60 00 10 6F FF F5 90 02 20 01 81 C3 E0 08 }
	condition:
		uint32(0) == 0x464C457F and (uint16(0x10) & 0x0200 == 0x0200) and (uint16(0x12) & 0x0200 == 0x0200) and 1 of them
}
Yara rule | 1 | |
rule SLAPSTICK {
	meta:
		author = "Mandiant "
	strings:
		$ss1 = "%Y %b %d %H:%M:%S    \x00"
		$ss2 = "%-23s %-23s %-23s\x00"
		$ss3 = "%-23s %-23s %-23s %-23s %-23s %s\x0a\x00"
	condition:
		(uint32(0) == 0x464c457f) and all of them
}
Yara rule | 1 | |
rule STEELCORGI {
	meta:
		author = "Mandiant "
	strings:
		$s1 = "\x00\xff/\xffp\xffr\xffo\xffc\xff/\xffs\xffe\xffl\xfff\xff/\xffe\xffx\xffe\x00"
		$s2 = "\x00\xff/\xffv\xffa\xffr\xff/\xffl\xffi\xffb\xff/\xffd\xffb\xffu\xffs\xff/\xffm\xffa\xffc\xffh\xffi\xffn\xffe\xff-\xffi\xffd\x00"
		$sb1 = { FE 1B 7A DE 23 D1 E9 A1 1D 7F 9E C1 FD A4 }
		$sb2 = { 3B 8D 4F 45 7C 4F 6A 6C D8 2F 1F B2 19 C4 45 6A 6A }
	condition:
		(uint32(0) == 0x464c457f) and all of them
}