Cloaked and Covert: Uncovering UNC3886 Espionage Operations | Google Cloud Blog
Tags
Common Information
Type | Value |
---|---|
UUID | b2c9d066-f87b-432a-9ad6-7fb1170b3b95 |
Fingerprint | 2caf9d130d3a9281 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | June 18, 2024, midnight |
Added to db | Aug. 31, 2024, 10:13 a.m. |
Last updated | Nov. 17, 2024, 6:54 p.m. |
Headline | Cloaked and Covert: Uncovering UNC3886 Espionage Operations |
Title | Cloaked and Covert: Uncovering UNC3886 Espionage Operations | Google Cloud Blog |
Detected Hints/Tags/Attributes | 130/2/30 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 330 | ✔ | Threat Intelligence | https://www.mandiant.com/resources/blog/rss.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 31 | cve-2023-34048 | |
Details | CVE | 34 | cve-2022-41328 | |
Details | CVE | 8 | cve-2022-22948 | |
Details | CVE | 38 | cve-2023-20867 | |
Details | CVE | 90 | cve-2022-42475 | |
Details | Domain | 1 | reptile.shell | |
Details | Domain | 3 | boot.sh | |
Details | Domain | 1 | cron.data | |
Details | Domain | 1 | cyberponke.github.io | |
Details | Domain | 3 | libcrypt.so | |
Details | Domain | 1 | libev.so | |
Details | Domain | 1 | libseconfd.so | |
Details | Domain | 2 | libsyslog.so | |
Details | File | 1 | orbit.txt | |
Details | File | 1 | cron.dat | |
Details | File | 1 | random_number.tmp | |
Details | File | 8 | 2.gz | |
Details | File | 8 | 1.gz | |
Details | File | 32 | result.txt | |
Details | File | 2 | cs.log | |
Details | Mandiant Uncategorized Groups | 52 | UNC3886 | |
Details | Threat Actor Identifier - APT | 522 | APT41 | |
Details | Url | 1 | https://cyberponke.github.io | |
Details | Yara rule | 1 | rule M_Sniffer_LOOKOVER_1 { meta: author = "Mandiant" strings: $str1 = "TKEY" $str2 = "FILTER" $str3 = "DEVICE" $str4 = "SNFILENAME" $str5 = "/var/lib/libsyslog.so" $code = { 8B 55 F8 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 88 02 8B 45 F8 83 C0 01 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 08 88 02 8B 45 F8 83 C0 02 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 10 88 02 8B 45 F8 83 C0 03 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 18 88 02 83 45 FC 01 83 45 F8 04 } condition: uint32(0) == 0x464c457f and filesize < 5MB and all of them } | |
Details | Yara rule | 1 | rule M_Utility_GHOSTTOWN_1 { meta: author = "Mandiant" strings: $code1 = { 2F 76 61 72 2F 6C 6F 67 } $code2 = { 2F 76 61 72 2F 72 75 6E } $debug1 = "=== results ===" $debug2 = "=== %s ===" $debug3 = "searching record in file %s" $debug4 = "record not matched, not modifing %s" $debug5 = "delete %d records in %s" $debug6 = "NEVER_LOGIN" $debug7 = "you need to specify a username to clear" $pattern1 = "%-10s%-10s%-10s%-20s%-10s" $pattern2 = "%-15s%-10s%-15s%-10s" condition: uint32(0) == 0x464C457F and all of them } | |
Details | Yara rule | 1 | rule M_Utility_VIRTUALPEER_1 { meta: author = "Mandiant" strings: $vmci_socket_family = { B? 00 00 00 00 B? 02 00 00 00 B? 28 00 00 00 E8 [4-128] B? 00 00 00 00 48 8D [5] B? 00 00 00 00 E8 [4-64] B? 00 00 00 00 48 8D [5] B? 00 00 00 00 E8 [4-64] B? B8 07 00 00 [0-8] B? 00 00 00 00 E8 } $vmci_socket_marker1 = "/dev/vsock" ascii wide $vmci_socket_marker2 = "/vmfs/devices/char/vsock/vsock" ascii wide $vmci_socket_init_bind_listen = { E8 [4] 89 45 [4-64] 8B 45 ?? B? 00 00 00 00 B? 01 00 00 00 [0-4] E8 [4-128] B? 10 00 00 00 [1-16] E8 [4-128] BE 01 00 00 00 [1-16] E8 [4] 83 F8 FF } $socket_read_write = { BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48 85 C0 [1-64] BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48 85 C0 7E ?? EB } $marker1 = "nc <port>" condition: uint32(0) == 0x464c457f and all of them } | |
Details | Yara rule | 1 | rule M_Hunting_VIRTUALPITA_1 { meta: author = "Mandiant" strings: $forpid = { 70 69 64 20 [0-10] 69 6E 20 60 [0-10] 70 73 20 2D [0-10] 63 20 7C 20 [0-10] 67 72 65 70 [0-10] 20 76 6D 73 [0-10] 79 73 6C 6F [0-10] 67 64 20 7C [0-10] 20 61 77 6B [0-10] 20 27 7B 20 [0-10] 70 72 69 6E [0-10] 74 20 24 31 [0-10] 20 7D 27 60 [0-10] 3B 20 64 6F [0-10] 20 6B 69 6C [0-10] 6C 20 2D 39 [0-10] 20 24 70 69 [0-10] 64 3B 20 64 [0-10] 6F 6E 65 00 } $vmsyslogd = { 2F 75 73 72 [0-10] 2F 6C 69 62 [0-10] 2F 76 6D 77 [0-10] 61 72 65 2F [0-10] 76 6D 73 79 [0-10] 73 6C 6F 67 [0-10] 2F 62 69 6E [0-10] 2F 76 6D 73 [0-10] 79 73 6C 6F [0-10] 67 64 00 00 } condition: uint32(0) == 0x464c457f and any of them } | |
Details | Yara rule | 1 | rule M_APT_Launcher_REPTILE_1 { meta: author = "Mandiant" strings: $str1 = { B8 00 00 00 00 E8 A1 FE FF FF 48 8B 85 40 FF FF FF 48 83 C0 08 48 8B 00 BE 00 00 00 00 48 89 C7 B8 00 00 00 00 E8 ?? FD FF FF 89 45 ?8 48 8D 95 50 FF FF FF 8B 45 ?8 48 89 D6 89 C7 E8 ?? 0? 00 00 48 8B 45 80 48 89 45 F0 48 8B 45 F0 48 89 C7 E8 ?? F? FF FF 48 89 45 ?8 48 8B 55 F0 48 8B 4D ?8 8B 45 ?8 48 89 CE 89 C7 E8 ?? FC FF FF 48 8B 55 F0 48 8B 45 ?8 B9 4? 0C 40 00 48 89 C6 BF AF 00 00 00 B8 00 00 00 00 E8 ?? FC FF FF E8 ?? FC FF FF 8B 00 83 F8 25 75 07 C7 45 ?C 00 00 00 00 } $str2 = { 81 7D F? FF 03 00 00 7E E9 BE 02 00 00 00 BF ?? 0C 40 00 B8 00 00 00 00 E8 ?? F? FF FF 89 45 F? 8B 45 F? BE 01 00 00 00 89 C7 E8 ?? FD FF FF 8B 45 F? BE 02 00 00 00 89 C7 E8 ?? F? FF FF C9 C3 } condition: uint32(0) == 0x464C457F and all of them } | |
Details | Yara rule | 1 | rule M_APT_Backdoor_VIRTUALSHINE_1 { meta: author = "Mandiant" strings: $str1 = "/dev/vsock" $str2 = "/vmfs/devices/char/vsock/vsock" $str3 = "nds4961l <cid> <vport>" $str4 = "[!] VMCISock_GetAFValue()." $str5 = "[+] Connected to server.[ %s:%s ]" $str6 = "TERM=xterm" $str7 = "PWD=/tmp/" condition: uint32(0) == 0x464C457F and all of them } | |
Details | Yara rule | 1 | rule M_APT_BACKDOOR_MOPSLED_1 { meta: author = "Mandiant" strings: $x = { E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 4? 8D ?? ?4 ?8 BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 4? 8B 94 ?? ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 89 E1 [0-6] BE ?? ?? ?? ?? B? ?? ?? ?? ?? 4? 89 10 8B 94 ?? ?? ?? ?? ?? [0-6] 89 50 08 4? 8B 54 ?? ?? C7 42 0C ?? ?? ?? ?? E8 ?? ?? ?? ?? } condition: uint32(0) == 0x464c457f and uint8(4) == 2 and filesize < 5MB and $x } |