Google’s Threat Intelligence Group (GTIG) has uncovered a stealthy, sophisticated campaign by a financially motivated actor tracked as UNC6148. The campaign targets end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances, including fully patched ones, by reusing previously stolen credentials and deploying a new rootkit dubbed OVERSTEP to establish persistent access.
“GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates,” the report states.
UNC6148 has a track record of exploiting unmonitored edge devices. By abusing vulnerabilities such as CVE-2021-20038, CVE-2024-38475, and CVE-2021-20035, the group has harvested administrator credentials, either directly from the appliance or indirectly through exposed logs and credential marketplaces. Applying the patches closes those bugs, but it does nothing to invalidate credentials or OTP seeds that were already exfiltrated, which is why patched appliances remain exposed.
Mandiant incident responders noted that the attackers were often already in possession of local administrator credentials, which let them authenticate directly over SSL VPN. From there, they spawned reverse shells, created custom network access control rules, and ultimately deployed the OVERSTEP backdoor, a malware specimen designed for stealth, resilience, and data exfiltration.
“Once the SSL VPN session was established, the attacker spawned a reverse shell on the targeted SMA appliance… suggesting they may have modified an exported settings file offline,” the report explains.
OVERSTEP is more than just malware: it is a user-mode rootkit and backdoor hybrid. Written in C and compiled as a 32-bit ELF shared object for x86, it is loaded into every newly started dynamically linked process via /etc/ld.so.preload. Unlike the LD_PRELOAD environment variable, which affects only the processes that inherit it, /etc/ld.so.preload is honoured by the dynamic loader system-wide, which is what makes it attractive for persistence; only statically linked binaries escape it.
“The backdoor’s primary functionalities are to establish a reverse shell and exfiltrate passwords from the compromised host.”
Its methods include:
- Preload-based interposition on standard library functions (open, write, readdir), so that the rootkit’s replacements run in place of the real routines inside every process and its own files can be filtered out of directory listings.
- Log tampering and timestomping to evade detection.
- Persistence through a modified boot script (rc.fwboot), ensuring that the rootkit survives reboots.
Commands such as dobackshell and dopasswords are embedded in otherwise benign-looking web requests. They trigger a reverse shell or the packaging of sensitive databases (e.g., persist.db and temp.db) into a tarball placed in a web-accessible directory, from which the attacker simply downloads it.
“The path to the malicious shared object was added to the /etc/ld.so.preload file, which effectively ensures the malware will persist on the compromised appliance.”
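To show why a preload-based user-mode rootkit blinds on-box tooling, and one check a responder can still run from a shell on a Linux host, the following C program is example code written for this article; it is not from GTIG’s report and not OVERSTEP itself. It lists a directory twice, once through libc readdir() and once through the raw getdents64 syscall, and counts entries that libc omits; it also probes /etc/ld.so.preload through the raw openat syscall and through libc open(). A hook installed via ld.so.preload replaces only the libc symbols, so any divergence between the two views indicates interposition. The directory names in main() and the file names in the comments are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Example code for this article, not part of OVERSTEP or GTIG's report.
 * A preload hook replaces libc symbols only, so the kernel's view and libc's
 * view of the same directory or file diverge when one of them is hooked. */

#define MAX_ENTRIES 256
#define NAME_LEN    256

/* Record layout written by getdents64; glibc's <dirent.h> does not expose it. */
struct raw_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

typedef struct {
    char name[MAX_ENTRIES][NAME_LEN];
    int  count;
} listing_t;

static void add_name(listing_t *l, const char *n) {
    if (!strcmp(n, ".") || !strcmp(n, "..") || l->count >= MAX_ENTRIES) return;
    snprintf(l->name[l->count++], NAME_LEN, "%s", n);
}

/* Directory listing via the getdents64 syscall, bypassing libc's readdir(). */
static int list_raw(const char *dir, listing_t *out) {
    uint64_t buf[4096];                 /* 32 KiB, 8-byte aligned for the records */
    char *p = (char *)buf;
    out->count = 0;
    long fd = syscall(SYS_openat, AT_FDCWD, dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    long n;
    while ((n = syscall(SYS_getdents64, (int)fd, p, sizeof buf)) > 0) {
        for (long off = 0; off < n;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(p + off);
            add_name(out, d->d_name);
            off += d->d_reclen;
        }
    }
    close((int)fd);
    return out->count;
}

/* The same listing through libc, which is the layer a preload rootkit hooks. */
static int list_libc(const char *dir, listing_t *out) {
    out->count = 0;
    DIR *dp = opendir(dir);
    if (!dp) return -1;
    struct dirent *e;
    while ((e = readdir(dp)) != NULL) add_name(out, e->d_name);
    closedir(dp);
    return out->count;
}

/* Entries the kernel reports that readdir() omitted; -1 if the dir cannot be opened. */
static int count_hidden_entries(const char *dir) {
    static listing_t raw, libc;         /* static keeps the two 64 KiB buffers off the stack */
    if (list_raw(dir, &raw) < 0 || list_libc(dir, &libc) < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < raw.count; i++) {
        int found = 0;
        for (int j = 0; j < libc.count && !found; j++)
            found = strcmp(raw.name[i], libc.name[j]) == 0;
        if (!found) hidden++;
    }
    return hidden;
}

/* 1 if the raw openat syscall can open the path, 0 otherwise. */
static int raw_file_exists(const char *path) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    close((int)fd);
    return 1;
}

/* 0: absent; 2: present and visible to libc open(); 1: present to the kernel
 * but denied by libc open(), i.e. open() has been interposed. */
static int preload_status(const char *path) {
    int raw = raw_file_exists(path);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int via_libc = fd >= 0;
    if (fd >= 0) close(fd);
    if (raw && !via_libc) return 1;
    return raw ? 2 : 0;
}

int main(void) {
    const char *dirs[] = { "/etc", "/tmp", "/usr/lib" };   /* assumed for the demo */
    int st = preload_status("/etc/ld.so.preload");
    printf("/etc/ld.so.preload: %s\n",
           st == 1 ? "PRESENT BUT HIDDEN FROM libc open()" : st == 2 ? "present" : "absent");
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        int h = count_hidden_entries(dirs[i]);
        if (h < 0) printf("%s: cannot list\n", dirs[i]);
        else printf("%s: %d entries hidden from readdir()\n", dirs[i], h);
    }
    return 0;
}
```

The check is only as good as its lowest layer: glibc’s syscall() wrapper is itself a libc symbol, so a rootkit that also interposes syscall() could blind this program too. For that reason a responder should bring a statically linked copy of such a tool onto the box rather than compile it there, and, as GTIG advises, treat a disk image rather than any live view as the authoritative evidence.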
GTIG reports that OVERSTEP is also equipped with log-clearing functionality that removes traces of its command usage from httpd.log, http_request.log, and inotify.log. This severely limits forensic visibility: live inspection on the appliance cannot be trusted, and reliable analysis depends on a full disk image taken from the device.
βThis anti-forensic measure, combined with a lack of shell history on disk, significantly reduces visibility into the actor’s secondary objectives.β
Although no direct evidence of monetization has surfaced, overlaps with earlier campaigns suggest UNC6148 activity may be a precursor to ransomware deployment, such as Abyss-branded ransomware (tracked by GTIG as VSOCIETY). Notably, one organization targeted by UNC6148 was later listed on the “World Leaks” data leak site.
GTIG’s top recommendation: rotate all credentials and OTP seeds, even if the appliance is up to date, because patching does not revoke secrets that were already stolen. Also acquire a disk image and perform forensic analysis offline, since runtime scans on the appliance may be defeated by the rootkit’s hooks. Given that the SMA 100 series is end-of-life, organizations still running it should also plan its replacement.