Ddos 
The Sysdig Threat Research Team (TRT) has uncovered a new campaign by the Chinese state-sponsored threat actor UNC5174, marking a shift in their tactics. After a year of operating under the radar, UNC5174 has been observed utilizing a new open-source tool and command and control (C2) infrastructure.
The initial discovery by TRT involved a malicious bash script designed to download multiple executable files for persistence. Notably, one of these binaries is a variant of UNC5174’s SNOWLIGHT malware, previously identified by Mandiant.
UNC5174, known for its past use of the SUPERSHELL reverse shell, has now adopted a newly released open-source tool called VShell. The report highlights VShell’s reputation in underground channels, noting that it is considered “even better” than the widely used Cobalt Strike framework.
This adoption of open-source tools aligns with a broader trend observed by Sysdig, where threat actors are increasingly leveraging such tools for cost-effectiveness, obfuscation, and to blend in with less sophisticated adversaries. The report states: “threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more difficult.”
The report delves into the technical details of the attack, explaining how the SNOWLIGHT malware acts as a dropper for a fileless payload, VShell. VShell, a Remote Access Trojan (RAT) popular among Chinese-speaking cybercriminals, is not typically included in malware droppers, making its use in this manner noteworthy.
The analysis emphasizes the sophistication and customization of UNC5174’s tools and techniques, suggesting a high level of technical capability. The report indicates that UNC5174’s motives likely revolve around espionage and/or selling access to compromised environments.
UNC5174 employs several evasive tactics to avoid detection. This campaign uses fileless payloads and WebSocket for command and control, which adds to the sophisticated nature of this threat. As the report states, “SNOWLIGHT and VShell pose a significant risk to organizations due to their stealthy and sophisticated techniques. This is evidenced by the employment of WebSockets for command and control, as well as the fileless VShell payload we have found.”
UNC5174 is believed to be a contractor working for the Chinese government, targeting Western countries and various organizations in the Asian-Pacific region. The group has been linked to attacks on Ivanti’s Cloud Service Appliance (CSA) products and has also used phishing as an initial access method.
The report concludes with an assessment that UNC5174 will likely continue to support the Chinese government, utilizing a mix of custom and open-source tools for espionage and access brokering.
Related Posts:
- Chinese State-Linked Hackers Target Critical Systems; Exploit F5 and ScreenConnect Flaws
- EMERALDWHALE Operation Exposes Over 15,000 Cloud Credentials in Widespread Git Exploit
About The Author
