A Chinese threat actor known as UNC3886 has been using open source rootkits Reptile and Medusa to hide on VMware ESXi virtual machines while stealing credentials and executing commands. Mandiant has been tracking UNC3886’s activities against government organizations, including attacks exploiting zero-day vulnerabilities in Fortinet and VMware products.
UNC3886 has recently targeted organizations in North America, Southeast Asia, and Oceania, with victims also identified in Europe, Africa, and Asia. The affected sectors include government, telecommunications, technology, aerospace, defense, and energy and utilities.
The threat actor uses Reptile and Medusa rootkits to maintain access to virtual machines for long-term operations, along with custom malware tools such as Mopsled and Riflespine for command and control. UNC3886 has modified these tools to evade detection, enhance persistence, and expand functionalities.
Reptile is a Linux rootkit that provides backdoor access and stealthy persistence, while Medusa focuses on logging credentials and capturing account passwords. UNC3886 has also developed tailor-made malware tools, including Pug Sled, Rifle Back, Look Through, Backdoor SSH Execs, and VMCI Backdoors, to extend its capabilities and control over compromised environments.
Mandiant plans to release more technical details on UNC3886’s VMCI backdoors in the future. The report includes a list of indicators of compromise and YARA rules for detecting this threat actor’s activities. This demonstrates the sophisticated tactics and tools used by UNC3886 to evade detection and carry out cyber attacks on organizations worldwide.
Article Source
https://www.bleepingcomputer.com/news/security/unc3886-hackers-use-linux-rootkits-to-hide-on-VMware-esxi-vms/amp/