
Intelligence-Driven Response to UNC5174 by Alessandra Rizzo

BSides Edmonton · 2025
42:24 · 19 views
Published 2025-10
Watch on YouTube ↗
Speakers: Alessandra Rizzo
Tags
Category: Technical
Team: Blue
Style: Talk
About this talk
BSides Edmonton 2025

This video was captured using a locked-down, unmanned camera. As a result, there may be moments when speakers are not fully in the camera shot. Additionally, the audio quality captured by the podium microphone is dependent on the proximity of the speaker to the mic. This means that variations in audio clarity may occur if the speaker moves away from the microphone during their presentation. We appreciate your understanding of these technical aspects.

Intelligence-Driven Response to UNC5174: Tracking the Evolving Use of Open-Source Tools in State-Aligned Threat Campaigns by Alessandra Rizzo

This talk explores the intelligence and response challenges posed by UNC5174, a state-aligned Chinese threat actor known for integrating open-source tools, the latest one being VShell, with custom malware like SNOWLIGHT in recent and still ongoing campaigns. The group combines social engineering and vulnerability exploitation techniques to establish a foothold in organizations' networks. The analysis discusses UNC5174’s layered approach to post-exploitation — from fileless Go malware found on compromised Linux systems to obfuscation through publicly available tooling — and highlights the broader implications for threat attribution, intelligence gathering, and what organizations can do to operationalize threat intelligence across security teams. The talk presents actionable insights from telemetry analysis and behavioral indicators gathered during real-world engagements, emphasizing the importance of adaptive threat intelligence and response. The main objective is intelligence sharing and the use of open-source tools and techniques that defenders can easily implement to understand and mitigate more sophisticated techniques.

Transcript [en]


Thanks everyone for having me. So, as it was said, I am a threat detection engineer at Sysdig. I've been for a little over two years now. Before, I was in threat intelligence. So overall, I've been in the cyber security space around four or five years. And yeah, it's been a very nice journey, especially focusing on Linux malware, which doesn't always get the same spotlight as Windows. So it's definitely been a really cool thing. Be sure to check out the Sysdig blog as well for more Linux and cloud threats if this is something you're interested in.

So for this talk, the main agenda will be trying to build an actor profile for UNC5174, which is a moniker for a threat actor that was first discovered by Mandiant in 2024, and it's supposed to be a Chinese state-linked party. We're going to be looking at recent campaigns, in terms of the 2024 one from Mandiant, briefly, for the introduction, since they did a pretty good job in building an actor profile themselves, and then the campaign that we've seen as Sysdig in early 2025. And we're going to be talking about techniques specifically, so with the MITRE ATT&CK framework in case it is helpful; it is a very good way to try to rationalize the techniques that we see with these actors. And we're going to be talking about attribution challenges, because in this case the main focus is that this actor has been using open source tools which anyone can use. So the idea is that it is challenging to know whether you're being targeted by somebody like them or it's an isolated incident. So we're going to be trying to look at some ways that defenders can actually try to make that distinction. And yeah, we're going to be looking at some defensive open source tooling, because open source tools are not malicious per se. They're not bad. And then we're going to have a Q&A in case there are any questions. Yeah.

>> You can't hear me.

>> Okay, maybe I'll just try to hold it. Is this better? Okay, perfect. Okay.

So as I said, it was first discovered in 2024 by Mandiant, and the research highlighted well, basically in terms of attribution and intelligence, who the main targets were, which are western government organizations and research institutions and think tanks, for example, and NGOs; basically, you know, western targets that could be of interest to a Chinese state-aligned threat actor. And they mainly target Linux-based systems. Not sure why; they probably are just more skilled in Linux, which we will see, because they definitely are. Their main goal is to resell the access that they acquire to compromised infrastructure to Chinese state-interested parties. So in this case we've seen them act as a broker for illicit access

and that's why we haven't really seen any post-exploitation activities. Once they land on the system, they install backdoors, they remain there, remote access tools mostly; they don't try to exploit it themselves, so they just stay silent and resell the access when it's needed. And yeah, as we've said, they employ open source tools. Again, we can speculate as to why, but it is a very powerful thing for an attacker that is able to develop custom malware, and is very financially skillful and resourceful, to actually decide to use tools that anyone can use. We believe that this is to their advantage. We've seen pretty sophisticated techniques in this case, which are not something that we believe any threat actor with, you know, basic technical knowledge could do, and we've also seen considerable financial resources being spent on infrastructure. While we were tracking this campaign, since November 2024, when we've seen the first domains distributing their malicious tool, we were basically able to see that every few days there were hundreds of new domains or something like that. That is not something that anyone could be able to keep up with.

So as to our campaign that we investigated: while I was putting together this presentation, one thing that is missing here, that we didn't have at Sysdig, is that Trellix had discovered in late August, so just a few weeks ago, that the main initial access vector was a phishing email with a RAR archive that contained the payloads here, so the initial bash script. So that's pretty interesting, because at the time we weren't really able to make that assessment with the initial access vector. So this graph is not showing that, for that reason. But the main initial access vector was phishing. So we have a malicious bash script that basically ended up downloading two executables from a remote server, which in this case was this gooogleasia[.]com, Google with three O's, nothing to do with the real Google, and it basically acted both as the main C2 and the main initial distribution factor, this remote server. So we found, I think while we were researching this, it had a dozen subdomains, and they were all used for different purposes. So that's kind of interesting, that they have their own central domain.

So this DNS logger is the SNOWLIGHT malware, which is a custom malware. This was named by Mandiant and identified first by Mandiant in 2024, and it is a dropper that ends up dropping a fileless payload, which in our case was VShell, and in their case it was SuperShell, which is another open source tool. And then it also downloads and executes Sliver, which is a red teaming

framework as well. We believe that it was done for fallback: the main payload is supposed to be SNOWLIGHT, but in case something doesn't work, and we'll see a little bit later why, they would still try to rely on Sliver to have a foothold in the system. So in this case, yes, the DNS logger doesn't have the VShell payload embedded to unpack; it has to download it with a specific GET request to the remote server. So that's quite interesting, because it's kind of a dynamic execution, like if there are checks in the malware to know whether to run or not. So it is going the extra mile not to just drop traces of the final payload, which we believe is going to be the VShell one, which is fileless. And that is not a very common thing, although I think it has been documented just a few months ago that now this technique of fileless malware is starting to be used also for crypto mining, which is kind of interesting, because so far this is a pretty sophisticated technique and way of distributing malware; not everyone's going to be able to do that. The malware was also heavily obfuscated. I think VShell is written in Go, the OG open source VShell one, and it was obfuscated with, I think it's called garble, the one that obfuscates Go malware, so we had to install plugins and stuff to try to decrypt what it was actually going to do. So yeah, basically we've seen this campaign overall going the extra mile to be sure that nothing is left, you know, that it doesn't have to run, and even when it does run it's supposed to be very silent and very stealthy.

So yeah, these are snippets from the initial bash script that we've seen. So the main idea, yes, is that it downloads the executables from the remote server and then it runs them. It makes a few checks, which is kind of interesting: if it is root, it will try to move them from tmp, a temporary writable directory, to /usr/bin, and it's going to try to modify the timestamp, we suppose for defense evasion purposes, so that if you're auditing or you have some alerts, basically the binaries are going to match the target folder timestamps, so for example any newly added binaries there may not be flagged. So that was quite interesting. We've also seen them use the classic crontab for basically trying to persist on the system, because if it is not root and it's in tmp, it's

not a persistent storage, tmp. So in this case, it's going to be adding them to a crontab file so that it will run every hour, and it will try to run on every reboot as well. So this is a way for the attackers to know that the malware is going to persist. And it also ended up using systemctl as well, which is a way to manage systemd services on Linux. And that's another persistence technique, we think, because in this case it registers the executables as services on Linux, and then it's going to make them run in the background. So yeah, let's see if I forgot something. Yeah, I think that should be all for the initial bash script.

So in this case the bash script downloads this, which is SNOWLIGHT. As I pointed out, it has been named and found by Mandiant in 2024. It is very straightforward. It is a dropper. So the main purpose of this malware is to fetch the payload with a specially crafted GET request. You can see that in the sendto snippet in the slide, which is going to be basically giving some parameters to the server in order to actually get the binary back. So this is like an anti-analysis technique, because in case you're trying to connect to the remote server and try to get the binary yourself, you're not going to be able to unless you know the parameters that the server wants before giving you the final payload. So that's definitely not something we see every day in terms of security incidents like this.

So yeah, one interesting thing that we said is that it downloads the VShell payload at runtime; it doesn't just unpack it. This, we believe, is not something that is usually able to be kept up with at a small-scale type of incident, because if you think about it, the C2 is hardcoded. So there could be a point of failure in this strategy, where the C2 gets taken down and that's that; you can't get the payload in the end. But in this case, we've seen them basically shuffling IP addresses very quickly. So this is not, again, something that every isolated-incident attacker is going to do; it takes a lot of effort to maintain a central infrastructure like this, and considerable financial resources. So of course we've seen different domains being used. We'll dive into this a little bit later, but the idea is that basically the domains and the IP addresses involved in here are in the hundreds. And this is a large-scale campaign for being so. And the final thing is it retrieves the payload

and then it executes it filelessly. This is a way in Linux, with the memfd_create system call, to execute a file that doesn't actually exist on disk. So it's backed by volatile storage, and we've seen this threat increasingly used even by less skilled actors. But it's still not very common. So this definitely caught our eye. In this case the binary was named kworker, which is like a benign kernel process name given to all Linux processes that are related to the kernel.

So yeah, we'll look at the VShell binary itself. Again, this wasn't really malicious; it was developed for security purposes by a Chinese-speaking person, we believe, because the GitHub repo information was in Chinese, but again it wasn't necessarily malicious. It was used as a remote access tool, and the author, himself or herself, I don't know, decided to take it down, basically because as soon as it was released it started being abused, and they expired the license of the software in a way that it couldn't really be used. And the thing that is interesting from this author here is the expiring of the license; I did have to poke around and try to make it run myself, because there are guides basically on Telegram on how to use this, and we've seen that the first guides that the software was "cracked", double quote, started appearing in September 2024, and by November 2024 we started seeing VShell being used by this actor. So yeah, I mean, we can't really speculate that much on what happened, why they chose to use VShell, because as we said, in 2024 they were using SuperShell, which is a very similar tool. It is possible that they did that because Mandiant exposed them. So they exposed their techniques and the open source tool, so they just found another one, or I don't know. Another thing that we've seen on underground forums is that this VShell malware is basically being called better than Cobalt Strike. It's very intuitive. As you can see, it has a UI. So it's a UI where you can centrally manage your compromised systems, and from there, if you look on the side, you can choose the payload that you want to deploy through VShell. So the interesting thing here is that not only is there a backdoor, but you can continue to deliver malicious payloads in the future, basically. And everything is through the UI in this case. So that's pretty neat, basically. Yeah.

So we're going to be looking at VShell in a little more detail on what we have observed during the research. So, as soon as it's executed, it tries to read quite a few sensitive files on the system. We believe this is done

for reconnaissance, and then basically sending back the information about the system where it landed. One thing that was interesting is that as soon as it's executed it allocates huge chunks of memory, but these are not accessible. So we tested around: is this something that everyone does? And no, it is not. We believe that this is done on purpose, because as we said it is possible to deploy further payloads. So in this case we believe it maps these chunks of memory so that it can deploy further payloads once it needs to. And in this case we didn't see it. We left it running for a few days, but we didn't really see the attacker sending us back anything. But yeah, that was a cool artifact in terms of a behavioral indicator that we've seen. We've created a Falco rule, which I'm going to be sharing at the end, also shared in the blog, which basically can flag this, since it is not a very common behavior.

So another interesting thing that is not very common is the usage of websockets. Well, we've seen that I think there are a handful of reports on malware trying to use websockets for C2 communication, but there weren't very many, and I believe it is kind of tedious to set up a websocket compared to the classic protocols, because basically it runs on a standard port and it also requires very low overhead. So, in this case, it was perfect for them, because if you're trying to get a payload as soon as possible to a system, it's going to be very fast. And it's encrypted. So, for example, when the malware upgraded to the websocket, we couldn't really see anything of interest in the network traffic anymore. So, it could also be a defense evasion technique in this case, where... Yeah.

So, VShell is kind of like, I would say... Yeah.

>> Yeah. Yeah. So, in this campaign specifically, VShell is going to be fileless, but Sliver is just deployed as is. Yeah. So, for the Sliver part, we had the analysis on it as well, because it used different remote servers to connect, and different protocols. But yeah, we left them running for a few days, but we didn't really see the attacker sending us back anything. So we can just speculate in this case as to why they were used and how they were used, just by researching them like this. But yeah, the Sliver one was a standalone binary, and I think it wasn't really supposed to be the main payload. I think it was in case, for example, SNOWLIGHT wasn't able to download the VShell one. But in terms of why they would choose either Sliver or VShell in this case, yeah, VShell is pretty neat: you can have a UI where you can see all your compromised systems, and it's also way less common than Sliver as well, which I think, if you're doing intelligence, trying to block Sliver is going to be much easier, because it is way more tracked than something like VShell, which, until we researched it... I think we've seen it used in different campaigns, which I'm not sure are related to the same actor. But it was used against macOS and Windows systems; it is a cross-platform malware as well. So yeah, it has quite a few utilities, in the sense that it can be a backdoor, it can be a remote access tool, it can deploy shellcode on the system, so it does offer a few functionalities. Yeah, and all of this again is happening filelessly; there isn't really a program that you're going to be finding on your system that's going to be doing this. So overall, once it upgrades the network connection to the websocket, then it just waits for further commands, and that's that in our case.

So at this point I think maybe a little recap with the ATT&CK matrix could be good, given the amount of information. So in this case we can build the profile by looking at the main MITRE ATT&CK tactics that we've seen. So the motivation is not really a MITRE ATT&CK tactic, but it's a good recap. So, as it was said also by the cyber security center in France: while we were researching it we've seen a report from them; while they were having the summer Olympics, they were targeted by this actor, and they

also put out their own report, and they said that it did look like it was looking for valuable initial access to resell. So that confirmed what Mandiant had also said on this actor for the initial access. So we can see a mix of vectors. So what Mandiant found and what the French cyber security agency found was exploitation of vulnerabilities that at the time were zero-days. So they weren't patched; the patch wasn't even out. So that's pretty interesting, because this is the level that they can actually target: it's through zero-days. Do they develop them themselves? Do they collaborate with other Chinese-sponsored threat actors? We don't know, but we can probably speculate that they do. And in our case, yes, these are some of the domains that we have seen for the phishing domain. So we've seen the gooogleasia.com, and this telegrams.icu, and "who you want", which is, I think, a Chinese financial service, and then cloudflare. So they're all typosquatted. And again, this slide does not contain part of the Trellix report, where they detailed very well the initial access vector for phishing. So they've seen a RAR archive distributing that initial bash script. I think it was a little different, but the campaign is basically the same.

And for execution. Yeah. So, Mandiant called SuperShell GOREVERSE. I believe they're the same tool. It is a publicly available backdoor, and so is VShell, although again VShell was taken off legitimately, but you can find it anywhere, basically. While we were trying to research our own way through VShell, to understand what was changed by the actor from the original binary, we found many third parties where you could download VShell. So it's definitely still out there. So, yeah, and it's possible to circumvent the configurations that were expired by the author to run it. So in terms of defense evasion, yeah, the main idea is definitely the fileless malware that we've seen, in this case the memfd_create system call, which again is not something that we have observed in our sandboxes or honeypots and research. It's not something that we have observed very much. Basically, I think this was the first instance, really, where we've seen it at such a large scale, with a distribution vector and a network infrastructure. But I am aware that there have been a few reports now that it's being used for crypto mining. So yeah, in this case we've also seen the websocket usage. Again, I think there are a handful of reports that detail malware using websockets. It's not a very common protocol. So yeah, so far. Now we're going to be moving to the attribution challenge. So

in this case, it's like, you know, if somebody who is a nation-state actor is using the same tools as someone who just wants to mine cryptocurrency on your system, how are you going to be able to tell the difference? Basically, it's very difficult, because we believe this is on purpose, because it's to their advantage: if you are not able to tell them apart, or if you don't have definitive proof that they are a nation state, well, your threat modeling strategies are going to be very different if you know that you're being targeted by a Chinese nation state or just, you know, a script kiddie that wants to do crypto mining. So yeah, in this case we definitely need more than indicators, although they are not completely useless; this is not what this slide is about. They have to be complemented with behavioral indicators, and there's no getting around that, because, as we have seen, especially for the domains and the IOCs that are network IOCs, or even the fileless payload, they're going to be very different if this attacker is financially resourceful and is able to change them every few days. By the time they get deployed, they're going to be obsolete already. So, you know, the way that we researched this malware and the way we developed rules through Falco, which is a detection engine for Linux through system calls, and it's completely open source as well, is to look at the behavior, to look at the system calls: what is this malware actually doing once it's deployed, more than where it is connecting to, because that may change, but the behavior of the malware is not going to change as easily. It's not every day that you develop a custom dropper that implements a custom VShell payload and then you get flagged on your behavior; it's going to be way harder for an attacker to circumvent those types of IOCs.

So yeah, one thing I want to note is that WhoisXML API actually built off the IOCs that we've first seen for this threat actor. They did a pretty cool report on the network infrastructure only, where they basically found close to 200 connected domains and email addresses, 67 IPs; basically this is not something that you're going to be seeing a lot, in the sense that if you don't have the financial resources to do this, then you just don't; it's not that easy for anyone to do this. And in this case again, shifting the focus from static indicators and network indicators alone to both static indicators but

behavioral patterns as well is going to be helping you a lot in your defense strategy. And in this case, the deniability is, you know, to their advantage. I think Mandiant identified an individual that was basically state-aligned. But in what sense are they state-aligned? They're going to be basically also a very useful asset to a hostile nation state, because in this case they act as a third party; the state can say, well, they don't work for us, they're their own thing. But obviously they're compromising these systems and trying to resell them whenever they can. So, in this case, this is going to be a challenge for threat modeling as well, because you're going to have to look at the incident and make a very quick response and a quick strategy on how to react, based on a few indicators. And in this case, based on an open-source tool, that's basically not something that can be done on the fly, to know whether you're being attacked by a nation state or, you know, a low-level technical actor. Basically, it's this idea that if you start to use what everybody else is using, then you're kind of protected by the pool of cyber attackers that are using this, of course, for different reasons, because we haven't really seen them use their tools for financial motives. We haven't seen them trying to deploy crypto mining or anything like this. And I believe that all the reports so far on this actor point to the same idea, that they gain the access and they stay quiet; they don't try to exploit it for their own financial reasons. So that's another thing: usually on Linux systems crypto mining is a big attack pattern that we see. So this was definitely really cool, in the sense that it's not something that we've seen very often.

So in this case the context in which we find these open source tools is going to help us, because I put up a slide with a snippet of the original repo that hosted VShell. It was a pretty benign thing, and it was as is; it wasn't distributed through a fileless custom payload, it was just hosted on GitHub, anyone could use it for their own security reasons, and it definitely wasn't supposed to be abused the way it was. So for us this is a good indicator, because when you're seeing an attacker going the extra mile trying to make their payload fileless, although it's open source, you have to distinguish that from someone who's just deploying VShell as is, right, and they have

like an IP address that's not mapped to anything. That's basically going to be a good indicator for context in this case, and that's kind of true for all open source, we believe. Before VShell they were using SuperShell; that's also hosted standalone, it's not injected in memory in a fileless way by a custom dropper. So basically the context in which you find these executables running, although they are open source and they could be anyone's, can give you insights into the capability of the attacker that you're dealing with. For example, with VShell, the websocket protocol is not the default one. Most of the standalone malicious attackers that we've seen, they weren't using that. So clearly that's another distinguishable artifact for this attacker. Yeah.

So what can we do? Well, in our case, Falco again is an open-source detection engine. You can deploy it in all your systems, or in containers, or something like this. It is very user-friendly, in the sense that you can do whatever you want with this detection engine. There are default rules, which are totally open source, but you can also build your own rules. So that's going to be working a lot for your environment, the open source version, and it is very good. It is an engine that can look, for example, at this behavior: fileless malware detected. What's it looking at? It's basically looking at any process that was executed from memory. You can flag that, you can make an alert, you can say, okay, if this happens this is a critical thing, I want to know about it. And you can also do the same for what we said before, the huge chunks of memory that were reserved but not accessible. In this case, you can also make a rule for that. You can say, okay, I want to know when a program is mapping more than 64 megabytes of memory and these memory pages are not accessible, because that's pretty strange, in the sense that if a fileless program does that... basically we were able to make a high-severity rule out of this research, because it is not a very common behavior. And of course there's also YARA, that's also an open-source tool. So if we go back a little bit, you can see here I put in the string artifacts; these are artifacts that you can use. In this case maybe you wouldn't use the remote server, because that can change, but you could use, for example, the specially crafted GET request; that is not very common, to be doing that with a

specific user agent and then try and find a specific log file on the system. So we were also able to make a YARA rule for that. And again, these are open-source tool sets that can be used by you. I've also put the VirusTotal query that we have used to see other instances of this actor. So, we were looking at the file name, which in Linux is going to look like memfd (deleted), because it's a non-existent memory file descriptor, and that is called kworker, and we were able to find quite a few executables like that. So VirusTotal also has a free version that can be used to do triaging and trying to find other infrastructure and connected patterns of distribution for executables. And of course, the IOC expansion findings that WhoisXML did, that was pretty good. I think you can download the report, where they do have the IOCs. Because again, it's not because IOCs are useless. It's because they can't do everything; if the attacker is able to set up 200 domains, you can't just... it's a cat-and-mouse race that we have to win also by complementing it with behavioral indicators. And in this case, these are free again. Open source tools are not inherently bad. That's not what this talk is about; I hope it is clear. They are good, but they can be misused, and we can use them to our advantage as well, as defenders.

So yeah, I've also put some hunting that you could do. For example, tshark is another tool that is completely free. You can, for example, flag when a websocket is being used; you can look, for example, at the header containing the websocket upgrade, or you can look, for example, at when DNS queries are being made, if it's on a remote server that you have as an isolated server; maybe it could be weird, not that DNS queries are weird inherently, but depending on where this is happening it could be useful. And I've also put some general hunts I believe you can do with Elasticsearch, which I do think also has a free version, where, for example, we've seen them use for VShell a non-standard port; in this case, for example, you want to flag a set of ports that, for you, are disallowed, they're not allowed to be used, or you don't use them very much. So to know your environment and to make these types of queries and hunts, it could be useful to

you and what makes sense for your environment. Or for example, we've seen them access those files that we said like the excess shadow on Linux and XA password like those are pretty sensitive files like not everyone should be able to just access them. Uh or for example some of these files they're for environment fingerprinting. Um so for example the the UID map it's going to give you like a lot of information on you know whether your root and capability you got and what are the mapping of your you know user space process which means like if you're in a sandbox or you're like on a host uh if some of the configurations are more hardened uh than normal like it

can't give the attacker the ability to say okay this is a sandbox I'm not going to run like I know that this is not good for So yeah, another one is for example you want to see for persistence hunt you want to see okay uh cron jobs for example executed by weird parents or not like expected uh Linux processes of course this has to make sense for you but you know I put some um thread hunting queries that could be helpful in regards to this type of campaign that we've observed And yeah, so final recap in this case, we've seen them this thread actor UNCC5174 being able to develop their own custom malware and develop their own

sophisticated tech like use their own sophisticated technique like a fileless payload, but still choosing to use an open source tool. And again, I want to reiterate this is to their advantage because if you as a defender are not able to make sure that you're being targeted from a Chinese nation state or a low-level actor, like that's to their advantage because maybe you're going to be thinking this is a, you know, an isolated security incident, but you're being targeted at scale. That's that's going to be good for them basically. And the context is the key also to try to make an attribution of of this kind because we as we've seen the vshell binary that was a standalone binary that

was not made uh you know in a custom dropper that was not made in a fileless payload that was distributed as is. Um, so yeah, that's going to help you to make that distinction. And of course, for this reason, intelligence sharing is really good. Like since we put out the report, I think I've seen three reports building up building off what we found. And this is a good thing because it really helps to expose these attackers. Uh, when you know, security vendors collaborate and they put out and build off others findings. We built off Mandy and what they found first. So, you know, it's a continuous thing that we have to try to keep up with because there

they're definitely like there are probably hundreds of other campaigns just like that just a stealthy uh but in this case like it's you know we have to try to do our best and in our case defensive open source tools are effective uh you know you are able to see with Yara with Falco like these are good tools uh to try to flag malicious behavior. You may not always get, you know, being targeted by a Chinese nation state. Uh but it's definitely good to know that in case this happens, you do have some flagging happening on your system. You're not completely blind. Um so yeah, open source tools are not inherently malicious. They can be used

to our advantage as well. So that's the key takeaway for this talk. And I want to do a little shout out to the cystic open source community. It's a new community where you know defenders they can collaborate with other defenders and you can find me in there too. Basically uh where this talk was advertised as well. Uh it's a very cool thing to learn and to collaborate with other defenders. So please be sure to check it out. And that's that for do you have any [applause] questions?
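As an added example of the behavioral hunts the talk lists (it is not code from the talk, from Sysdig, or from any of the reports it mentions), the Python below runs a few simple rules over constructed Linux process-event lines: a process whose executable reads as a deleted memfd (the fileless indicator), reads of /etc/shadow or /etc/passwd by something other than an expected reader, reads of /proc/self/uid_map (environment fingerprinting), crontab run by an unexpected parent, and outbound connections on ports the environment has disallowed. The event format, the process names, the allow-lists and the port set are all assumptions you would replace with your own telemetry and your own knowledge of your environment, which is the talk's point.

```python
"""Toy behavioral hunt over constructed Linux process events.

Added example: the log format, allow-lists and sample events below are
assumptions, not queries from the talk. Tune every set to your own
environment before using this shape of rule for real.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumed allow-lists (constructed; adjust per environment).
ALLOWED_SHADOW_READERS = {"sshd", "login", "sudo", "su", "passwd"}
EXPECTED_CRONTAB_PARENTS = {"bash", "zsh", "cron", "ansible"}
DISALLOWED_PORTS = {4444, 8443, 9999}
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd"}
FINGERPRINT_FILES = {"/proc/self/uid_map"}

# key=value pairs; values may contain spaces (e.g. "/memfd:x (deleted)"),
# so a value ends only where the next "key=" begins or the line ends.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample telemetry: "<kind> key=value ...", one event per line.
SAMPLE_EVENTS = """\
open proc=sshd parent=systemd exe=/usr/sbin/sshd path=/etc/shadow
open proc=python3 parent=bash exe=/usr/bin/python3 path=/etc/passwd
open proc=kworker parent=bash exe=/memfd:kworker (deleted) path=/proc/self/uid_map
exec proc=crontab parent=bash exe=/usr/bin/crontab
exec proc=crontab parent=kworker exe=/usr/bin/crontab
connect proc=kworker parent=bash exe=/memfd:kworker (deleted) port=8443
connect proc=curl parent=bash exe=/usr/bin/curl port=443
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into its kind plus key=value fields."""
    kind, _, rest = line.strip().partition(" ")
    event = {"kind": kind}
    event.update(KV_RE.findall(rest))
    return event


def is_fileless(exe: str) -> bool:
    """A memfd-backed process shows its exe as "/memfd:<name> (deleted)"."""
    return exe.startswith("/memfd:") and exe.endswith("(deleted)")


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (possibly several)."""
    hits: List[str] = []
    proc = event.get("proc", "")
    parent = event.get("parent", "")
    if is_fileless(event.get("exe", "")):
        hits.append("fileless_process")
    if event["kind"] == "open":
        path = event.get("path", "")
        if path in SENSITIVE_FILES and proc not in ALLOWED_SHADOW_READERS:
            hits.append("sensitive_file_read")
        if path in FINGERPRINT_FILES:
            hits.append("environment_fingerprinting")
    elif event["kind"] == "exec":
        if proc == "crontab" and parent not in EXPECTED_CRONTAB_PARENTS:
            hits.append("crontab_unexpected_parent")
    elif event["kind"] == "connect":
        if int(event.get("port", "0")) in DISALLOWED_PORTS:
            hits.append("disallowed_port")
    return hits


def hunt(log: str) -> List[Tuple[int, str, str]]:
    """Run every rule over the log; return (line number, rule, process)."""
    findings: List[Tuple[int, str, str]] = []
    for number, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in evaluate(event):
            findings.append((number, rule, event.get("proc", "")))
    return findings


def summarize(log: str) -> Counter:
    """Count findings per rule, the view you'd put on a hunting dashboard."""
    return Counter(rule for _, rule, _ in hunt(log))


if __name__ == "__main__":
    for number, rule, proc in hunt(SAMPLE_EVENTS):
        print(f"line {number}: {rule} ({proc})")
    print(dict(summarize(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (admins read /etc/passwd, legitimate software uses odd ports); the value comes from stacking them per process, which is why the sample's deleted-memfd process trips three different rules while the sshd and curl lines trip none.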