Fortinet, Ivanti zero-day victims face evolved persistence by the espionage actor
- by nlqip
“REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints,” Mandiant added. “REPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides backdoor access to a system.”
MEDUSA, too, is an open-source rootkit capable of logging user credentials from successful authentications, whether local or remote, as well as command executions. “These capabilities are advantageous to UNC3886 as their modus operandi to move laterally using valid credentials,” Mandiant added.
Using a trusted third party as C2
The threat actor was seen using malware, such as MOPSLED and RIFLESPINE, that abuses trusted third-party services including GitHub and Google Drive as command-and-control (C2) channels, while relying on rootkits to maintain persistence.