A suspected Chinese threat actor tracked as UNC3886 uses publicly available open-source rootkits named ‘Reptile’ and ‘Medusa’ to remain hidden on VMware ESXi virtual machines, allowing them to conduct credential theft, command execution, and lateral movement.

Mandiant has been tracking the threat actor for a long time, previously reporting attacks on government organizations leveraging a Fortinet zero-day and two VMware zero-day vulnerabilities exploited for extended periods.

A new report by Mandiant unveils UNC3886’s use of the mentioned rootkits on virtual machines for long-term persistence and evasion, as well as custom malware tools such as ‘Mopsled’ and ‘Riflespine,’ which leveraged GitHub and Google Drive for command and control.

The most recent attacks by UNC3886, according to Mandiant, targeted organizations in North America, Southeast Asia, and Oceania, with additional victims identified in Europe, Africa, and other parts of Asia.

The targeted industries included governments, telecommunications, technology, aerospace, defense, and energy and utility sectors.

Rootkitting VMware ESXi VMs

Mandiant says the threat actors breach VMware ESXi VMs and install open-source rootkits to maintain access for long-term operations.

A rootkit is malicious software that allows threat actors to run programs and make modifications that are not viewable to users on the operating system. This type of malware allows the threat actors to hide their presence while engaging in malicious behavior.

“After exploiting zero-day vulnerabilities to gain access to vCenter servers and subsequently managed ESXi servers, the actor obtained total control of guest virtual machines that shared the same ESXi server as the vCenter server,” explained Mandiant.

“Mandiant observed the actor use two publicly available rootkits, REPTILE and MEDUSA, on the guest virtual machines to maintain access and evade detection.

Reptile is an open-source Linux rootkit implemented as a loadable kernel module (LKM), designed to provide backdoor access and facilitate stealthy persistence.

Reptile’s main components are:

1. A user-mode component (REPTILE.CMD) that communicates with the kernel-mode component to hide files, processes, and network connections.
2. A reverse shell component (REPTILE.SHELL) which can be configured to listen for activation packets via TCP, UDP, or ICMP, providing a hidden channel for remote command execution.
3. A kernel-level component that hooks into kernel functions to perform the actions tasked by the user-mode component.

“REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints,” continued Mandiant.

“REPTILE offers both the common backdoor functionality, such as command execution and file transfer capabilities, as well as stealth functionality that enables the threat actor to evasively access and control the infected endpoints via port knocking.”

UNC3886 modified the rootkit to use unique keywords for different deployments, aiding in evasion, while they also made changes to the rootkit’s launcher and startup scripts aimed at boosting persistence and stealth.

The second open-source rootkit the threat actor deploys in attacks is Medusa, known for its dynamic linker hijacking via ‘LD_PRELOAD.’

Medusa’s functional focus is credential logging, capturing account passwords from successful local and remote logins. It also performs command execution logging, providing the attackers with information about the victim’s activities and insight into the compromised environment.

Mandiant says Medusa is typically deployed after Reptile as a complementary tool using a separate component named ‘Seaelf.’ 

Some customization was observed on Medusa, too, with UNC3886 turning off certain filters and altering configuration strings.

Custom malware

UNC3886 was also observed using a collection of custom malware tools in its operations, some of which are presented for the first time.

The most important of the listed attack tools are:

• Mopsled – Shellcode-based modular backdoor designed to retrieve and execute plugins, allowing it to expand its capabilities dynamically. It’s seen in vCenter servers, and other breached endpoints alongside Reptile.
• Riflespine – Cross-platform backdoor leveraging Google Drive for command and control (C2). It uses a systemd service for persistence, collects system information, and executes commands received from the C2.
• Lookover – Custom sniffer to capture TACACS+ credentials by processing authentication packets, decrypting, and logging their contents. Deployed in TACACS+ servers, it helps attackers extend their network access reach.
• Backdoored SSH execs – UNC3886 deployed modified versions of SSH clients and daemons to capture credentials and store them in XOR-encrypted log files. To prevent overwriting by updates, the attackers use ‘yum-versionlock.’
• VMCI backdoors – Backdoor family exploiting the Virtual Machine Communication Interface (VMCI) to facilitate communication between guest and host virtual machines. Includes ‘VirtualShine’ (bash shell access through VMCI sockets), ‘VirtualPie’ (file transfer, command execution, reverse shell), and ‘VirtualSphere’ (controller transmitting the commands).

Mandiant plans to release more technical details about those VMCI backdoors in a future post.

The complete list with indicators of compromise and YARA rules to detect UNC3886 activity is at the bottom of Mandiant’s report.