Uncovering Espionage Operations
June 24, 2024, 8:23 a.m.
Description
This analysis examines the tactics of UNC3886, a suspected China-nexus cyber espionage actor. The report covers the group's exploitation of zero-day vulnerabilities and its deployment of the REPTILE and MEDUSA rootkits for persistent system access. It describes malware that leverages trusted third-party services for command and control, as well as credential-theft techniques that include backdoored applications and the targeting of TACACS+ authentication servers. The group's operations spanned strategically important organizations across diverse sectors worldwide, reflecting advanced capabilities and a cautious, evasive approach.
Tags
Date
- Created: June 24, 2024, 7:58 a.m.
- Published: June 24, 2024, 7:58 a.m.
- Modified: June 24, 2024, 8:23 a.m.
Indicators
Attack Patterns
- VIRTUALSPHERE
- VIRTUALPIE
- VIRTUALSHINE
- RIFLESPINE
- MOPSLED
- Medusa
- REPTILE
- UNC3886
- T1003.001
- T1556
- T1110
- T1136
- T1059.001
- T1555
- T1071.001
- T1071
- T1040
- T1560
- T1053
- T1056
- T1003
- T1059