UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell

This attack lets an attacker infiltrate systems through a multi-stage malware deployment that leverages tools such as SNOWLIGHT and VShell. The following protection guardrails can each block a step in that chain:

- **Process Path Exec Allow**: if the attacker attempts to execute the initial malicious bash script, `download_backd.sh`, from an unauthorized location such as `/tmp`, this guardrail prevents its execution.
- **Process Exec Deny**: should the script then try to use a utility like `curl` to download subsequent payloads such as `dnsloger` (SNOWLIGHT) or `system_worker` (Sliver), this guardrail can block `curl` if it is on a deny list, for instance because its path ends in `/curl`.
- **Process Socket Deny**: this guardrail is critical in preventing the `curl` process, or the malware itself such as `dnsloger`, from making outbound network connections, whether to download additional payloads like the VShell RAT or to establish command and control with servers such as `vs[.]gooogleasia[.]com` or `sex666vr[.]com`.
- **Sensitive File Access**: when the attacker's script attempts to establish persistence by modifying critical system files, for example by creating crontab entries or systemd service files for `dnsloger` and `system_worker`, this guardrail detects and blocks the unauthorized changes; later it can also prevent the VShell or Sliver implants from reading sensitive data such as SSH keys during espionage attempts.
- **Container Drift Protection (Binaries & Scripts)**: if the attack occurs inside a container, this guardrail blocks execution of the initial script when it was not part of the original image and, crucially, prevents the fileless VShell RAT from running as an unrecognized binary even when it is disguised as `[kworker/0:2]`.
- **Reverse Shell Protection**: finally, as the VShell RAT or Sliver implant attempts to establish command and control, potentially by binding shell input/output to a network socket for interactive remote access, this guardrail blocks the reverse shell activity, neutralizing the attacker's ability to directly control the compromised system.
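The guardrails above can be thought of as a layered policy evaluated over process, socket and file events. The following is an added illustration, not code from any vendor's product or from the UNC5174 tooling: the event schema, the allow/deny lists and the event trace are all constructed assumptions chosen to mirror the chain described in this page.

```python
from dataclasses import dataclass

# Policy values are assumptions for this example; the page names the guardrails
# but not the exact allow/deny lists a real deployment would configure.
EXEC_ALLOW_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")   # Process Path Exec Allow
EXEC_DENY_SUFFIXES = ("/curl",)                                         # Process Exec Deny
SOCKET_DENY_COMMS = {"curl", "dnsloger", "system_worker"}               # Process Socket Deny
SENSITIVE_PREFIXES = ("/etc/cron", "/var/spool/cron/", "/etc/systemd/system/", "/etc/init.d/")
SENSITIVE_FRAGMENTS = ("/.ssh/",)                                       # Sensitive File Access
SHELLS = {"sh", "bash", "dash"}                                         # Reverse Shell Protection

@dataclass
class Event:
    kind: str                   # "exec" | "connect" | "file"
    comm: str                   # process name as it would appear in ps
    path: str = ""              # executable path for exec, target path for file
    in_image: bool = True       # exec: was the binary/script shipped in the container image?
    stdio_socket: bool = False  # exec: are stdin/stdout already bound to a network socket?

def evaluate(ev):
    """Return the names of every guardrail that would block this event."""
    hits = []
    if ev.kind == "exec":
        if not ev.path.startswith(EXEC_ALLOW_PREFIXES):
            hits.append("Process Path Exec Allow")
        if ev.path.endswith(EXEC_DENY_SUFFIXES):
            hits.append("Process Exec Deny")
        if not ev.in_image:
            hits.append("Container Drift Protection")
        if ev.comm in SHELLS and ev.stdio_socket:
            hits.append("Reverse Shell Protection")
    elif ev.kind == "connect" and ev.comm in SOCKET_DENY_COMMS:
        hits.append("Process Socket Deny")
    elif ev.kind == "file" and (ev.path.startswith(SENSITIVE_PREFIXES)
                                or any(f in ev.path for f in SENSITIVE_FRAGMENTS)):
        hits.append("Sensitive File Access")
    return hits

# Constructed event trace mirroring the attack chain described above.
CHAIN = [
    Event("exec", "download_backd.sh", "/tmp/download_backd.sh", in_image=False),
    Event("exec", "curl", "/usr/bin/curl"),
    Event("connect", "curl"),
    Event("file", "download_backd.sh", "/etc/systemd/system/dnsloger.service"),
    Event("file", "download_backd.sh", "/etc/cron.d/system_worker"),
    Event("connect", "dnsloger"),
    Event("exec", "[kworker/0:2]", "/tmp/.x/kworker", in_image=False),   # fileless VShell stage
    Event("file", "[kworker/0:2]", "/root/.ssh/id_rsa"),
    Event("exec", "sh", "/bin/sh", stdio_socket=True),                   # shell bound to a socket
]

def first_block(events):
    """Index and guardrails of the first event the layered policy would stop."""
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            return i, hits
    return None

if __name__ == "__main__":
    for ev in CHAIN:
        print(f"{ev.kind:8} {ev.comm:18} {ev.path:40} -> {evaluate(ev) or 'allowed'}")
```

Running the trace shows that every stage of the chain trips at least one guardrail, and that the first one (the script launched from `/tmp`) is already stopped by two independent controls.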
- T1059.004: Command and Scripting Interpreter: Unix Shell: The attacker used a malicious bash script to download multiple executable files and set up persistence; the script executed the commands that downloaded and configured the malware.
- T1566: Phishing: The attacker used domain squatting to register fake domains impersonating legitimate companies, likely for phishing and social engineering, since the aim is to deceive users into interacting with malicious domains.
- T1203: Exploitation for Client Execution: The SNOWLIGHT malware acts as a dropper for a fileless payload, exploiting systems to execute the payload in memory without writing it to disk.
- T1055: Process Injection: The VShell payload operates entirely in memory, injecting code into processes to evade detection.
- T1071.001: Application Layer Protocol: Web Protocols: The attacker used WebSockets for command and control, communicating with the C2 server over a web protocol.
- T1543.002: Create or Modify System Process: Systemd Service: The malware establishes persistence by configuring malicious binaries to run at startup as systemd or init.d services.
- T1589: Gather Victim Identity Information: The use of custom and open-source tools like VShell and SNOWLIGHT for espionage and access brokering suggests the collection of information for further exploitation or for selling access.