Multiple zero-days, persistence mechanisms leveraged in Chinese cyberespionage operations

Aside from exploiting vulnerabilities in Fortinet, VMware, and Ivanti software, the sophisticated Chinese cyberespionage operation UNC3886 has used several persistence mechanisms to maintain prolonged compromises of organizations in the technology, energy, utility, aerospace and defense, and telecommunications sectors around the world, particularly in North America, Southeast Asia, and Oceania, The Hacker News reports. To evade detection, UNC3886 has infected guest virtual machines with the Reptile and Medusa rootkits; Medusa additionally enables logging of user credentials and lateral movement across targeted networks, according to a Mandiant report. The group's attacks also involved deploying MOPSLED, a successor to the Crosswalk malware that retrieves plugins from a command-and-control server, and the RIFLESPINE backdoor, which transfers files and executes commands via Google Drive. Intrusions against vulnerable VMware instances were additionally noted to involve a trojanized TACACS daemon and the VIRTUALSHINE, VIRTUALSPHERE, and VIRTUALPIE backdoors.

China-based Salt Typhoon leverages stolen credentials to attack U.S. telcos. (Adobe Stock)