UNC3886: Novel China-Nexus Cyber-Espionage Threat Actor Exploits Fortinet & VMware Zero-Days, Custom Malware for Long-Term Spying

In Q1 2024, Advanced Persistent Threat (APT) groups from China, North Korea, Iran, and russia demonstrated significantly enhanced and innovative offensive capabilities to proceed with sophisticated cyber-espionage campaigns. This surge in activity has posed considerable challenges to the global cybersecurity landscape. Recently, security experts revealed the activity of the China-linked Velvet Ant group infiltrating F5 BIG-IP devices for about three years to deploy malware and steal sensitive data. Yet, new day, new APT is on the radar. Cyber defenders spot the novel China-nexus actor known as UNC3886 relying on a sophisticated malicious toolkit to orchestrate long-term cyber-espionage operations.

Detecting UNC3886 Attacks

The analysis of UNC3886 by Google´s Threat Intelligence Team based on Mandiant research indicates that the threat actor leverages a broad malicious toolkit, including the VMware (CVE-2022-22948, CVE-2023-20867) and Fortinet (CVE-2022-41328) zero-day exploits, publicly available rootkits, SHH backdoors, custom malware samples, and multiple persistent mechanisms. Seeing the complexity of their malicious infrastructure and ability to fly under the radar during long-lasting espionage, organizations should be equipped with relevant detection algorithms and tools to proactively identify and withstand potential intrusions. 

SOC Prime Platforn aggregates the relevant detection stack based on the Google´s Threat Intelligence Team research findings. Just hit the Explore Detections button below and immediately drill down to the rule collection, accompanied by extensive metadata, CTI links, and ATT&CK references.

Explore Detections

All the detections are compatible with 30+ SIEM, EDR, and Data Lake technologies and aligned with MITRE ATT&CK framework.

Cyber defenders looking for broader detection coverage to proceed with in-depth threat investigation can use SOC Prime’s Threat Detection Marketplace (TDM) to search for relevant rules and queries matching the CVE, malware, ATT&CK technique, or any other item of interest. TDM aggregates over 300,000 detection algorithms and relevant context on any cyber attack or threat, including zero-days, CTI and MITRE ATT&CK references, and Red Team tooling.

UNC3886 Attack Analysis

Defenders have uncovered the long-term cyber-espionage activity linked to the Chinese group tracked as UNC3886. According to Mandiant’s research into UNC3886 offensive operations, the group’s adversary behavior patterns can be characterized as sophisticated and evasive. Chinese attackers leverage multiple-layer persistence to maintain long-term access to targeted instances, ensuring they can remain under the radar even if one layer is discovered and neutralized. The group is also known to target multiple global organizations across diverse industry sectors and is believed to be behind the exploitation of zero-day vulnerabilities in FortiOS and VMware devices, including CVE-2023-34048, CVE-2022-41328, CVE-2022-22948, and CVE-2023-20867.

Upon successful vulnerability exploitation, UNC3886 takes advantage of REPTILE and MEDUSA publicly accessible rootkits for long-term persistence and detection evasion. Attackers also deploy MOPSLED and RIFLESPINE malware, which relies on trusted third-party platforms like GitHub and Google Drive for C2. In addition, they harvest and abuse legitimate credentials using SSH backdoors to move laterally among guest virtual machines operating on compromised VMware ESXi. UNC3886 also attempts to extend its access to the target network devices by compromising the TACACS server via LOOKOVE. The latter is a C-written sniffer that intercepts TACACS+ authentication packets, decrypts them, and saves the decrypted contents to a designated file path.

Other custom malicious samples from the UNC3886 adversary toolkit include VIRTUALSHINE backdoor, which relies on VMware VMCI sockets to facilitate access to a bash shell, VIRTUALPIE, a Python-based backdoor for file transfers, running arbitrary commands, and establishing reverse shells, and VIRTUALSPHERE, a controller module linked to a VMCI-based backdoor.

Defenders recommend that organizations adhere to the security guidelines outlined in VMware and Fortinet advisories to minimize the risk of stealthy UNC3886 attacks of increasing sophistication and evasion. With the escalating threats linked to China-backed hacking collectives, implementing proactive defense capabilties is imperative to strengthen the organization’s cybersecurity posture. SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting & Detection Stack Validation equips security teams with cutting-edge capabilities to identify and thwart emerging threats before they evolve into sophisticated incidents.