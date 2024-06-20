erek
“The most important of the listed attack tools are:
- Mopsled – Shellcode-based modular backdoor designed to retrieve and execute plugins, allowing it to expand its capabilities dynamically. It's seen in vCenter servers and other breached endpoints alongside Reptile.
- Riflespine – Cross-platform backdoor leveraging Google Drive for command and control (C2). It uses a systemd service for persistence, collects system information, and executes commands received from the C2.
- Lookover – Custom sniffer to capture TACACS+ credentials by processing authentication packets, decrypting, and logging their contents. Deployed in TACACS+ servers, it helps attackers extend their network access reach.
- Backdoored SSH execs – UNC3886 deployed modified versions of SSH clients and daemons to capture credentials and store them in XOR-encrypted log files. To prevent overwriting by updates, the attackers use 'yum-versionlock.'
- VMCI backdoors – Backdoor family exploiting the Virtual Machine Communication Interface (VMCI) to facilitate communication between guest and host virtual machines. Includes 'VirtualShine' (bash shell access through VMCI sockets), 'VirtualPie' (file transfer, command execution, reverse shell), and 'VirtualSphere' (controller transmitting the commands).
The complete list with indicators of compromise and YARA rules to detect UNC3886 activity is at the bottom of Mandiant's report.”
Source: https://www.bleepingcomputer.com/ne...se-linux-rootkits-to-hide-on-vmware-esxi-vms/
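As an added triage helper (not code from the article or from Mandiant's report) for the backdoored-SSH technique quoted above: it checks `rpm -V` output for SSH binaries whose digest no longer matches the package database and cross-checks `yum versionlock list` for pinned openssh packages. Both inputs below are constructed samples so the script runs offline; on a real host you would pipe in the live command output instead.

```shell
# Added triage helper, not from the article or Mandiant's report. Real input:
# `rpm -V openssh openssh-clients openssh-server` and `yum versionlock list`.
# The two samples below are constructed so the script runs offline.

# Constructed rpm -V output: ssh and sshd have a digest mismatch ('5' in column 3),
# the config file was edited (a 'c' file, not a finding), scp only has a new mtime.
RPM_V_SAMPLE=$(cat <<'EOF'
S.5....T.    /usr/bin/ssh
S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/scp
EOF
)

# Constructed `yum versionlock list` output with openssh packages pinned.
VERSIONLOCK_SAMPLE=$(cat <<'EOF'
Loaded plugins: versionlock
0:openssh-8.0p1-19.el8.*
0:openssh-server-8.0p1-19.el8.*
0:kernel-4.18.0-477.el8.*
versionlock list done
EOF
)

# Reads rpm -V output on stdin; prints paths of non-config files whose digest
# no longer matches the RPM database (flag string columns: S M 5 D L U G T P).
modified_ssh_binaries() {
  awk 'NF >= 2 && $2 != "c" && substr($1, 3, 1) == "5" { print $NF }'
}

# Reads versionlock output on stdin; prints lock entries for openssh packages
# (yum format "0:openssh-..." and dnf format "openssh-0:..." both match).
locked_ssh_packages() {
  grep -E '(^|:)openssh' || true
}

# $1: rpm -V output, $2: versionlock output. Prints a one-line verdict.
triage() {
  mods=$(printf '%s\n' "$1" | modified_ssh_binaries)
  locks=$(printf '%s\n' "$2" | locked_ssh_packages)
  if [ -z "$mods" ]; then
    echo "clean: no modified SSH binaries"
  elif [ -z "$locks" ]; then
    echo "suspicious: modified SSH binaries: $(printf '%s' "$mods" | tr '\n' ' ')"
  else
    echo "high: modified SSH binaries pinned by versionlock: $(printf '%s' "$mods" | tr '\n' ' ')"
  fi
}

triage "$RPM_V_SAMPLE" "$VERSIONLOCK_SAMPLE"
```

A digest mismatch on ssh/sshd plus a versionlock entry for openssh is the combination the article describes; either signal alone still deserves a look, since a legitimate admin can also pin packages.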