An alleged Chinese hacking campaign has targeted unpatched SonicWall Secure Mobile Access (SMA) devices to install custom malware that establishes long-term persistence for cyber-espionage campaigns.
Deployed malware is customized for SonicWall devices and is used to steal user credentials, provide shell access to attackers, and even persist through firmware updates.
The campaign was discovered by Mandiant and SonicWall’s PSIRT team, who track the actor behind it as UNC4540, a group likely of Chinese origin.
New malware targets SonicWall devices
The malware used on SonicWall devices consists of an ELF binary, the TinyShell backdoor, and various bash scripts that display a deep understanding of the targeted network devices.
“The overall behavior of the malicious bash script suite shows a detailed understanding of the device and is well-matched to the system for stability and persistence,” Mandiant explains.
The main module, called ‘firewalld’, runs SQL commands against the device’s database to steal the encrypted credentials of all logged-in users.
The stolen credentials are copied to a text file created by the attacker in ‘tmp/syslog.db’ and then retrieved for offline decryption.
Additionally, firewalld launches other malware components, such as TinyShell, to establish a reverse shell on the device for easy remote access.
Finally, the main malware module also adds a small patch to the legitimate ‘fire-based’ SonicWall binary, but Mandiant researchers were unable to determine its exact purpose.
Analysts hypothesize that this modification helps the stability of the malware when the shutdown command is entered on the device.
While it’s unclear which vulnerability was used to compromise the devices, Mandiant says the targeted devices weren’t patched, making them likely vulnerable to older flaws.
Recent flaws disclosed by SonicWall [1, 2, 3] that affected SMA devices allowed unauthenticated access to the devices and could have been used in campaigns like this one.
Persistence and resilience
Mandiant says there are indications that the malware was installed on the systems tested as early as 2021 and persisted through multiple subsequent firmware updates on the device.
Threat actors achieved this by using scripts that offer redundancy and ensure long-term access to compromised devices.
For example, there is a script called “iptabled” which is essentially the same module as firewalld but is only called by the startup script (“rc.local”) if the main malware process is killed, crashes, or fails to start.
In addition, the attackers implemented a process where a bash script (“geoBotnetd”) checks “/cf/FIRMWARE/NEW/INITRD.GZ” for new firmware updates every 10 seconds. If one is found, the malware is injected into the update package to survive even after firmware updates.
The script also adds a backdoor user named “acme” to the update file so that it can maintain access after the firmware update is applied to the breached device.
System administrators are advised to apply the latest security updates provided by SonicWall for SMA100 devices.
The recommended target version at this time is 10.2.1.7 or higher, which adds File Integrity Monitoring (FIM) and Failed Process Identification; these features should detect and stop this threat.
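As an added illustration of what the file-integrity-monitoring approach credited to 10.2.1.7 catches, the following example code (not SonicWall’s or Mandiant’s) baselines a file set, reports additions and modifications, and lists startup commands in rc.local that are not on an allowlist; every path and file body in it is a constructed sample, not a real device artifact.

```python
"""Toy file-integrity check modelled on the FIM the article credits to SMA 10.2.1.7.
Every path and file body below is a constructed sample, not a real device artifact."""
import hashlib
import re

def baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Trusted snapshot: one SHA-256 per path, taken right after a clean install."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff(base: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the live file set with the snapshot. On an appliance whose files
    should only change through firmware updates, every entry here needs a reason."""
    now = baseline(current)
    return {
        "added": sorted(p for p in now if p not in base),
        "removed": sorted(p for p in base if p not in now),
        "modified": sorted(p for p in now if p in base and now[p] != base[p]),
    }

def unexpected_startup_entries(rc_local: bytes, allowlist: set[str]) -> list[str]:
    """Commands launched from rc.local that are not on the allowlist. The article
    describes rc.local (re)launching the implant, so this is the file to watch."""
    found = []
    for line in rc_local.decode().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # A single line may chain several commands (a || b, a && b, a; b).
        for part in re.split(r"\|\||&&|;", line):
            words = part.split()
            if words:
                cmd = words[0].rsplit("/", 1)[-1]  # basename of the executable
                if cmd not in allowlist:
                    found.append(cmd)
    return found

# Constructed samples: clean snapshot versus the same device after the implant lands.
CLEAN = {
    "/etc/rc.local": b"#!/bin/sh\n/usr/sbin/sshd\nexit 0\n",
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
}
COMPROMISED = {
    # fallback chain as described in the article: iptabled runs only if firewalld does not
    "/etc/rc.local": b"#!/bin/sh\n/usr/sbin/sshd\n/bin/firewalld || /bin/iptabled\nexit 0\n",
    # the backdoor account the article names, added to the account database
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\nacme:x:0:0::/root:/bin/sh\n",
    "/bin/geoBotnetd": b"#!/bin/bash\n# placeholder body for the firmware-watching script\n",
}
ALLOWED_STARTUP = {"sshd", "exit"}
```

Run `diff(baseline(CLEAN), COMPROMISED)` to see the added script and the two modified files, and `unexpected_startup_entries(COMPROMISED["/etc/rc.local"], ALLOWED_STARTUP)` to see the implant and its fallback flagged.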
This campaign shares many similarities with recent attacks that targeted a zero-day vulnerability in Fortinet SSL-VPN devices used by government organizations and government-related targets.
Similar to the SonicWall campaign, the threat actors behind the Fortinet attacks displayed intimate knowledge about the devices and how they operated to inject custom malware for persistence and data theft.
“In recent years, Chinese attackers have deployed multiple malware and zero-day exploits to a variety of Internet-facing network devices as a route to full-blown business intrusion, and the instance reported here is part of a recent pattern that Mandiant expected to continue in the near term,” Mandiant warns in the report.