A Chinese state-sponsored threat actor, UNC5174, has been identified using a new open source tool and command and control infrastructure in a campaign against organizations in various regions. This threat actor was previously known for using the SUPERSHELL reverse shell tool but has now adopted VShell, an open source remote access trojan popular among Chinese-speaking cybercriminals. The SNOWLIGHT malware acts as a dropper for a fileless payload that resides solely in memory, called VShell.
The use of WebSockets for command and control is a notable feature of this threat actor's techniques. The SNOWLIGHT malware downloads multiple executable files for persistence, including the variant of UNC5174’s SNOWLIGHT malware. This campaign demonstrates the threat actor's highly technical capabilities and customized tools that are not easily copied by others.[/subscribe_to_unlock_form]
A Chinese state-sponsored threat actor, UNC5174, has been identified using a new open source tool and command and control infrastructure in a campaign against organizations in various regions. This threat actor was previously known for using the SUPERSHELL reverse shell tool but has now adopted VShell, an open source remote access trojan popular among Chinese-speaking cybercriminals. The SNOWLIGHT malware acts as a dropper for a fileless payload that resides solely in memory, called VShell.
The use of WebSockets for command and control is a notable feature of this threat actor's techniques. The SNOWLIGHT malware downloads multiple executable files for persistence, including the variant of UNC5174’s SNOWLIGHT malware. This campaign demonstrates the threat actor's highly technical capabilities and customized tools that are not easily copied by others.[emaillocker id="1283"]
UNC5174 targets various organizations, including research institutions, government organizations, think tanks, and technology companies in Western countries, as well as non-governmental organizations in the Asian-Pacific region. The use of VShell and SNOWLIGHT malware poses a significant risk to these organizations due to their stealthy and techniques.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Collection | T1005 | Data from Local System | - |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Impact | B0022 | Remote Access |
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Command & Control | E1105 | Ingress Tool Transfer |
The following reports contain further technical details:
[/emaillocker]