Threat Advisory

UNC5174 Uses VShell Remote Access Trojan via Fileless Payload

Threat: Malware
Threat Actor Name: UNC5174
Targeted Region: China, Asia, United States, Canada, United Kingdom
Threat Actor Region: China
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A Chinese state-sponsored threat actor, UNC5174, has been identified using a new open source tool and command and control infrastructure in a campaign against organizations in various regions. This threat actor was previously known for using the SUPERSHELL reverse shell tool but has now adopted VShell, an open source remote access trojan popular among Chinese-speaking cybercriminals. The SNOWLIGHT malware acts as a dropper for a fileless payload that resides solely in memory, called VShell.

The use of WebSockets for command and control is a notable feature of this threat actor's techniques. The SNOWLIGHT malware downloads multiple executable files for persistence, including the variant of UNC5174’s SNOWLIGHT malware. This campaign demonstrates the threat actor's highly technical capabilities and customized tools that are not easily copied by others.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A Chinese state-sponsored threat actor, UNC5174, has been identified using a new open source tool and command and control infrastructure in a campaign against organizations in various regions. This threat actor was previously known for using the SUPERSHELL reverse shell tool but has now adopted VShell, an open source remote access trojan popular among Chinese-speaking cybercriminals. The SNOWLIGHT malware acts as a dropper for a fileless payload that resides solely in memory, called VShell.

The use of WebSockets for command and control is a notable feature of this threat actor's techniques. The SNOWLIGHT malware downloads multiple executable files for persistence, including the variant of UNC5174’s SNOWLIGHT malware. This campaign demonstrates the threat actor's highly technical capabilities and customized tools that are not easily copied by others.[emaillocker id="1283"]

UNC5174 targets various organizations, including research institutions, government organizations, think tanks, and technology companies in Western countries, as well as non-governmental organizations in the Asian-Pacific region. The use of VShell and SNOWLIGHT malware poses a significant risk to these organizations due to their stealthy and techniques.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1566.002 Phishing Spearphishing Link
Execution T1059.001 Command and Scripting Interpreter PowerShell
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Defence Evasion T1036.005 Masquerading Match Legitimate Resource Name or Location
Collection T1005 Data from Local System -
Command and control T1071.001 Application Layer Protocol Web Protocols
Exfiltration T1041 Exfiltration Over C2 Channel -

MBC MAPPING:

Objective Behavior ID Behavior
Command & Control B0030 C2 Communication
Impact B0022 Remote Access
Execution E1204 User Execution
Persistence F0012 Registry Run Keys / Startup Folder
Command & Control E1105 Ingress Tool Transfer

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu