A suspected Chinese hacking campaign has been targeting unpatched SonicWall Secure Mobile Access (SMA) appliances to install custom malware that establishes long-term persistence for cyber espionage campaigns.
The deployed malware is customized for SonicWall devices and is used to steal user credentials, provide shell access to the attackers, and even persist through firmware upgrades.
The campaign was discovered by Mandiant and SonicWall's PSIRT team, who track the actor behind it as UNC4540, likely to be of Chinese origin.
New malware targets SonicWall devices
The malware used on SonicWall devices consists of an ELF binary, the TinyShell backdoor, and several bash scripts that show a deep understanding of the targeted network devices.
"The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well tailored to the system to provide stability and persistence," explains Mandiant.
The main module, named 'firewalld,' executes SQL commands against the appliance's database to steal the hashed credentials of all logged-in users.
The stolen credentials are copied on a text file created by the attacker at 'tmp/syslog.db' and are later retrieved to be cracked offline.
Additionally, firewalld launches other malware components, like TinyShell, to establish a reverse shell on the appliance for easy remote access.
Finally, the main malware module also adds a small patch to the legitimate SonicWall binary 'firebased,' but Mandiant's researchers couldn't determine its exact purpose.
The analysts hypothesize that this modification helps the malware's stability when the shutdown command is entered on the device.
While it is unclear what vulnerability was used to compromise devices, Mandiant says that the targeted devices were unpatched, making them likely vulnerable to older flaws.
Recent flaws disclosed by SonicWall [1, 2, 3] that impacted SMA devices allowed unauthenticated access to devices, which could then be used in campaigns like this one.
Persistence and resilience
Mandiant says there are signs that the malware was installed on the examined systems all the way back in 2021 and persisted through multiple subsequent firmware updates on the appliance.
The threat actors achieved this by using scripts that offer redundancy and ensure long-term access to breached devices.
For example, there's a script named "iptabled" that is essentially the same module as firewalld but will be only called by the startup script ("rc.local") if the primary malware process exits, crashes, or can't be launched.
Additionally, the attackers implemented a process where a bash script ("geoBotnetd") checks for new firmware updates at "/cf/FIRMWARE/NEW/INITRD.GZ" every 10 seconds. If one is found, the malware injects itself into the upgrade package to survive even after firmware upgrades.
The script also adds a backdoor user named "acme" on the upgrade file so they can maintain access after the firmware update is applied to the breached appliance.
System administrators are advised to apply the latest security updates provided by SonicWall for SMA100 appliances.
The recommended target version right now is 10.2.1.7 or higher, which includes File Integrity Monitoring (FIM) and anomalous process identification, which should detect and stop this threat.
This campaign shares many similarities with recent attacks that targeted a zero-day vulnerability in Fortinet SSL-VPN devices used by government organizations and government-related targets.
Similar to the SonicWall campaign, the threat actors behind the Fortinet attacks showed intimate knowledge about the devices and how they operated to inject custom malware for persistence and data theft.
"In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of internet facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term," warns Mandiant in the report.