
A threat activity cluster has been observed targeting fully patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 Series appliances as part of a campaign designed to drop a backdoor called OverStep.
The malicious activity, dating back to at least October 2024, is attributed by Google Threat Intelligence Group (GTIG) to a group it tracks as UNC6148.
The tech giant has assessed with confidence that “threat actors are leveraging credentials and one-time password (OTP) seeds that were stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”
“Analysis of network traffic metadata records suggests that UNC6148 may have first exfiltrated these credentials from the SMA appliance in January 2025.”
The exact initial access vector used to deliver the malware is currently unknown, owing to the steps the threat actors took to remove log entries. However, it is believed that access may have been gained through known security flaws such as CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475, or CVE-2025-32819.
Alternatively, the tech giant’s threat intelligence team theorized that administrator credentials could have been obtained from information-stealer logs or from credential marketplaces, while noting that there is no evidence to support this hypothesis.

It is known that once access is obtained, the threat actor establishes an SSL-VPN session and spawns a reverse shell. Since the design of these appliances should not permit shell access, how this was achieved remains unknown; it is believed it may have been accomplished through a zero-day flaw.
The reverse shell is used to run reconnaissance and file manipulation commands, as well as to export and import settings on the SMA appliance. This suggests that UNC6148 may have modified the exported configuration file offline to include new rules that prevent the access gateway from interrupting or blocking its operations.
The attack culminates in the deployment of a previously undocumented implant named OverStep, which patches a variety of file system-related functions to maintain access, steal credentials, hide its own components, and modify the appliance’s boot process.
This is achieved by hijacking standard library functions such as open and readdir to implement a user-mode rootkit that hides artifacts associated with the attack. The malware also hooks the write API function to receive commands from the attacker-controlled server, embedded within web requests:
- dobackshell: launches a reverse shell to the specified IP address and port
- dopasswords: creates a TAR archive of the file /tmp/temp.db, which is then downloaded through a web browser
“UNC6148 modified the legitimate RC file ‘/etc/rc.d/rc.fwboot’ to achieve OverStep persistence,” GTIG said. “The change meant that every time the appliance was restarted, the OverStep binary would be loaded into the appliance’s running file system.”
Once the deployment step is complete, the threat actor clears the system logs and restarts the firewall to activate execution of the C-based backdoor. The malware also attempts to remove traces of command execution from various log files, such as httpd.log, http_request.log, and inotify.log.
“The actors’ success in hiding their tracks is primarily due to OverStep’s ability to selectively delete log entries [from the three log files],” Google said. “Combined with the lack of shell history on disk, this anti-forensic measure significantly reduces visibility into the actors’ secondary objectives.”
Google has assessed with moderate confidence that UNC6148 may have weaponized an unknown zero-day remote code execution vulnerability to deploy OverStep on targeted SonicWall SMA appliances. Furthermore, the operation is suspected to be carried out with the intention of facilitating data theft, extortion, and possibly ransomware deployment.

The connection stems from the fact that one of the organizations targeted by UNC6148 was posted on a data leak site run by World Leaks, an extortion gang run by individuals previously associated with the Hunters International ransomware operation. It is worth noting that Hunters International recently shut down its criminal operations.
According to Google, UNC6148 shows tactical overlaps with earlier exploitation of SonicWall SMA devices observed in July 2023.
That exploitation activity was subsequently linked to the deployment of Abyss ransomware by security researcher Stephan Berger.
The findings once again highlight the increasing focus of threat actors on edge network devices, which are not normally covered by common security tools such as endpoint detection and response (EDR) and anti-virus software, allowing intruders to slip into target networks unnoticed.
“Organizations should acquire disk images for forensic analysis to avoid interference from the rootkit’s anti-forensic capabilities. Organizations may need to engage with SonicWall to capture disk images from physical appliances,” Google said.