Uncovering UNC3886 Espionage Operations
Researchers have detailed the activities of the UNC3886 group which compromised guest virtual machines to access critical systems. The group used rootkits like REPTILE and MEDUSA for persistence deployed malware that used trusted third-party services (e.g. GitHub Google Drive) for command and control (C2) and utilized Secure Shell (SSH) backdoors to collect credentials. They exploited zero-day vulnerabilities to access vCenter servers and ESXi servers gaining control of guest VMs. UNC3886 used malware including MOPSLED and RIFLESPINE and relied on valid credentials for lateral movement. They also deployed backdoors such as VIRTUALSHINE VIRTUALPIE and VIRTUALSPHERE to facilitate communication and command execution between guest and host systems.