

Ethical Hacking News

UNC6148 Unleashes Overstep Malware on SonicWall Devices: A Sophisticated Backdoor and Rootkit




A newly documented malware family targeting SonicWall devices can allow attackers to steal sensitive data, deploy ransomware, or extort organizations. The backdoor and rootkit, dubbed OVERSTEP, is deployed by the threat group tracked as UNC6148 and employs a range of techniques to evade detection. This article provides an in-depth analysis of the group's tactics and techniques and offers insights into how organizations can protect themselves against this threat.

  • Google's Threat Intelligence Group (GTIG) has identified a highly sophisticated malware campaign, UNC6148, targeting SonicWall SMA appliances with a custom-made backdoor and user-mode rootkit dubbed Overstep.
  • UNC6148 uses stolen credentials, exploits zero-day vulnerabilities, and evades detection to potentially enable data theft, extortion, or ransomware attacks.
  • The attackers leverage compromised credentials and one-time password seeds to regain access even after security updates have been applied.
  • A potential link has been found between UNC6148's activities and earlier reported exploits tied to Abyss/VSOCIETY ransomware.
  • UNC6148 deployed the OVERSTEP rootkit, which achieves persistence by modifying system directories and boot scripts, allowing it to remain on the device even after reboot.
  • The OVERSTEP backdoor is designed to target SonicWall SMA 100 series appliances and can hijack standard library functions to inspect web server log data for embedded commands.
  • Organizations that rely on SonicWall SMA devices are advised to take proactive measures to detect and respond to potential attacks as researchers continue to analyze the tactics, techniques, and procedures (TTPs) of the UNC6148 group.



The cybersecurity landscape has been shaken by the recent discovery of a highly sophisticated malware campaign attributed to a threat actor code-named UNC6148. This group, tracked by Google's Threat Intelligence Group (GTIG), has been targeting SonicWall SMA appliances with a custom-made backdoor and user-mode rootkit dubbed OVERSTEP. Active since at least October 2024, the group has demonstrated an impressive level of sophistication, leveraging stolen credentials, exploiting zero-day vulnerabilities, and employing techniques designed to evade detection.

According to the report published by GTIG, UNC6148 has been utilizing a backdoor and user-mode rootkit to potentially enable data theft, extortion, or ransomware attacks. While these activities suggest financial motives, researchers have not yet confirmed them definitively. The attackers appear to be leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.

A May 2025 victim appeared on the "World Leaks" data leak site in June, suggesting a potential link between UNC6148's activities and earlier reported exploits tied to Abyss/VSOCIETY ransomware. In June 2025, UNC6148 compromised a SonicWall SMA 100 series appliance by establishing a VPN session using stolen admin credentials. Once they gained access to the device, they launched a reverse shell, despite this not being supported by the device's design, likely via an unknown exploit.

Through the shell, UNC6148 conducted reconnaissance, manipulated files, and exported/imported device settings, possibly modifying them offline to maintain access. They then deployed the OVERSTEP rootkit by decoding it, placing it in key system directories, and achieving persistence via /etc/ld.so.preload. To further entrench OVERSTEP, they modified the device's boot script (rc.fwboot) to inject malicious code into the initial RAM disk (INITRD), ensuring it loads on every boot.

The OVERSTEP backdoor is a sophisticated piece of malware written in C and designed to target SonicWall SMA 100 series appliances. It achieves persistence by registering its shared library in the /etc/ld.so.preload file, which causes the dynamic loader to inject the malicious library into every newly launched process and lets it hijack standard library functions such as open, open64, readdir, readdir64, and write. Its rootkit capabilities conceal its presence by blocking access to specific files and hiding associated processes and directory entries.

OVERSTEP uses a hijacked write function to inspect web server log data for embedded commands. These commands are delivered through seemingly normal web requests and are extracted directly from intercepted log buffers. The researchers identified two main commands: dobackshell, which launches a reverse shell to a specified IP and port, and dopasswords, which creates a tar archive of sensitive system files and stores it in a publicly accessible web directory with open permissions, allowing easy download by the attacker.
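Because the command channel described above rides on ordinary web requests that end up in the appliance's web server logs, the most direct detection is to sweep those logs (ideally copies forwarded off the device, since OVERSTEP deletes its own traces when it can) for the two command names GTIG reported. The following is an added example written for this article, not code from GTIG, SonicWall, or the malware itself: the log lines are constructed in a common-log-style layout that stands in for httpd.log (the real SMA log format and the exact request shape the malware uses are not given on the page and are assumed here), and percent-encoding is decoded before matching so an encoded token is not missed.

```python
import re
from urllib.parse import unquote

# Command names reported by GTIG for OVERSTEP (taken from the article above).
OVERSTEP_COMMANDS = ("dobackshell", "dopasswords")

# Constructed sample log lines. These are NOT real SonicWall SMA log output; the
# request shapes, IPs and user-agents are invented purely for this demonstration.
SAMPLE_HTTPD_LOG = """\
203.0.113.10 - - [17/Jul/2025:04:01:12 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jul/2025:04:01:15 +0000] "GET /images/logo.png HTTP/1.1" 200 887 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2025:04:02:40 +0000] "GET /cgi-bin/welcome?x=dobackshell HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2025:04:03:02 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 5123 "-" "dopass%77ords"
203.0.113.10 - - [17/Jul/2025:04:05:00 +0000] "POST /cgi-bin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Loose common-log-format parser: client IP, timestamp, request line, status,
# size, and the optional referer / user-agent pair. Assumed layout, see above.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def find_overstep_commands(log_text):
    """Return one hit per (line, command token) found anywhere in a log line.

    The whole raw line is searched, not just the URI, because the page says the
    command is extracted from the intercepted log buffer, which can contain any
    logged field (path, query string, user-agent, referer).
    """
    hits = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        m = LOG_LINE.match(raw)
        fields = m.groupdict() if m else {"ip": None, "ts": None, "request": raw}
        # Decode %XX sequences and lower-case so encoding or case tricks don't hide the token.
        haystack = unquote(raw).lower()
        for token in OVERSTEP_COMMANDS:
            if token in haystack:
                hits.append({
                    "line": line_no,
                    "client_ip": fields["ip"],
                    "timestamp": fields["ts"],
                    "token": token,
                    "request": fields["request"],
                })
    return hits


def clients_with_commands(hits):
    """Sorted list of distinct client IPs that issued at least one command."""
    return sorted({h["client_ip"] for h in hits if h["client_ip"]})


if __name__ == "__main__":
    found = find_overstep_commands(SAMPLE_HTTPD_LOG)
    for h in found:
        print(f"line {h['line']}: {h['token']} from {h['client_ip']} at {h['timestamp']}")
    print("clients to investigate:", clients_with_commands(found))
```

A clean sweep of the on-box logs is not proof of absence: the article notes that OVERSTEP removes its own entries from httpd.log, http_request.log, and inotify.log once it has root, so run this against log copies exported or forwarded before the compromise window, and treat unexplained gaps in those files as a finding in their own right.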

To cover its tracks, OVERSTEP attempts to remove traces of these commands from system log files such as httpd.log, http_request.log, and inotify.log, provided it can elevate privileges to root. The rootkit's persistence is reinforced by locking the /etc/ld.so.preload file with the FS_IMMUTABLE_FL flag, so the file cannot be modified or deleted until that flag is cleared.
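The persistence mechanism described in the last few paragraphs (a library registered in /etc/ld.so.preload, the file locked with FS_IMMUTABLE_FL, and a modified rc.fwboot) leaves artifacts that are hard to see from inside a running appliance, because the hooked readdir and open calls hide them, but are plain to see on a disk image mounted read-only from another host. The following triage script is an added example written for this article, not a GTIG or SonicWall tool: it walks a mounted image root, reports every ld.so.preload entry and whether the named library is actually present, reads the immutable attribute through the Linux FS_IOC_GETFLAGS ioctl (the constant value is the 64-bit Linux one and is assumed; the call degrades to None on hosts or filesystems that do not support it), and hashes any rc.fwboot it finds so it can be compared against a known-good hash the analyst supplies. The assumption that a clean appliance has no ld.so.preload entries at all is the author's, not the page's; verify it against a known-good image of the same firmware build. The mini image tree built by run_demo() is constructed for the demonstration, and the library name in it is a placeholder rather than the real OVERSTEP filename.

```python
import array
import hashlib
import os
import tempfile

try:
    import fcntl  # Linux/Unix only; the ioctl below is Linux-specific
except ImportError:  # pragma: no cover
    fcntl = None

FS_IOC_GETFLAGS = 0x80086601   # _IOR('f', 1, long) on 64-bit Linux (assumption; 32-bit is 0x80046601)
FS_IMMUTABLE_FL = 0x00000010   # the attribute flag named in the article


def is_immutable(path):
    """True/False for the immutable attribute, or None if it cannot be read here."""
    if fcntl is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return None
    try:
        buf = array.array("l", [0])
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return bool(buf[0] & FS_IMMUTABLE_FL)
    except OSError:
        return None          # filesystem without attribute support, or non-Linux host
    finally:
        os.close(fd)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def read_preload_entries(root):
    """Library paths listed in <root>/etc/ld.so.preload (comments and blanks skipped)."""
    preload = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(preload):
        return preload, []
    with open(preload, "r", errors="replace") as fh:
        entries = [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]
    return preload, entries


def triage_image(root, known_good_rcfwboot_sha256=None):
    """Inspect a read-only mounted image under `root`; return a list of finding dicts."""
    findings = []
    preload, entries = read_preload_entries(root)
    if entries:
        findings.append({"type": "ld_so_preload_present", "path": preload,
                         "entries": entries, "immutable": is_immutable(preload)})
        for lib in entries:
            on_image = os.path.join(root, lib.lstrip("/"))
            present = os.path.isfile(on_image)
            findings.append({"type": "preload_library", "library": lib, "exists": present,
                             "sha256": sha256_file(on_image) if present else None})
    for dirpath, _dirs, files in os.walk(root):
        if "rc.fwboot" in files:      # location on the appliance is not given; search for it
            path = os.path.join(dirpath, "rc.fwboot")
            digest = sha256_file(path)
            match = None if known_good_rcfwboot_sha256 is None else digest == known_good_rcfwboot_sha256
            findings.append({"type": "rc_fwboot", "path": path, "sha256": digest,
                             "matches_known_good": match})
    return findings


def build_constructed_image(base):
    """Create a tiny fake image tree for the demo (constructed; not real SMA contents)."""
    os.makedirs(os.path.join(base, "etc"), exist_ok=True)
    os.makedirs(os.path.join(base, "usr", "lib"), exist_ok=True)
    with open(os.path.join(base, "etc", "ld.so.preload"), "w") as fh:
        fh.write("/usr/lib/libexample_hook.so\n")          # placeholder name, not OVERSTEP's
    with open(os.path.join(base, "usr", "lib", "libexample_hook.so"), "wb") as fh:
        fh.write(b"\x7fELF placeholder bytes")
    with open(os.path.join(base, "etc", "rc.fwboot"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed boot-script stand-in\n")
    return base


def run_demo(known_good_rcfwboot_sha256=None):
    """Build the constructed image in a temp dir and triage it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_image(build_constructed_image(tmp), known_good_rcfwboot_sha256)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In practice the ld_so_preload_present finding should be cross-checked two ways: the library's hash against the vendor's known-good file set for that firmware build, and the immutable flag result, since a preload file that is both present and immutable on an appliance is exactly the state the article attributes to OVERSTEP.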

In conclusion, the UNC6148 campaign targeting SonicWall SMA appliances represents a significant threat to organizations that rely on these devices for their security posture. As researchers continue to analyze and understand the tactics, techniques, and procedures (TTPs) employed by this group, it is essential for organizations to take proactive measures to detect and respond to potential attacks.



Related Information:
  • https://www.ethicalhackingnews.com/articles/UNC6148-Unleashes-Overstep-Malware-on-SonicWall-Devices-A-Sophisticated-Backdoor-and-Rootkit-ehn.shtml
  • https://securityaffairs.com/180035/hacking/unc6148-deploys-overstep-malware-on-sonicwall-devices-possibly-for-ransomware-operations.html


  • Published: Thu Jul 17 04:24:30 2025 by llama3.2 3B Q4_K_M












