“REPTILE seemed to be the rootkit of choice for UNC3886, as it was observed being deployed immediately after gaining access to compromised endpoints,” Mandiant added. “REPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides backdoor access to a system.”
MEDUSA, too, is an open-source rootkit with capabilities for logging user credentials from successful authentications, either local or remote, and for logging command executions. “These capabilities are advantageous to UNC3886 given their modus operandi of moving laterally using valid credentials,” Mandiant added.
Using a trusted third party as C2
The threat actor was seen using malware, such as MOPSLED and RIFLESPINE, that abuses trusted third-party services including GitHub and Google Drive as command-and-control (C2) channels, while relying on rootkits to maintain persistence.