Full Report
The China-nexus cyber espionage group tracked as UNC3886 has been observed targeting end-of-life MX routers from Juniper Networks as part of a campaign designed to deploy custom backdoors, highlighting their ability to focus on internal networking infrastructure. "The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that
Analysis Summary
# Threat Actor: UNC3886
## Attribution & Identity
- **Attribution:** China-nexus cyber espionage group.
- **Known Aliases/Associations:** No separate alias is given. The implants are built on TinyShell, a publicly available backdoor that other threat actors, notably **Liminal Panda** and **Velvet Ant**, have also used as the backbone for their own implants.
## Activity Summary
UNC3886 is engaged in a cyber espionage campaign against internal networking infrastructure, specifically end-of-life MX routers from Juniper Networks, observed in mid-2024. The primary goal is privileged, long-term remote access. Since being first documented in September 2022, the group has focused on exploiting zero-day vulnerabilities in edge devices, including Fortinet, Ivanti, and VMware products. A notable aspect of the recent activity is how it gets code running on Junos OS: the operators first obtained privileged access through a terminal server used for managing network devices, using legitimate credentials, and then circumvented Junos OS' Verified Exec (veriexec) protection by injecting their payload into the memory of a legitimate process (such as `cat`) rather than executing an unsigned binary from disk. Several of the implants also carry an embedded script that disables logging before operator activity and restores it afterward, so that hands-on sessions leave little trace on the device.
## Tactics, Techniques & Procedures
- Exploitation of vulnerabilities in network perimeter devices (Juniper/Fortinet/Ivanti/VMware).
- Deployment of custom, TinyShell-based backdoors with specialized functions.
- **Evasion:** Disabling logging mechanisms (e.g., using the `lmpad` backdoor to stall logging) before hands-on activity and restoring them later.
- **Execution/Persistence:** Bypassing Junos OS Verified Exec protection by injecting payloads into legitimate processes in memory (e.g., injecting into the `cat` process).
- **Command & Control:** Active backdoors connect out to hard-coded C2 servers; passive backdoors listen on the device (ICMP, UDP or TCP) and only respond to operator traffic, which keeps them out of outbound-connection monitoring.
- **Anti-Forensics:** Use of tools like GHOSTTOWN.
- **Credential Theft:** Use of PITHOOK to hijack SSH authentications and capture credentials.
- **Persistence:** Use of rootkits like Reptile and Medusa.
- **MITRE ATT&CK IDs (inferred from the techniques above):** T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts, for the terminal-server access), T1055 (Process Injection, for the veriexec bypass), T1562.001 (Impair Defenses: Disable or Modify Tools, for stalling logging), T1070 (Indicator Removal), T1021.004 (Remote Services: SSH), T1556 (Modify Authentication Process, for PITHOOK's SSH hijacking).
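The evasion technique above (stall logging, operate, restore logging) is hard to see on the device itself, but it leaves a hole in the stream a router sends to a remote syslog collector. The following detector is an added example written for this page; it is not code from the original report, Mandiant, or Juniper. Its baseline assumption (hypothetical, not something the report states) is that a production router emits at least one syslog message every `max_quiet_seconds`, so a longer silence is worth a look, especially one that starts immediately after an interactive login. The collector lines and hostnames are constructed for the example.

```python
"""Detect silence windows in per-device syslog, the trace left when an implant
stalls logging before hands-on activity and lets it resume afterwards.
Added example for this page; assumptions are marked in the comments."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed collector lines: "<ISO timestamp> <host> <process>: <message>".
# mx-edge-2 logs every ten minutes; mx-edge-1 goes quiet for ~47 minutes right
# after an interactive login and then resumes. Two lines arrive out of order
# on purpose, since collectors do not guarantee ordering per host.
SAMPLE_LOG = """\
2024-06-12T01:00:05 mx-edge-1 rpd[1420]: bgp_recv: peer 10.0.0.2 keepalive
2024-06-12T01:05:00 mx-edge-2 rpd[1501]: bgp_recv: peer 10.0.0.6 keepalive
2024-06-12T01:09:55 mx-edge-1 mgd[1234]: UI_LOGIN_EVENT: User 'ops' login from host 10.1.1.50
2024-06-12T01:04:10 mx-edge-1 rpd[1420]: bgp_recv: peer 10.0.0.2 keepalive
2024-06-12T01:15:00 mx-edge-2 rpd[1501]: bgp_recv: peer 10.0.0.6 keepalive
2024-06-12T01:25:00 mx-edge-2 rpd[1501]: bgp_recv: peer 10.0.0.6 keepalive
2024-06-12T01:35:00 mx-edge-2 rpd[1501]: bgp_recv: peer 10.0.0.6 keepalive
2024-06-12T01:45:00 mx-edge-2 rpd[1501]: bgp_recv: peer 10.0.0.6 keepalive
2024-06-12T01:55:00 mx-edge-2 rpd[1501]: bgp_recv: peer 10.0.0.6 keepalive
2024-06-12T01:57:20 mx-edge-1 mgd[1234]: UI_CMDLINE_READ_LINE: User 'ops', command 'show system uptime '
2024-06-12T02:00:00 mx-edge-1 rpd[1420]: bgp_recv: peer 10.0.0.2 keepalive
2024-06-12T02:05:00 mx-edge-2 rpd[1501]: bgp_recv: peer 10.0.0.6 keepalive
"""


@dataclass
class LogGap:
    host: str
    start: datetime
    end: datetime
    seconds: int
    after_login: bool  # the last message before the silence was an interactive login


def parse_line(line: str):
    """Split one collector line into (timestamp, host, rest-of-message)."""
    ts, host, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, rest


def find_log_gaps(log_text: str, max_quiet_seconds: int = 900):
    """Per host, sort events by time and report every silence longer than the
    threshold. The 900 s default is an assumed baseline, tune it per device."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, msg = parse_line(line)
            events[host].append((ts, msg))
    gaps = []
    for host, items in events.items():
        items.sort()  # collector order is not guaranteed, sort per host
        for (t0, m0), (t1, _) in zip(items, items[1:]):
            quiet = int((t1 - t0).total_seconds())
            if quiet > max_quiet_seconds:
                gaps.append(LogGap(host, t0, t1, quiet, "UI_LOGIN_EVENT" in m0))
    return gaps


if __name__ == "__main__":
    for gap in find_log_gaps(SAMPLE_LOG):
        flag = " (silence began right after a login)" if gap.after_login else ""
        print(f"{gap.host}: no syslog from {gap.start} to {gap.end} ({gap.seconds} s){flag}")
```

Run against a real collector export, the `after_login` flag is what separates an implant-induced silence from a quiet night: a router that stops logging seconds after a `UI_LOGIN_EVENT` and resumes with a command in progress should be treated as tampered until shown otherwise.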
## Targeting
- **Sectors:** Defense, technology, and telecommunication organizations.
- **Geography:** United States and Asia.
- **Victims:** Organizations running end-of-life Juniper Networks MX routers acting as internal networking infrastructure.
## Tools & Infrastructure
- **Malware Families Used:**
* **TinyShell-based Backdoors (Six variants identified):**
* **appid:** Supports file upload/download, interactive shell, SOCKS proxy, configuration changes (C2/port).
* **to:** Similar to `appid` but with a different set of hard-coded C2 servers.
* **irad:** Passive backdoor using libpcap to extract commands from ICMP packets.
* **lmpad:** Passive backdoor launching external scripts to perform process injection into Junos OS processes, specifically to stall logging.
* **jdosd:** UDP backdoor with file transfer and remote shell capabilities.
* **oemd:** Passive backdoor communicating via TCP, supporting standard TinyShell commands.
* **Other Tools:** Reptile (rootkit), Medusa (rootkit), PITHOOK (SSH hijacking), GHOSTTOWN (anti-forensics).
- **Infrastructure:** C2 communication facilitated via hard-coded servers embedded in specific backdoor variants.
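A passive ICMP backdoor such as `irad` never opens a socket and never beacons; it sniffs echo traffic with libpcap and pulls commands out of the packet body. The report does not describe `irad`'s wire format, so the detector below, an added example written for this page and not code from the original report, Mandiant, or Juniper, relies on a heuristic of its own: standard `ping` implementations fill the echo payload with a predictable pattern, so echo packets whose payload matches no known pattern are flagged for review. The packets, addresses and the stand-in command payload are constructed inline, so it runs offline without pcap or root.

```python
"""Heuristic detector for ICMP echo traffic carrying non-ping payloads.
Added example for this page; the payload heuristic is an assumption of the
example, not a description of irad's protocol."""
import math
import struct

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # fixed filler used by Windows ping


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(payload: bytes, icmp_type: int = 8, ident: int = 0x1234,
                      seq: int = 1, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed IPv4 + ICMP datagram (no link layer) to feed the detector."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def extract_echo(packet: bytes):
    """Return (icmp_type, payload, checksum_ok) for an echo request/reply, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:  # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] not in (0, 8):  # only echo reply / echo request
        return None
    return icmp[0], icmp[8:], inet_checksum(icmp) == 0


def is_standard_ping_payload(payload: bytes) -> bool:
    """Known benign fillers: Windows' fixed string, or the iputils counter pattern
    (byte i == i for i >= 16; the first 8 or 16 bytes hold a timestamp)."""
    if payload == WINDOWS_PING:
        return True
    if len(payload) > 16:
        return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))
    return False


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; reported as extra context for the analyst, not used as a verdict."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(packet: bytes) -> dict:
    echo = extract_echo(packet)
    if echo is None:
        return {"verdict": "ignored", "reason": "not an ICMP echo packet"}
    icmp_type, payload, checksum_ok = echo
    entropy = round(shannon_entropy(payload), 2)
    if not checksum_ok:
        return {"verdict": "suspicious", "reason": "bad ICMP checksum", "entropy": entropy}
    if not payload:
        return {"verdict": "benign", "reason": "empty payload", "entropy": entropy}
    if is_standard_ping_payload(payload):
        return {"verdict": "benign", "reason": "standard ping filler", "entropy": entropy}
    kind = "request" if icmp_type == 8 else "reply"
    return {"verdict": "suspicious", "entropy": entropy,
            "reason": "echo %s with unrecognised %d-byte payload" % (kind, len(payload))}


def suspicious(packets):
    return [r for r in (classify(p) for p in packets) if r["verdict"] == "suspicious"]


# Constructed samples: a Linux-style ping, a Windows-style ping, a stand-in
# command payload (invented for the example), and a non-echo ICMP message.
LINUX_PING = b"\x00\x01\x02\x03\x04\x05\x06\x07" + bytes(range(8, 56))
COVERT = b"\x00\x00" + b"run:uname -a;cat /var/log/messages"
SAMPLE_PACKETS = [
    build_icmp_packet(LINUX_PING),
    build_icmp_packet(WINDOWS_PING, seq=2),
    build_icmp_packet(COVERT, seq=3, src="203.0.113.9"),
    build_icmp_packet(b"\x00" * 8 + b"\x45\x00" + bytes(26), icmp_type=3),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify(pkt))
```

On a real capture, run `classify` over every ICMP packet seen at a span port in front of the router, not on the router itself, since a compromised device is the wrong place to host the detector. Expect some false positives from monitoring tools that pad echo requests with their own markers; whitelist those by payload once identified rather than by source address, which an operator can spoof.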
## Implications
UNC3886 demonstrates an advanced understanding of networking device internals (Junos OS) and perimeter security controls. Their shift toward compromising routing devices grants them crucial, long-term access to the backbone of target networks, aligning with trends observed in espionage actors seeking high-level, potentially disruptive access while maintaining extreme stealth through aggressive log tampering.
## Mitigations
- Upgrade Juniper devices to the latest images released by Juniper Networks.
- Utilize the Juniper Malware Removal Tool (JMRT) to scan and remove infections.
- Implement robust security monitoring and detection solutions, especially on network perimeter/edge devices, as the actor exploits their relative lack of monitoring.
- Review and secure terminal servers used for network management to prevent unauthorized privileged access.