Full Report
The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems. "Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of
Analysis Summary
# Threat Actor: UNC5174
## Attribution & Identity
China-linked threat actor, affiliated with the Chinese government. Also referred to as Uteus (or Uetus). Characterized as moderately sophisticated and discreet.
## Activity Summary
UNC5174 has been attributed to a new campaign leveraging a variant of the SNOWLIGHT malware and the open-source tool VShell to infect Linux systems. Previously documented by Mandiant for exploiting security flaws in Connectwise ScreenConnect and F5 BIG-IP to deploy SNOWLIGHT and GOHEAVY. ANSSI observed similar tradecraft targeting Ivanti CSA vulnerabilities (CVE-2024-8963, CVE-2024-9380, CVE-2024-8190). The current campaign (observed late January 2025) utilized a malicious bash script to deploy SNOWLIGHT and Sliver components to establish persistence before delivering the VShell RAT.
## Tactics, Techniques & Procedures
- Leveraged open-source tools (VShell) to blend in with less technical adversaries.
- Used a C-based ELF downloader (SNOWLIGHT).
- Deployed Golang components, including the GOHEAVY tunneler and GOREVERSE reverse shell backdoor.
- Subsequent stages included a fileless, in-memory payload (VShell).
- Established persistence using binaries like 'dnsloger' and 'system\_worker'.
- Employed WebSockets for Command-and-Control (C2).
- Previously documented use of a rootkit code.
- Potential exploitation of vulnerabilities in Connectwise ScreenConnect, F5 BIG-IP, and Ivanti Cloud Service Appliance (CSA).
## Targeting
- Sectors: Critical Information Infrastructure (mentioned generally in relation to attribution claims), various sectors targeted by associated exploitation (e.g., Ivanti exploitation linked to a multitude of sectors).
- Geography: Not explicitly clear for the *new* campaign, but associated activities targeted organizations across Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States.
- Victims: Specific organizations not named for the current SNOWLIGHT/VShell campaign, but previous activity targeted victims via Ivanti CSA, Connectwise ScreenConnect, and F5 BIG-IP.
## Tools & Infrastructure
- **Malware families used:** SNOWLIGHT (variant), VShell (RAT, open-source, distributed as fake Cloudflare authenticator on macOS), GOHEAVY (Golang tunneler), GOREVERSE (Golang reverse shell/backdoor), Sliver.
- **Infrastructure (C2, domains, IPs):** Infrastructure tied to the publicly available SUPERSHELL C2 framework. VShell leverages WebSockets for C2 communication.
## Implications
UNC5174 poses a significant risk due to its stealthy and sophisticated techniques, particularly the combination of established malware variants (SNOWLIGHT) with effective, fileless delivery of a RAT (VShell). The actor's increasing reliance on widely available open-source tools aids in operational security ("blending in") and complicates attribution efforts, suggesting an adaptive operational model. The capability to target Linux systems and portable malware capable of targeting macOS via VShell broadens the potential impact surface.
## Mitigations
- Monitor for the execution of malicious bash scripts for deploying initial payloads ('download\_backd.sh').
- Implement monitoring for the SNOWLIGHT and VShell binaries, focusing on fileless memory execution.
- Enhance detection and response capabilities for C2 communications utilizing WebSockets.
- Patch known vulnerabilities in ConnectWise ScreenConnect, F5 BIG-IP, and Ivanti CSA devices promptly.
- Maintain vigilance regarding the deployment of open-source tools (like VShell) that can be weaponized for RAT functionality.