Full Report
Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks.
Analysis Summary
# Tool/Technique: OVERSTEP Backdoor
## Overview
OVERSTEP is a custom backdoor used by the threat cluster tracked as UNC6148 to keep persistent access to compromised SonicWall Secure Mobile Access (SMA) 100 series appliances, even after the appliance has been patched. It persists by modifying the appliance's boot process, steals credentials stored on the device, and deletes log entries to cover its tracks.
## Technical Details
- Type: Malware (Backdoor)
- Platform: SonicWall Secure Mobile Access (SMA) 100 series appliances (Firmware/OS level modification)
- Capabilities: Modifies boot process for persistence, steals credentials, removes log entries to cover tracks.
- First Seen: Campaign dates back to October 2024.
## MITRE ATT&CK Mapping
The activity described centres on keeping control after the initial compromise and covering tracks:
- **TA0003 - Persistence**
- T1547 - Boot or Logon Autostart Execution (boot-process modification; the source does not name a sub-technique)
- **TA0005 - Defense Evasion**
- T1070.002 - Indicator Removal: Clear Linux or Mac System Logs
- T1070.004 - Indicator Removal: File Deletion
## Functionality
### Core Capabilities
- **Persistence via Boot Modification:** OVERSTEP modifies the appliance's boot process so that the implant is launched again on every restart.
- **Credential Theft:** Designed to steal sensitive credentials stored on the appliance.
- **Covering Tracks:** Capable of removing log entries to hinder forensic investigation and attribution.
### Advanced Features
- **Platform Specificity:** Specifically designed to target and implant within the firmware/OS of SonicWall SMA 100 series appliances.
- **Post-Patch Persistence:** Access survives patching of the initial vulnerability: the implant itself persists across reboots, and the stolen credentials and OTP seeds let the actors log back in through legitimate channels without re-exploiting anything.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the text)
- File Names: N/A (No specific file names provided in the text)
- Registry Keys: N/A (Not applicable to appliance firmware/OS modification context provided)
- Network Indicators: N/A (No network indicators provided in the text)
- Behavioral Indicators: Modification of the boot process to establish persistence; logins using previously stolen user credentials and one-time password (OTP) seeds; deletion of system log entries.
## Associated Threat Actors
- UNC6148 (Unidentified threat group studied by Google Threat Intelligence Group and Mandiant)
- Possible linkage to the Abyss ransomware gang (the researchers note the overlap may be coincidental).
## Detection Methods
- Signature-based detection: N/A (Specific signatures for OVERSTEP were not detailed)
- Behavioral detection: Compare the boot-path files of a suspect appliance against a known-good firmware image rather than trusting the running device's own view of itself. Watch for log entries disappearing; because the implant deletes entries on the box, corroborate appliance logs against an independent record such as an upstream firewall or proxy log.
- YARA rules: N/A
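The two behavioral checks above, as an added example that is not code from the Google/Mandiant report or from SonicWall: a manifest diff of boot-path files taken from a forensic image, and a cross-check of the appliance's web log against an upstream proxy record. The file paths, file contents, log formats and log lines are constructed for illustration and are not OVERSTEP indicators.

```python
"""Two offline checks of the kind a responder would run against a forensic
image of a network appliance: (1) diff boot-path files against a manifest
built from a known-good image, and (2) corroborate the appliance's own web
log against an independent upstream record to spot entries that were deleted.

Added example; not code from the Google/Mandiant report or from SonicWall.
The file paths, file contents and log lines below are constructed for
illustration and are not OVERSTEP indicators.
"""
import hashlib
import re
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Hash every file of a clean image. In practice the manifest comes from
    vendor firmware of the same version or from a capture taken before the
    suspected compromise window, never from the suspect device itself."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_against_manifest(manifest: dict[str, str], image: dict[str, bytes]) -> dict[str, list[str]]:
    """Report files that were modified, added, or removed relative to the manifest."""
    report = {"modified": [], "added": [], "missing": []}
    for path, expected in manifest.items():
        if path not in image:
            report["missing"].append(path)
        elif sha256_hex(image[path]) != expected:
            report["modified"].append(path)
    report["added"] = [path for path in image if path not in manifest]
    return {key: sorted(paths) for key, paths in report.items()}


# Constructed log formats: the appliance-side web log and an upstream
# proxy/firewall log that independently records requests reaching the device.
APPLIANCE_LINE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+) \d{3}$")
UPSTREAM_LINE = re.compile(r"^(\S+) src=(\S+) dst=\S+ (GET|POST) (\S+)$")


def parse_appliance_log(text: str) -> set:
    """'YYYY-MM-DD HH:MM:SS src METHOD path status' -> {(utc_ts, src, method, path)}"""
    events = set()
    for line in text.splitlines():
        m = APPLIANCE_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            events.add((ts, m.group(2), m.group(3), m.group(4)))
    return events


def parse_upstream_log(text: str) -> set:
    """'ISO8601Z src=ip dst=host METHOD path' -> {(utc_ts, src, method, path)}"""
    events = set()
    for line in text.splitlines():
        m = UPSTREAM_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.add((ts, m.group(2), m.group(3), m.group(4)))
    return events


def missing_from_appliance(appliance_text: str, upstream_text: str) -> list:
    """Requests the upstream device recorded that no longer appear in the
    appliance log. A backdoor that scrubs its own entries on the box cannot
    reach the upstream copy, so every hit here deserves a look."""
    return sorted(parse_upstream_log(upstream_text) - parse_appliance_log(appliance_text))


# --- constructed sample data (not real indicators) ---------------------------
CLEAN_IMAGE = {
    "/etc/rc.d/rc.local": b"#!/bin/sh\n/usr/sbin/httpd -k start\n",
    "/etc/rc.d/rc.modules": b"#!/bin/sh\nmodprobe dummy\n",
    "/usr/lib/libssl.so": b"\x7fELF clean-build-placeholder",
}
SUSPECT_IMAGE = dict(CLEAN_IMAGE)
# boot script gained an extra line that launches something from a hidden directory
SUSPECT_IMAGE["/etc/rc.d/rc.local"] = CLEAN_IMAGE["/etc/rc.d/rc.local"] + b"/usr/lib/.x/run.sh &\n"
SUSPECT_IMAGE["/usr/lib/.x/run.sh"] = b"#!/bin/sh\nexec /usr/lib/.x/agent\n"  # new file
del SUSPECT_IMAGE["/etc/rc.d/rc.modules"]                                       # removed file

APPLIANCE_HTTP_LOG = """\
2024-10-14 02:11:05 10.0.0.5 GET /cgi-bin/welcome 200
2024-10-14 02:13:40 10.0.0.5 POST /cgi-bin/userLogin 302
2024-10-14 02:20:01 10.0.0.9 GET /cgi-bin/welcome 200
"""
UPSTREAM_PROXY_LOG = """\
2024-10-14T02:11:05Z src=10.0.0.5 dst=sma.example.net GET /cgi-bin/welcome
2024-10-14T02:12:17Z src=198.51.100.7 dst=sma.example.net POST /cgi-bin/management
2024-10-14T02:13:40Z src=10.0.0.5 dst=sma.example.net POST /cgi-bin/userLogin
2024-10-14T02:20:01Z src=10.0.0.9 dst=sma.example.net GET /cgi-bin/welcome
"""

if __name__ == "__main__":
    print(diff_against_manifest(build_manifest(CLEAN_IMAGE), SUSPECT_IMAGE))
    for ts, src, method, path in missing_from_appliance(APPLIANCE_HTTP_LOG, UPSTREAM_PROXY_LOG):
        print(f"scrubbed? {ts.isoformat()} {src} {method} {path}")
```

The manifest must come from a clean source: hashing the suspect device against itself proves nothing, and tooling run on the live appliance can be lied to by an implant that controls the boot process. The log cross-check keys on exact second, source, method and path; on real data allow for clock skew between the two devices by bucketing timestamps into a window before comparing.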
## Mitigation Strategies
- **Reset OTP Bindings:** Strongly advised by SonicWall to invalidate any potentially compromised or stale One-Time Password (OTP) secrets.
- **Hardware Replacement:** The campaign targets end-of-life SonicWall SMA 100 series appliances, which no longer receive fixes; migrating off them is the only durable defense. Because the implant survives patching, a device suspected of compromise should be treated as untrusted rather than merely updated.
- **Credential Rotation:** Reset all user credentials, especially administrative ones, since the actors rely on stolen credentials and OTP seeds. Do this only after the implant has been removed, or the new secrets will be collected just like the old ones.
## Related Tools/Techniques
- **Vulnerabilities Exploited (Initial Access):** CVE-2024-38475, CVE-2021-20038, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819, or a potential unknown zero-day.
- **Persistence Method:** Conceptually similar to rootkits or firmware implants that alter system startup routines.