A financially motivated threat actor tracked as UNC6148 is actively targeting fully patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances, according to the Google Threat Intelligence Group (GTIG) and Mandiant.
In recent activity observed by incident responders, UNC6148 leveraged previously stolen credentials and one-time-password (OTP) seeds to regain access and deploy a novel persistent malware, tracked as OVERSTEP, even after targeted organizations applied all available security updates.
Analysts believe UNC6148 likely exploited a known, or possibly an as-yet-unknown, remote code execution vulnerability to gain initial access, since evidence from the initial infection is scarce.
This absence of evidence is attributed to the actor’s anti-forensic measures; their custom malware is built to delete select log entries and shell history, severely hampering the effectiveness of traditional analysis.
According to the report, GTIG states with moderate confidence that the group could have weaponized an unreported zero-day remote code execution vulnerability, allowing them to implant OVERSTEP and evade security controls.
Sophisticated Bootkits
During incident response, Mandiant discovered that OVERSTEP modifies the appliance boot sequence and the initial RAM disk (INITRD) image, granting the attacker persistent access.
By hijacking legitimate files and injecting malicious code into system startup scripts and /etc/ld.so.preload, UNC6148 ensures their backdoor is loaded every time any dynamically linked executable launches on the system.
OVERSTEP functions as a user-mode rootkit compiled for x86 Linux, loaded via LD_PRELOAD.
It intercepts and hijacks critical functions like open, readdir, and write, hiding its presence by filtering system calls and concealing files, processes, and even itself from directory listings.
Furthermore, it enables attackers to open covert reverse shells and exfiltrate credentials, encryption keys, and user session tokens by hijacking log and file access frequently used by the system’s web server.
Incident responders also observed the malware systematically deleting log entries containing command activity, further frustrating forensic investigations.
Data Theft
UNC6148’s campaign appears to have started in late 2024, overlapping with other reported SonicWall attacks and the deployment of Abyss/VSOCIETY ransomware.
Experts connecting the dots highlight the potential for extortion and ransomware deployment, reinforced by at least one victim showing up on the “World Leaks” data leak site a month after suspected compromise.
The actor’s chief advantage is persistence that survives patching: it relies on secrets harvested in earlier attacks, including credentials and OTP seeds, and on targeting devices that have aged out of support.
For defenders, simple firmware updates are inadequate: direct, comprehensive credential resets and rotation of all keys and even OTP shared secrets are now imperative.
Incident responders also recommend replacing all SSL/TLS certificates and engaging forensic specialists, as the rootkit can make detection and eradication challenging.
Organizations are urged to image appliances for offline analysis; search for anomalous files, suspicious modifications to boot scripts, INITRD images, and unusual activity in available logs; and monitor for outbound traffic to known UNC6148 infrastructure.
Defenders should heed this campaign as a warning of the high risk associated with continuing to operate unsupported perimeter devices, even if they appear fully patched.
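The triage steps above (check ld.so.preload, review boot scripts against a known-good copy, hash suspicious files, and search logs for known infrastructure) can be run offline against files copied out of an appliance image. The following Python helpers are an added example written for this article, not GTIG or Mandiant tooling; the indicator values are copied from the IOC table, while the sample file contents are constructed and the function names are the author's own.

```python
"""Offline triage helpers for files pulled from an imaged SMA appliance.

Added example, not GTIG/Mandiant code. Indicator values come from the
article's IOC table; all sample inputs below are constructed.
"""
from __future__ import annotations

import difflib
import hashlib
import re

# Indicators copied from the article's IOC table.
IOC_PATHS = {
    "/cf/xxx.elf",
    "/cf/libsamba-errors.so.6",
    "/usr/lib/libsamba-errors.so.6",
}
IOC_HASHES = {
    "b28d57269fe4cd90d1650bde5e905611",
    "6de26d211966262e59359d0e2a67d473",
    "f0e0db06ca665907770e2202957d3ecc",
    "d5a070acac1debaf0889d0d48c10e149",
}
IOC_IPS = {"193.149.180.50", "64.52.80.80"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_ld_preload(contents: str) -> list[str]:
    """Return every library named in an /etc/ld.so.preload file.

    On a clean appliance this file is absent or empty; any entry means a
    shared object is injected into every dynamically linked process.
    glibc separates entries with whitespace or ':' and treats '#' as a
    comment. Entries matching a known OVERSTEP path are prefixed with '!'.
    """
    hits: list[str] = []
    for raw in contents.splitlines():
        body = raw.split("#", 1)[0]
        for lib in re.split(r"[\s:]+", body):
            if lib:
                hits.append(("!" if lib in IOC_PATHS else "") + lib)
    return hits


def digests(data: bytes) -> dict[str, str]:
    """MD5 and SHA-256 of file bytes; published IOC lists mix algorithms."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hash(data: bytes) -> str | None:
    """Name of the algorithm whose digest matches an IOC hash, else None."""
    for algo, value in digests(data).items():
        if value.lower() in IOC_HASHES:
            return algo
    return None


def scan_boot_script(contents: str) -> list[tuple[int, str]]:
    """Flag lines of a boot script (e.g. /etc/rc.d/rc.fwboot) that reference
    an OVERSTEP path or the dynamic-loader preload mechanism."""
    needles = ("ld.so.preload", "LD_PRELOAD")
    flagged = []
    for n, line in enumerate(contents.splitlines(), 1):
        if any(p in line for p in IOC_PATHS) or any(s in line for s in needles):
            flagged.append((n, line.strip()))
    return flagged


def added_lines(baseline: str, suspect: str) -> list[str]:
    """Lines present in a suspect script but not in a known-good firmware
    copy; the article lists rc.fwboot as a modified file, so a diff against
    a clean extract is the most direct check."""
    diff = difflib.unified_diff(
        baseline.splitlines(), suspect.splitlines(), lineterm="", n=0
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def find_ioc_ips(log_text: str) -> dict[str, list[int]]:
    """Map each known UNC6148 IP found in a log to the line numbers it is on."""
    seen: dict[str, list[int]] = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                seen.setdefault(ip, []).append(n)
    return seen


if __name__ == "__main__":
    # Constructed samples standing in for files copied out of an image.
    preload = "# constructed sample\n/usr/lib/libsamba-errors.so.6\n"
    clean_rc = "#!/bin/sh\nmount /cf\n"
    suspect_rc = "#!/bin/sh\nmount /cf\ncp /cf/xxx.elf /usr/lib/\n"
    vpn_log = "2025-01-01 user=alice src=10.0.0.5\n2025-01-02 user=bob src=193.149.180.50\n"
    print("ld.so.preload:", check_ld_preload(preload))
    print("boot script:", scan_boot_script(suspect_rc))
    print("added lines:", added_lines(clean_rc, suspect_rc))
    print("IOC IPs:", find_ioc_ips(vpn_log))
```

Run the functions over each artefact copied from the image rather than on the live appliance, since a preloaded rootkit that hooks readdir and open can filter what on-box tools see; hashes are compared in both MD5 and SHA-256 form so a report's list can be matched whichever algorithm it used.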
Key Indicators of Compromise (IOCs)
Type | Indicator | Description |
---|---|---|
File Path | /cf/xxx.elf, /cf/libsamba-errors.so.6, /usr/lib/libsamba-errors.so.6 | OVERSTEP malware |
SHA256 Hash | b28d57269fe4cd90d1650bde5e905611, 6de26d211966262e59359d0e2a67d473 | OVERSTEP binaries |
File Path | /etc/rc.d/rc.fwboot | Modified boot script |
SHA256 Hash | f0e0db06ca665907770e2202957d3ecc, d5a070acac1debaf0889d0d48c10e149 | Modified boot RC file hashes |
IP Address | 193.149.180.50 | Source of VPN sessions (UNC6148 infrastructure) |
IP Address | 64.52.80.80 | Reverse shell command & control address |