How Is UNC5174 Threatening Cybersecurity With New VShell RAT?

The Sysdig Threat Research Team (TRT) has documented a significant step up in the capabilities of UNC5174, a threat actor group assessed to be Chinese state-sponsored. In January of this year, after a period of reduced activity, UNC5174 launched a new campaign that introduced VShell, an open-source remote access trojan (RAT), together with a revamped command and control (C2) infrastructure. VShell runs entirely in memory: the payload is never written to disk, so it leaves no file for antivirus scanning or disk forensics to find, which is what makes it "fileless" and harder to detect.

VShell is delivered by SNOWLIGHT, a dropper already associated with UNC5174, which runs the implant under a name that passes for a legitimate system process. SNOWLIGHT fetches the VShell payload from the C2 server over a WebSocket connection (opened, as every WebSocket is, with an HTTP GET upgrade request), writes it into an anonymous in-memory file created with the memfd_create system call, and executes it straight from that descriptor with fexecve. The ELF therefore never touches the filesystem, which underlines the group's focus on evasion and stealth.
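As an added example (not Sysdig's code, not the malware's, and not taken from the report), the following C program shows the memfd_create/fexecve loader pattern end to end, with the defender's view beside it. The loader half writes an ELF image that is already in memory into an anonymous memfd and executes it; the detection half checks /proc/<pid>/exe for the "/memfd:" prefix that such a process carries for as long as it lives. The payload bytes are read from /bin/sh purely as a stand-in for what SNOWLIGHT pulls from its C2 channel, and the memfd name "kworker" is an assumed disguise, not a name taken from the campaign. Linux only.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 1U          /* value from <linux/memfd.h>, for older headers */
#endif

extern char **environ;

/* memfd_create(2) via syscall(2) so the example builds without the glibc wrapper.
 * The name is arbitrary; a loader picks one that looks like a system process. */
static int make_memfd(const char *name) {
    return (int)syscall(SYS_memfd_create, name, MFD_CLOEXEC);
}

/* Read a whole file into a heap buffer. This stands in for the C2 download:
 * in the real chain the ELF arrives over the network and is never written out. */
unsigned char *slurp(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    rewind(f);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf); fclose(f); return NULL;
    }
    fclose(f);
    *len = (size_t)sz;
    return buf;
}

/* Loader side: copy an in-memory ELF image into an anonymous memfd and
 * fexecve(3) it in a child. Returns the child's pid, or -1 on fork failure.
 * No file is created on disk at any point. */
pid_t exec_from_memory(const char *memfd_name, const unsigned char *image,
                       size_t len, char *const argv[]) {
    pid_t pid = fork();
    if (pid != 0) return pid;                 /* parent, or fork() == -1 */
    int fd = make_memfd(memfd_name);
    if (fd < 0) _exit(127);
    for (size_t off = 0; off < len; ) {
        ssize_t w = write(fd, image + off, len - off);
        if (w <= 0) _exit(127);
        off += (size_t)w;
    }
    fexecve(fd, argv, environ);  /* MFD_CLOEXEC: the fd is gone in the new image */
    _exit(127);                  /* only reached if fexecve failed */
}

/* Detection side: a process started this way has /proc/<pid>/exe resolving to
 * "/memfd:<name> (deleted)" instead of a path on disk. */
int exe_is_memfd(pid_t pid) {
    char link[64], target[PATH_MAX];
    snprintf(link, sizeof link, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return strncmp(target, "/memfd:", 7) == 0;
}

/* Poll the child's exe link until it has exec'd into the memfd (up to ~1 s). */
static int wait_for_memfd_exe(pid_t pid) {
    for (int i = 0; i < 100; i++) {
        if (exe_is_memfd(pid)) return 1;
        usleep(10000);
    }
    return 0;
}

/* Demo: run a copy of /bin/sh from memory, observe the artefact while it is
 * alive, then collect its exit status. Returns that status (7 here), or -1
 * if the "/memfd:" artefact was never seen or anything failed. */
int demo(void) {
    size_t len;
    unsigned char *img = slurp("/bin/sh", &len);        /* stand-in payload */
    if (!img) return -1;
    char *const argv[] = { (char *)"sh", (char *)"-c", (char *)"sleep 2; exit 7", NULL };
    pid_t pid = exec_from_memory("kworker", img, len, argv);
    free(img);
    if (pid < 0) return -1;
    int status, seen = wait_for_memfd_exe(pid);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return seen ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int rc = demo();
    printf("exit status %d (%s)\n", rc, rc == 7 ? "ran from memfd" : "failed");
    return rc == 7 ? 0 : 1;
}
```

Build with `cc -o memfd_demo memfd_demo.c` and run it; while the child is alive, `ls -l /proc/<pid>/exe` shows `/memfd:kworker (deleted)`, and that string, or an auditd rule such as `-a always,exit -F arch=b64 -S memfd_create -k memfd` followed by an execve/execveat of a `/memfd:` image, is the kind of host signal a defender can key on when no file ever reaches disk.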

For the latest campaign UNC5174 also rebuilt its C2 infrastructure around look-alike domains such as gooogleasia[.]com (a Google typosquat) and sex666vr[.]com, chosen to pass as legitimate traffic in logs. C2 traffic is wrapped in mTLS, WireGuard and HTTPS, typically on port 8443, so it blends with ordinary encrypted traffic; the mutual-TLS layer also means the server will not talk to a scanner or sandbox that lacks a valid client certificate. Together these changes reflect a deliberate investment in staying undetected and are consistent with the group's assessed dual role: cyber espionage, and possibly selling access to the environments it compromises.

The adoption of VShell marks an escalation in UNC5174's capabilities, in particular the real-time operator channel over secure WebSockets, which complicates both detection and takedown. Sysdig advises organizations, above all those in sectors of strategic interest to China, to strengthen their defenses, monitor for fileless execution (processes whose executable image lives in memory rather than on disk), and track the group's evolving C2 infrastructure and protocols. The analysis is a reminder that defenses against advanced actors have to adapt as the actors do, and that a proactive posture is needed in a threat landscape that keeps changing.
