A risk actor has been deploying a beforehand unseen malware referred to as OVERSTEP that modifies the boot strategy of fully-patched however now not supported SonicWall Safe Cell Entry home equipment.
The backdoor is a user-mode rootkit that enables hackers to cover malicious parts, preserve persistent entry on the machine, and steal delicate credentials.
Researchers at Google Risk Intelligence Group (GTIG) noticed the rootkit in assaults which will have relied on “an unknown, zero-day distant code execution vulnerability”.
The risk actor is tracked as UNC6148 and has been working since at the very least final October, with a company being focused as lately as Could.
As a result of recordsdata stolen from the sufferer had been later revealed on the World Leaks (Hunters Worldwide rebrand) data-leak web site, GTIG researchers consider that UNC6148 engages in information theft and extortion assaults, and may deploy Abyss ransomware (tracked as VSOCIETY by GTIG).
Hackers come ready
The hackers are focusing on end-of-life (EoL) SonicWall SMA 100 Sequence units that present safe distant entry to enterprise sources on the native community, within the cloud, or hybrid datacenters.
It’s unclear how the hackers obtained preliminary entry, however researchers investigating UNC6148 assaults observed that the risk actor already had native administrator credentials on the focused equipment.
“GTIG assesses with excessive confidence that UNC6148 exploited a recognized vulnerability to steal administrator credentials previous to the focused SMA equipment being up to date to the newest firmware model (10.2.1.15-81sv)” – Google Risk Intelligence Group
Wanting on the community visitors metadata, the investigators discovered proof suggesting that UNC6148 had stolen the credentials for the focused equipment in January.
A number of n-day vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819) may have been exploited to this impact, the oldest of them disclosed in 2021 and the newest being from Could 2025.
Of those, the hackers could have exploited CVE-2024-38475 because it offers “native administrator credentials and legitimate session tokens that UNC6148 may reuse.”
Nevertheless, incident responders at Mandiant (a Google firm) couldn’t affirm that the attacker exploited the vulnerability.
Reverse-shell thriller
In an assault in June, UNC6148 used the native admin credentials to hook up with the focused SMA 100 sequence equipment over an SSL-VPN session.
The hackers began a reverse shell, though shell entry shouldn’t be doable by design on these home equipment.
SonicWall’s Product Safety Incident Response Group (PSIRT) tried to find out how this was doable however couldn’t provide you with a proof, and one reply could possibly be the exploitation of an unknown safety situation.
With shell entry on the equipment, the risk actor ran reconnaissance and file manipulation actions, and imported settings that included new community entry management coverage guidelines to permit the hacker’s IP addresses.
OVERSTEP rootkit leaves no clues
After this, UNC6148 deployed the OVERSTEP rootkit via a sequence of instructions that decoded the binary from base64 and planted it as a .ELF file.
“Following the set up, the attacker manually cleared the system logs earlier than restarting the equipment, activating the OVERSTEP backdoor” – Google Risk Intelligence Group
OVERSTEP acts as a backdoor that establishes a reverse shell and steals passwords from the host. It additionally implements user-mode rootkit capabilities to maintain its parts hidden on the host.
The rootkit element gave the risk actor long-term persistence by loading and executing malicious code every time a dynamic executable begins.
OVERSTEP’s anti-forensic characteristic lets the attacker selectively delete log entries and thus cowl their tracks. This functionality and the dearth of command historical past on disk denied researchers’ visibility within the risk actor’s post-compromise actions.
Nevertheless, GTIG warns that OVERSTEP can steal delicate recordsdata such because the persist.db database and certificates recordsdata, which give hackers entry to credentials, OTP seeds, and certificates that enable persistence.
Whereas researchers can not decide the true goal of UNC6148’s assaults, they spotlight “noteworthy overlaps” on this risk actor’s exercise and evaluation of incidents the place Abyss-related ransomware was deployed.
In late 2023, Truesec researchers investigated an Abyss ransowmare incident that occurred after hackers deployed an internet shell on an SMA equipment, hiding mechanism, and established persistence throughout firmware updates.
Just a few months later in March 2024, InfoGuard AG incident responder Stephan Berger revealed a put up describing an analogous compromise of an SMA machine that ended with the deployment of the identical Abyss malware.
Organizations with SMA home equipment are really useful to test the units for potential compromise by buying disk photos, which ought to forestall interference from the rootkit.
GTIG offers a set of indicators of compromise together with the indicators analysts ought to search for to find out if the machine was hacked.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
