Linux, the target of Snowlight malware
- Javier Conejo del Cerro
- 12 minutes ago
- 2 min read

A covert cyber campaign has placed Linux systems firmly in the crosshairs of China-linked threat actor UNC5174. The attackers are deploying two powerful tools—Snowlight malware and the stealthy remote access trojan (RAT) known as VShell—to infiltrate global systems. What makes this campaign particularly elusive is the attackers’ reliance on open-source loaders, SSH abuse, and fake Cloudflare authentication apps, all of which make detection and attribution incredibly difficult. Fileless execution and in-memory payloads further obscure their traces, leaving compromised systems vulnerable and unaware.
Worldwide Penguins at Stake
This is no isolated attack. UNC5174’s campaign spans nearly 20 countries, including Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, the UAE, the UK, and the US. Their targets include some of the most sensitive entities: critical infrastructure, government institutions, and defense-related organizations. While the method of initial access remains uncertain, evidence points to Snowlight as the first stage—dropping the fileless VShell RAT and establishing C2 communication via WebSockets.
Unbecoming Frosty Environment
The malware operation is initiated by a malicious bash script called "download_backd.sh," which launches two binaries—Snowlight (dnsloger) and Sliver (system_worker). These are used to ensure persistence and set up covert communications. VShell, once deployed, resides only in memory. It allows attackers to run arbitrary commands, transfer files, and move laterally across networks—all without ever touching disk storage. Adding to the complexity is the attackers' use of open-source tooling and impersonation of legitimate services like Cloudflare. This strategic camouflage lets them blend in with less sophisticated threat actors, muddling attribution.
Thawing Defenses
To counter UNC5174’s stealthy techniques and protect Linux environments from Snowlight and VShell, organizations should implement the following measures:
- Monitor for bash script execution and memory-resident malware. Actively scan for the presence of suspicious bash scripts and anomalous processes that operate solely in memory, as these are hallmarks of fileless attacks like VShell.
- Restrict outbound WebSocket traffic. Limit or inspect outbound WebSocket connections, which are used in this campaign for command-and-control communication, bypassing traditional firewall rules.
- Use advanced EDR/XDR tools with in-memory detection capabilities. Deploy endpoint and extended detection tools capable of analyzing volatile memory to catch threats that never touch disk and would evade signature-based tools.
- Harden SSH access policies and disable unused authentication methods. Tighten SSH configurations to reduce exposure, disabling password-based logins or unused ports that attackers may abuse to establish persistence or lateral movement.
- Audit scheduled tasks, binaries, and scripts for anomalies. Regularly check cron jobs, system binaries, and custom scripts for unauthorized changes or additions that could indicate persistence mechanisms or implants.
- Patch known vulnerabilities in Ivanti and F5 appliances promptly. Address known CVEs—such as those exploited in this campaign—to close off initial access vectors and reduce the window of opportunity for attackers.
- Limit execution of unknown or unsigned scripts. Implement application control policies to block unverified scripts from executing, especially in sensitive environments like infrastructure or defense.
- Validate digital certificates to prevent spoofed communications. Enforce strict certificate validation to prevent malware from communicating with fake services disguised as trusted entities.
- Block dual-use and red-team tools like Sliver. Identify and restrict tools commonly used by adversaries for post-exploitation tasks, even if they are also used for legitimate testing, as they represent high risk.
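As a concrete starting point for the first and fifth measures, here is a small /proc sweep that flags memory-only or deleted executables (the footprint a fileless payload like VShell leaves) and shells running the script name quoted above. This is an added example, not code from the article or the underlying research; the watch-list names are taken from the text, but treating them as indicators is an assumption, and the memfd/deleted link formats are standard Linux /proc behaviour.

```python
"""Flag fileless-looking processes and known artifact names by walking /proc."""
import os
from pathlib import Path

# Names quoted in the article; using them as a watch-list is an assumption.
WATCHED_SCRIPTS = {"download_backd.sh"}
WATCHED_PROCESSES = {"dnsloger", "system_worker"}
SHELLS = {"bash", "sh", "dash", "zsh"}


def classify(exe_target: str, cmdline: list) -> list:
    """Return why a process is suspicious; an empty list means nothing matched.

    exe_target is readlink(/proc/<pid>/exe); cmdline is the NUL-split argv.
    """
    reasons = []
    # A memfd_create()-backed binary links as "/memfd:<name> (deleted)".
    if exe_target.startswith("/memfd:"):
        reasons.append("memory-only executable (memfd)")
    # A binary unlinked after exec keeps running; its link ends in " (deleted)".
    elif exe_target.endswith(" (deleted)"):
        reasons.append("executable deleted from disk")
    if cmdline:
        argv0 = os.path.basename(cmdline[0])
        if argv0 in WATCHED_PROCESSES:
            reasons.append(f"known artifact name: {argv0}")
        if argv0 in SHELLS:
            scripts = {os.path.basename(a) for a in cmdline[1:]}
            for hit in sorted(scripts & WATCHED_SCRIPTS):
                reasons.append(f"shell running watched script: {hit}")
    return reasons


def scan(proc_root: str = "/proc") -> dict:
    """Scan every numeric entry under proc_root; return {pid: reasons} for hits."""
    findings = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            exe_target = os.readlink(entry / "exe")
            raw = (entry / "cmdline").read_bytes().split(b"\0")
        except OSError:  # kernel thread, pid exited, or not enough privilege
            continue
        argv = [a.decode(errors="replace") for a in raw if a]
        reasons = classify(exe_target, argv)
        if reasons:
            findings[int(entry.name)] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in sorted(scan().items()):
        print(f"pid {pid}: {'; '.join(why)}")
```

Run it as root so every process's exe link is readable; name matching is trivially evaded, so treat the memfd and deleted-binary checks as the durable part.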