APT-Gruppe UNC5174 kombiniert SNOWLIGHT und VShell
APT-Gruppe UNC5174 kombiniert SNOWLIGHT und VShell
Sysdig hat eine Kampagne der chinesischen APT-Gruppe aufgedeckt, die auf Linux-basierte Systeme in westlichen Ländern und im asiatisch-pazifischen Raum abzielt.
von ZDNet-Redaktion am 16. April 2025, 13:47 Uhr
Die Angreifer kombinieren dabei die bereits bekannte SNOWLIGHT-Malware mit dem Remote-Access-Trojaner (RAT) VShell, einem Open-Source-Tool, das als besonders schwer detektierbar gilt. Die initiale Infektion erfolgt über ein Bash-Skript, das zwei schädliche Binärdateien nachlädt: dnsloger, das mit der SNOWLIGHT-Malware in Verbindung steht, und system_worker, das mit Sliver und Cobalt Strike in Verbindung steht. Die Besonderheit dieser Kampagne liegt im Einsatz von fileless Payloads, die vollständig im Arbeitsspeicher ausgeführt werden und deshalb keine Dateien auf dem Datenträger hinterlassen, sowie in der Verwendung von WebSockets für die C2-Kommunikation – ein Vorgehen, das auf maximale Tarnung gegenüber traditionellen Erkennungsmethoden abzielt.
UNC5174 ist laut Mandiant und ANSSI als staatlich unterstützter Akteur mit Fokus auf Cyberspionage und Zugriffsvermittlung bekannt. Die aktuelle Infrastruktur nutzt Domain-Spoofing bekannter Marken wie Cloudflare oder Telegram, um Phishing-Opfer gezielt zu kompromittieren. Alle identifizierten Tools sind stark individualisiert und ermöglichen nach der Infektion umfassenden Remote-Zugriff auf betroffene Systeme. Der Hintergrund der Angriffe legt nahe, dass die Aktivitäten sowohl der Cyberspionage als auch dem Handel mit Zugängen zu kompromittierten Netzwerken dienen. Bereits bei den Olympischen Spielen 2024 wurde UNC5174 mit Angriffen auf Cloud-Dienste von Ivanti in Verbindung gebracht.