UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs
A suspected Chinese threat actor tracked as UNC3886 uses publicly available open-source rootkits named 'Reptile' and 'Medusa' to remain hidden on VMware ESXi virtual machines, allowing them to conduct credential theft, command execution, and lateral movement.
A new report by Mandiant details UNC3886's use of these two rootkits on virtual machines for long-term persistence and evasion, as well as custom malware tools such as 'Mopsled' and 'Riflespine,' which use GitHub and Google Drive for command and control.
Rootkitting VMware ESXi VMs
Mandiant says the threat actors breach VMware ESXi VMs and install open-source rootkits to maintain access for long-term operations.
"After exploiting zero-day vulnerabilities to gain access to vCenter servers and subsequently managed ESXi servers, the actor obtained total control of guest virtual machines that shared the same ESXi server as the vCenter server," explained Mandiant.
"REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints," continued Mandiant.
UNC3886 modified the rootkit to use unique keywords for each deployment, aiding evasion, and also changed the rootkit's launcher and startup scripts to improve persistence and stealth.
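Reptile-style loadable-kernel-module rootkits stay hidden by filtering what user space is allowed to enumerate: processes vanish from a directory listing of /proc, and the module removes itself from the list behind /proc/modules. The script below is an added example written for this article, not code from Mandiant or from the rootkit projects; it shows the generic "cross-view" check defenders use against that class of hiding. It compares a readdir of /proc with a direct probe of every /proc/<pid> path (hidden processes often still answer a direct open), and compares /proc/modules with the loaded-module entries under /sys/module. The sample inputs in the test are constructed, and the module name used there is a placeholder, not an indicator from the report.

```python
"""
Added example (not from the article or the Mandiant report): two cross-view
checks for Linux LKM rootkits that hide processes and their own module.
The live scan runs only when executed directly; the pure functions take
constructed inputs so the logic can be exercised offline.
"""
import os


def find_hidden_pids(listed_pids, probed_pids):
    """PIDs reachable by a direct /proc/<pid> probe but absent from readdir(/proc).

    A rootkit that filters getdents() results usually leaves the direct
    path lookup alone, so the difference between the two views is the
    set of hidden processes (plus processes that exited mid-scan, which
    is why a real tool re-checks hits before alerting).
    """
    return sorted(set(probed_pids) - set(listed_pids))


def list_proc_pids():
    """The readdir view: numeric entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid):
    """The direct-lookup view: stat /proc/<pid> for every candidate pid."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except FileNotFoundError:
            continue
        except PermissionError:
            # Entry exists even though we cannot read it.
            found.add(pid)
    return found


def parse_proc_modules(text):
    """Module names from the text of /proc/modules (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def sysfs_loaded_modules():
    """Names under /sys/module that belong to loaded (not built-in) modules.

    Built-in code also gets a /sys/module/<name> directory, but only a
    loaded module has an 'initstate' file, so filtering on it avoids a
    flood of false positives.
    """
    base = "/sys/module"
    names = set()
    for name in os.listdir(base):
        if os.path.exists(os.path.join(base, name, "initstate")):
            names.add(name)
    return names


def find_hidden_modules(proc_module_names, sysfs_module_names):
    """Loaded modules present in sysfs but missing from /proc/modules.

    Removing the module from the kernel's module list is the classic way
    an LKM rootkit drops out of lsmod; the sysfs kobject is sometimes
    left behind, which this check exploits. A rootkit that also removes
    its kobject will not be caught here, so treat an empty result as
    'nothing found', not 'clean'.
    """
    return sorted(set(sysfs_module_names) - set(proc_module_names))


def live_scan():
    """Run both checks on the current host and return the findings."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = min(int(fh.read()), 4_194_304)
    hidden_pids = find_hidden_pids(list_proc_pids(), probe_pids(pid_max))
    with open("/proc/modules") as fh:
        visible_modules = parse_proc_modules(fh.read())
    hidden_modules = find_hidden_modules(visible_modules, sysfs_loaded_modules())
    return {"hidden_pids": hidden_pids, "hidden_modules": hidden_modules}


if __name__ == "__main__":
    print(live_scan())
```

Both checks are heuristics: a process that exits between the two views shows up as a false positive, and a rootkit that removes its sysfs kobject as well as its list entry evades the module check, so findings should be confirmed from outside the guest (for example by comparing against a memory image or hypervisor-side view) rather than trusted from a single run inside a VM the attacker already controls.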