A risk actor has been deploying a beforehand unseen malware referred to as OVERSTEP that modifies the boot strategy of fully-patched however not supported SonicWall Safe Cellular Entry home equipment.
The backdoor is a user-mode rootkit that permits hackers to cover malicious elements, keep persistent entry on the gadget, and steal delicate credentials.
Researchers at Google Menace Intelligence Group (GTIG) noticed the rootkit in assaults that will have relied on “an unknown, zero-day distant code execution vulnerability”.
The risk actor is tracked as UNC6148 and has been working since at the very least final October, with a company being focused as lately as Might.
As a result of recordsdata stolen from the sufferer had been later printed on the World Leaks (Hunters Worldwide rebrand) data-leak website, GTIG researchers imagine that UNC6148 engages in information theft and extortion assaults, and may additionally deploy Abyss ransomware (tracked as VSOCIETY by GTIG).
Hackers come ready
The hackers are concentrating on end-of-life (EoL) SonicWall SMA 100 Collection gadgets that present safe distant entry to enterprise assets on the native community, within the cloud, or hybrid datacenters.
It’s unclear how the hackers obtained preliminary entry, however researchers investigating UNC6148 assaults seen that the risk actor already had native administrator credentials on the focused equipment.
“GTIG assesses with excessive confidence that UNC6148 exploited a identified vulnerability to steal administrator credentials previous to the focused SMA equipment being up to date to the newest firmware model (10.2.1.15-81sv)” – Google Menace Intelligence Group
Wanting on the community site visitors metadata, the investigators discovered proof suggesting that UNC6148 had stolen the credentials for the focused equipment in January.
A number of n-day vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819) may have been exploited to this impact, the oldest of them disclosed in 2021 and the latest being from Might 2025.
Of those, the hackers could have exploited CVE-2024-38475 because it gives “native administrator credentials and legitimate session tokens that UNC6148 may reuse.”
Nevertheless, incident responders at Mandiant (a Google firm) couldn’t verify that the attacker exploited the vulnerability.
Reverse-shell thriller
In an assault in June, UNC6148 used the native admin credentials to connect with the focused SMA 100 collection equipment over an SSL-VPN session.
The hackers began a reverse shell, though shell entry shouldn’t be attainable by design on these home equipment.
SonicWall’s Product Safety Incident Response Staff (PSIRT) tried to find out how this was attainable however couldn’t provide you with an evidence, and one reply may very well be the exploitation of an unknown safety difficulty.
With shell entry on the equipment, the risk actor ran reconnaissance and file manipulation actions, and imported settings that included new community entry management coverage guidelines to permit the hacker’s IP addresses.
OVERSTEP rootkit leaves no clues
After this, UNC6148 deployed the OVERSTEP rootkit via a collection of instructions that decoded the binary from base64 and planted it as a .ELF file.
“Following the set up, the attacker manually cleared the system logs earlier than restarting the equipment, activating the OVERSTEP backdoor” – Google Menace Intelligence Group
OVERSTEP acts as a backdoor that establishes a reverse shell and steals passwords from the host. It additionally implements user-mode rootkit capabilities to maintain its elements hidden on the host.
The rootkit part gave the risk actor long-term persistence by loading and executing malicious code every time a dynamic executable begins.
OVERSTEP’s anti-forensic characteristic lets the attacker selectively delete log entries and thus cowl their tracks. This functionality and the shortage of command historical past on disk denied researchers’ visibility within the risk actor’s post-compromise actions.
Nevertheless, GTIG warns that OVERSTEP can steal delicate recordsdata such because the persist.db database and certificates recordsdata, which give hackers entry to credentials, OTP seeds, and certificates that enable persistence.
Whereas researchers can not decide the true objective of UNC6148’s assaults, they spotlight “noteworthy overlaps” on this risk actor’s exercise and evaluation of incidents the place Abyss-related ransomware was deployed.
In late 2023, Truesec researchers investigated an Abyss ransowmare incident that occurred after hackers deployed an internet shell on an SMA equipment, hiding mechanism, and established persistence throughout firmware updates.
Just a few months later in March 2024, InfoGuard AG incident responder Stephan Berger printed a submit describing an analogous compromise of an SMA gadget that ended with the deployment of the identical Abyss malware.
Organizations with SMA home equipment are beneficial to test the gadgets for potential compromise by buying disk pictures, which ought to forestall interference from the rootkit.
GTIG gives a set of indicators of compromise together with the indicators analysts ought to search for to find out if the gadget was hacked.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
