CyberWire Daily - China’s new cyber arsenal revealed. [Research Saturday]
Episode Date: April 26, 2025
Today we are joined by Crystal Morin, Cybersecurity Strategist from Sysdig, as she is sharing their work on "UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell." UNC5174, a Chinese state-sponsored threat actor, has resurfaced with a stealthy cyber campaign using a new arsenal of customized and open-source tools, including a variant of their SNOWLIGHT malware and the VShell RAT. Sysdig researchers discovered that the group targets Linux systems through malicious bash scripts, domain squatting, and in-memory payloads, indicating a high level of sophistication and espionage intent. Their evolving tactics, such as using spoofed domains and fileless malware, continue to blur attribution and pose a significant threat to research institutions, critical infrastructure, and NGOs across the West and Asia-Pacific regions. The research can be found here: UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting
your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24/7/365 with Black
Cloak. Learn more at blackcloak.io
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave
Bittner and this is our weekly conversation
with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This threat actor was identified by Google's Mandiant Threat Group about a year ago.
The interesting thing about this threat actor is they are not the typical Chinese nation-state
APT like you expect.
They're not a government-sponsored entity.
We believe from the way that this actor is behaving and from what Mandiant has
said in their previous reporting, that this is an individual or possibly
multiple, but as of right now, it's a person who is contracted
by the Chinese government to support their cyber war efforts.
That's Crystal Morin,
cybersecurity strategist from Sysdig.
The research we're discussing today is titled
UNC5174's Evolution in China's Ongoing Cyber Warfare:
From SNOWLIGHT to VShell.
So it's not someone who works for the government.
He's just his own independent person.
They perhaps reached out to this person and said,
Hey, we've seen what you're doing online.
You're really great.
Do you want to come and work for us and support our efforts?
He was contracted into the Chinese government.
I'm saying he, but we don't know that that's for certain.
That's how this person is operating right now.
Completely independent, can do their own work on the side as well, but this
particular campaign is on behalf of the Chinese government. However, what we saw
that was also very interesting, so in the report we said that the motivations for
this report, or for this campaign rather, were for espionage,
but also possibly for reselling access.
Those are two very different motivations that you don't normally see from one threat actor
in one campaign.
So the reason that we think this is happening again,
is attributing it to the reason that this threat actor
is a contractor.
So when they get an initial access into a victim
environment and they exfiltrate data and do what they need
to do, go to the Chinese government and say,
hey, look at all this cool information that we stole
from this particular entity.
Here you go. And they either take it or the government says, oh, we don't really care about
them. Thanks, but no thanks. We don't want it. So then this threat actor can potentially take
that information and turn around and sell it. Well, I already have access to this victim.
I did all of the hard work.
The government's not gonna pay me.
Somebody else might pay me for access.
So I think that's where we're seeing
those two different motivations
or why we're seeing this data exfil
and these victims go two different ways
in this campaign right now.
Yeah, so perhaps a double-dipping mercenary, if you will.
Absolutely.
Yeah, interesting.
Well, describe for us, for folks who aren't familiar,
what is VShell and how does it compare
to some of the other remote access tools that are out there?
Okay, so VShell is a fairly advanced open source tool.
It's relatively new as well.
I believe it just came out in 2024 in the open source world
on GitHub.
It allows for persistent access, command execution,
data exfiltration, like a lot of RATs
allow all kinds of different capabilities
within your attack spectrum. VShell for this particular actor allowed a lot of stealth. Like
I said, the persistence for just prolonged access to these compromised networks. We saw VShell pop
up in Chinese underground channels on the dark web. That's where they were talking about it.
VShell was created by a Chinese speaking developer,
which is why we saw it in those channels.
And the developer actually abandoned it
and removed VShell from GitHub and from the web,
tried to take down as much of the code as he could for legal reasons,
because it started being used right away,
like many other open source tools for malicious purposes,
shortly after he released it to the public.
Its original intent was for a Red Team security tool.
There's a lot of incredibly intelligent developers all over the world
that create these fascinating Red Team tools that are really, really useful
for defenders to work through their environments and look for weaknesses,
look for vulnerabilities, they're really useful.
But when they're published on GitHub,
you're not just sharing those tools with good guys.
The bad guys can find them too.
So that's what happened in this case.
So the developer took it down,
but obviously it was shared quite a bit. Folks already had the
code from when he did initially upload it. So the binaries for VShell were already in Telegram
channels and they were leaked out toward the end of 2024. Some of the whisperings were China, quote unquote, leaked it,
but we don't know what that means, right?
Everybody, a lot of the folks using VShell
were Chinese speaking, so it was a Chinese government
that leaked VShell after the developer shut it down.
We don't know.
One of the other really fascinating aspects of VShell
that he worked into this RAT is that it's fileless.
So fileless execution, again, stealth,
means that the code can be executed
without residing on a disk or as a file binary.
So it makes it very, again, difficult to find.
It's really easy for users to obfuscate.
Then in conjunction with VShell,
this threat actor used WebSockets for C2 to then obtain the data that they're exfilling from victim environments,
to send those payloads encrypted that they were picking up with the VShell.
One of the things that your research highlights is the use of Snowlight malware in this attack
chain. Can you describe for us what that is
and what part it played?
Yes, so Snowlight is a custom malware,
which we're very used to seeing
from advanced threat groups, right?
So this is a contractor working on behalf
of the Chinese government.
So we're going to consider this threat actor
advanced very knowledgeable and very capable
in offensive cyber.
So this threat actor has developed this custom malware.
So anytime we see the use of Snowlight,
we can safely assume that it's probably being used by UNC5174.
It's not code that is accessible open source.
It's only going to be available to that particular threat actor.
So that's one of the reasons that we know it's this threat actor and we were able to attribute this entire campaign to this person.
This campaign was interesting in that custom malware has a binary, right?
That's how in threat intelligence often when we're writing IOC-based detections,
you take the MD5 hash,
you can just throw that into a detection and if you trigger,
it's easy, you're like, okay,
something bad's happening over here.
For malware and custom malware like this, it's not easy to change the binary like it is with a file hash.
For a hash related to just a file of a script,
you can change the file name
and the hash changes that's associated with it.
The binaries for malware,
you have to actually make modifications to your malware scripts
and that takes time and effort. So in this campaign, we identified 40 different binaries
so far associated with Snowlight. We can see that this is very clearly Snowlight malware.
It performs the same, it looks the same,
but every deployment of the malware is slightly different.
So every victim that's breached by this malware,
if they just have these IOC-based detections set up based on other victims who
may be seeing Snowlight, they're not necessarily going to see this activity happening because
this threat actor is changing his malware ever so slightly every time he enters a victim environment. That was fascinating to see that.
That is very advanced capability and a pain.
That takes a lot of effort.
So that's a lot of work. Yeah.
Yeah.
We'll be right back.
Secure access is crucial for U.S. public sector missions.
Ensuring that only authorized users can access certain systems, networks, or data.
Are your defenses ready? Cisco's Security Service Edge delivers
comprehensive protection for your network and users. Experience the power of zero trust
and secure your workforce wherever they are. Elevate your security strategy by visiting
cisco.com/go/sse.
Bad actors don't break in, they log in.
Attackers use stolen credentials in nearly 9 out of 10 data breaches.
Once inside, they're after one thing, your data.
Varonis' AI-powered data security platform secures your data at scale.
Across IaaS, SaaS, and hybrid cloud environments,
join thousands of organizations who trust Varonis to keep their data safe.
Get a free data risk assessment at varonis.com.
Well, what types of organizations is this threat actor targeting here?
So this particular threat actor, we're seeing them target government agencies,
educational institutions, non-governmental organizations, research facilities. This is
mostly in the West, US and allies in Europe, and then a handful of organizations in Asia as well,
strategically concerning China and their adversaries in APAC.
What are your recommendations then for organizations
to defend themselves?
I'm thinking both against this specifically, but also
this kind of thing.
Well, so in the end of our report that we put out,
our threat research team actually wrote a detection
analytic to be able to capture the behaviors associated
with VShell.
So like I said, with any type of advanced threat or this kind of behavior, they take
the time to evade defenses.
They don't want to be captured.
It's not easy to find them.
So you need to look for their behavior and multiple things chained together.
You can't just alert on IOCs.
Our threat research team wrote
a detection analytic that is open-source.
It's not just for our customers,
it's for everyone to be able to capture some of
the behaviors that we noticed with VShell deployment.
So if VShell is deployed in your environment,
then this detection alert should trigger for you and then that would obviously
initiate an investigation to see and this again,
VShell is an open source tool.
Just because you see VShell in your environment
doesn't mean you're being attacked
by a nation state threat actor.
It could just be your red team conducting something,
an operation.
So it just requires some look into that activity just as anything else would.
But if you fall within that geographical focus and you're in that targeted sector, you know
your organization is a target of China, and you see something like this in your environment,
then that would definitely require some further investigation.
Well, you mentioned earlier that there's a certain amount of sophistication here from this actor.
I mean, how would you rate them as you look at the various groups you've been tracking?
Is this more sophisticated than average?
In my personal opinion, yes, I would say so.
I think this threat actor definitely took some steps
to up their game.
This is the TTPs that they chose to employ in this campaign
were incredibly intentional.
Snowlight malware is a custom malware
that takes time and effort to develop something like that.
This VShell RAT malware is open source,
which is just convenient.
But it is a very capable tool as well.
But then like I said, that WebSocket C2 is pretty uncommon.
So this threat actor is really thinking through
from beginning to end of campaign.
And yes, I would say fairly well advanced
as opposed to some other threat groups.
I mean, you could definitely, he's state sponsored.
So this isn't just a regular cyber criminal.
This isn't a ransomware group.
This isn't just luck.
Everything that this threat actor is doing is intentional.
And the capabilities of this campaign definitely show that.
What about persistence? I mean if someone discovers that they have an issue here
and they go to remove it, are there things that the threat actors put in
place to be able to stick around?
The VShell malware is supposed to allow the threat actor persistence. Unfortunately, with these campaigns, we have yet to identify what the initial access vector was.
So if you have been a target of UNC5174 and you are seeing
Snowlight malware and you're seeing VShell in your environment.
Obviously that's definitely going to trigger a much larger investigation and it could have started
with a spear phishing campaign, right? Stolen credentials, if there's a vulnerability,
a misconfiguration, I don't know.
So if you're able to remove the malware from your system when you find it, that's great.
But if you're not able to trace back to how the threat actor got into your environment,
then they're just going to let themselves back in.
So like I said, in this case, unfortunately, we don't know how they're getting into the
environments right now.
But typically, from all of the reporting that we're seeing, it's usually done in pretty
similar fashion across the board.
So you look for those typical initial access vectors
and remediate those issues.
Does the fact that it's fileless, as you mentioned,
does that add extra complications?
It makes it difficult to track
because there's nothing,
there's no code execution that exists.
Again, it makes it harder to just write
simple detection analytics to capture behavior
happening in your environment.
So that's just the challenging aspect of it.
If you don't know that this is happening,
you don't know what to look for,
then you're never going to alert on this kind of behavior.
But if you're staying up on threat intelligence
and you're reading these kinds of reports,
sharing with your friends and ISACs and things like that,
then that's how you can mitigate this from happening in the future.
Our thanks to Crystal Morin from Sysdig for joining us.
The research is titled, UNC5174's Evolution in China's
Ongoing Cyber Warfare: From SNOWLIGHT to VShell. We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what
you think of this podcast. Your feedback ensures we deliver the insights that keep you a step
ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is
Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.