Researchers at Mandiant have discovered custom malware deployed by a group of China-linked threat actors to steal user credentials and maintain persistence across firmware upgrades on a SonicWall SMA appliance. The malware consists of a series of bash scripts and an ELF binary identified as a TinyShell variant.
According to Mandiant, the hackers have a deep understanding of the system, and the malware is well-tailored to the appliance to provide stability and maintain persistence, even in the case of firmware upgrades.
The primary purpose of the malware is to steal hashed credentials from all logged-in users. It does this by routinely executing the SQL command "select userName, password from Sessions" against the sqlite3 database /tmp/temp.db and copying the results out to the attacker-created text file /tmp/syslog.db.
The source database /tmp/temp.db is used by the appliance to track session information, including hashed credentials. Once retrieved by the attacker, the hashes can be cracked offline. Mandiant believes that the malware, or a predecessor of it, was likely first installed in 2021, giving the attackers persistent access.
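As an added detection example, not code from Mandiant or from the report itself, the following Python scanner flags shell-script lines that match the credential-harvesting behaviour described above (a sqlite3 query for userName and password from Sessions against /tmp/temp.db, and writes to /tmp/syslog.db). The sample script it runs over is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from the description above.
SESSION_DB = "/tmp/temp.db"
EXFIL_FILE = "/tmp/syslog.db"
# Matches the credential query, tolerating whitespace, quoting and case
# differences as they appear in shell one-liners.
SESSIONS_QUERY = re.compile(
    r"select\s+username\s*,\s*password\s+from\s+sessions", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def scan_script(text: str) -> list[Finding]:
    """Return one Finding per non-comment line matching an indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if SESSIONS_QUERY.search(stripped) and SESSION_DB in stripped:
            findings.append(Finding(n, "Sessions credential query against session DB", stripped))
        elif EXFIL_FILE in stripped:
            findings.append(Finding(n, "write to attacker artifact path", stripped))
    return findings


# Constructed sample: one benign line plus lines shaped like the behaviour described.
SAMPLE = """\
#!/bin/bash
# constructed housekeeping line (benign)
logger -t sma "nightly maintenance"
sqlite3 /tmp/temp.db 'select userName, password from Sessions' >> /tmp/syslog.db
SQLITE3=/usr/bin/sqlite3
$SQLITE3 /tmp/temp.db "SELECT userName,password FROM Sessions"
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE):
        print(f"line {f.line_no}: {f.reason}: {f.text}")
```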
Developing malware for a managed appliance is complex and requires deep knowledge of the target. According to Mandiant, vendors typically do not enable direct access to the Operating System or filesystem for users, making it difficult to develop such custom malware.
While it remains unclear how the attackers gained initial access to the unpatched SonicWall SMA appliance, Mandiant experts believe the threat actors may have exploited a known vulnerability.