Fortinet and Ivanti zero-day victims face persistence from the espionage actor.

“REPTILE appeared to be the rootkit of choice for UNC3886, as it was seen being deployed rapidly after access was gained to sensitive areas,” added Mandiant. “REPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides backdoor access to the system.”

MEDUSA, in turn, is an open-source rootkit capable of logging user credentials from successful authentications, local or remote, and of logging command execution. “These capabilities are useful to UNC3886 as a way of moving laterally using legitimate credentials,” added Mandiant.
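An LKM rootkit such as the one described above typically unlinks itself from the kernel's module list, so it vanishes from /proc/modules and lsmod while its /sys/module/<name> entry often remains. The following check is an added illustration of that cross-view comparison, written for this page and not taken from the article or from Mandiant; the module name "hideme" and the sample listing are constructed, and the heuristic yields leads to investigate, not proof of compromise.

```python
"""Cross-check two kernel views of loaded modules to surface a hidden LKM."""
import os
from typing import Iterable, Set


def parse_proc_modules(text: str) -> Set[str]:
    """Return module names from /proc/modules content (first column of each line)."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def loaded_sysfs_modules(sysfs_root: str = "/sys/module") -> Set[str]:
    """Names under /sys/module that carry an 'initstate' file, i.e. loadable
    modules that were actually loaded (built-in kernel code has no initstate)."""
    found = set()
    try:
        entries = os.listdir(sysfs_root)
    except OSError:
        return found
    for name in entries:
        if os.path.exists(os.path.join(sysfs_root, name, "initstate")):
            found.add(name)
    return found


def hidden_modules(proc_names: Iterable[str], sysfs_names: Iterable[str]) -> Set[str]:
    """Modules present in sysfs but missing from /proc/modules: a classic sign
    that something removed itself from the kernel's module list."""
    return set(sysfs_names) - set(proc_names)


# Constructed sample: /proc/modules as a rootkit would present it, with the
# placeholder module "hideme" unlinked from the list but still visible in sysfs.
SAMPLE_PROC_MODULES = """\
ext4 790528 2 - Live 0xffffffffc0a00000
xfs 1523712 0 - Live 0xffffffffc0b00000
"""
SAMPLE_SYSFS = {"ext4", "xfs", "hideme"}


def check_sample() -> Set[str]:
    """Run the comparison over the constructed sample; expected result: {'hideme'}."""
    return hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS)


if __name__ == "__main__" and os.path.exists("/proc/modules"):
    with open("/proc/modules") as fh:
        live = hidden_modules(parse_proc_modules(fh.read()), loaded_sysfs_modules())
    print("modules in sysfs but not in /proc/modules:", sorted(live) or "none")
```

Run as root on a Linux host to compare the live views; a non-empty result warrants a memory-forensics look rather than trust in any tool running on the suspect box.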

Using trusted third parties as C2

The threat actor has been seen using malware, such as MOPSLED and RIFLESPINE, that uses trusted third-party services including GitHub and Google Drive as command-and-control (C2) channels, while relying on rootkits to maintain persistence.
