UNC6148 Exploits SonicWall SMA with OVERSTEP Backdoor

Published Date: July 17, 2025
Category: ShadowOpsIntel
Share:

Google Threat Intelligence Group (GTIG) and Mandiant have uncovered an ongoing exploitation campaign targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. This attack, attributed to UNC6148, involves a sophisticated rootkit named OVERSTEP, used to maintain persistent access, exfiltrate credentials, and potentially enable extortion and ransomware operations.

Severity Level: High

Threat Overview

    • Threat Actor: Financially motivated group UNC6148, possibly tied to ransomware gang VSOCIETY.
    • Campaign Scale: Ongoing since at least October 2024; multiple organizations affected.
    • Affected Products / Versions: Fully patched end-of-life SonicWall SMA 100 series appliances.
    • Malware: OVERSTEP – a persistent user-mode rootkit and backdoor.
    • Attack Vectors: Reuse of stolen credentials, likely exploitation of known and possibly zero-day vulnerabilities.

    Attack Flow

    1. Initial Compromise

    • Entry Vector: Possibly exploitation of,
      • CVE-2021-20038 – RCE via memory corruption.
      • CVE-2024-38475 – Path traversal allowing SQLite DB exfiltration (e.g., persist.db, temp.db with OTPs).
      • CVE-2021-20035, 20039, 2025-32819 – Authenticated RCE and credential reset vectors.
    • Credential Access: UNC6148 used admin credentials they likely exfiltrated in earlier campaigns.
    • Date of Initial Access: As early as January 2025 via observed network metadata.

    2. Establishing Persistence via SSL VPN

    • In June 2025, UNC6148 initiated SSL VPN access using local admin credentials.
    • Access originated from 193.149.180[.]50 (BitLaunch VPS).
    • Once connected, they spawned a reverse shell, exported/imported appliance settings, and modified network access rules.

    3. Deployment of OVERSTEP Backdoor

    • The attacker:
      • Decoded a base64 payload to a file /cf/xxx.elf.
      • Renamed and moved it to /usr/lib/libsamba-errors.so.6.
      • Appended this path to /etc/ld.so.preload, ensuring persistent loading on every process start.
      • Timestomping and chmod 777 made detection harder.
      • Persistence achieved by modifying bootloader script rc.fwboot to reinject the backdoor into INITRD.GZ, which is loaded at boot.

    4. INITRD Bootloader Hijack Process

    • UNC6148 modified the SMA’s boot sequence:
      • Decompressed INITRD.GZ, mounted it, and inserted malicious .so file.
      • Recompressed and replaced the INITRD file with the infected one.
      • Used kexec to soft reboot into the infected kernel with OVERSTEP preloaded.

    5. OVERSTEP Rootkit Capabilities

    • Hijacks libc functions (open, write, readdir) to:
      • Launch reverse shells (dobackshell).
      • Exfiltrate sensitive files (dopasswords) like:
        • /tmp/temp.db
        • /etc/EasyAccess/var/conf/persist.db
        • /etc/EasyAccess/var/cert/
    • Places TAR archive in web directory: /usr/src/EasyAccess/www/htdocs/ with chmod 777.

    6. Log Cleansing and Anti-Forensics

    • OVERSTEP uses sed to delete its own traces from:
      • /var/log/httpd.log
      • /var/log/http_request.log
      • /var/log/inotify.log

    This limits forensic visibility into command execution and secondary actions.

    7. Command Execution via HTTP

    • Commands embedded in HTTP queries
    • The malicious write function intercepts these requests, parses the buffer, and executes commands in memory.

    8. Post-Compromise Observations

    • Minimal lateral movement was observed.
    • Evidence of beaconing traffic and persistence, but not active ransomware deployment (yet).
    • One compromised organization showed up on “World Leaks” in June 2025.

    Recommendations

    1. Reset ALL credentials on impacted and potentially exposed SMA appliances.
    2. Decommission end-of-life (EOL) SMA 100 series devices. These are unsupported and not receiving security updates. Replace with supported alternatives and ensure firmware is kept up to date.
    3. Acquire full disk images and perform offline forensic analysis looking for:
      o /etc/ld.so.preload (should not exist on SMA)
      o /usr/lib/libsamba-errors.so.6 (malicious .so file)
      o Modified INITRD and rc.fwboot script
    4. Look for unexpected binaries in /cf/ and /usr/lib/.
    5. Monitor for:
      o HTTP requests with suspicious query parameters: dobackshell, dopasswords
      o VPN logins from unusual IPs or geo-locations, especially low-reputation hosting services
      o Events such as: “Current settings exported/imported”, “Clear all logs manually”
      o Creation of TAR files in web directories (/usr/src/EasyAccess/www/htdocs/)
    6. Revoke and reissue any SSL certificates stored or used by the SMA appliance.
    7. Block the IOCs at their respective controls.
      https://www.virustotal.com/gui/collection/b1562abeffbc37865c4a3ecb6dc1cc359c28ff6575ca4ae899476dcf61cf3869/iocs

    Source:

    • https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor

    Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

    No related posts found.

    Ampcus Cyber
    Privacy Overview

    This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

     Talk to an expert