Chinese Attackers Set Sights on Linux Systems, Ivanti Appliances

The SNOWLIGHT malware deploys the VShell remote access trojan on victims.

Linux and Ivanti Connect Secure VPN devices have been targeted in separate Chinese malware attack campaigns.

According to research by Sysdig, shared with The Hacker News, the China-linked threat actor known as UNC5174 has been attributed to a new campaign that uses a variant of the known SNOWLIGHT malware together with a new open-source tool called VShell to infect Linux systems.

SNOWLIGHT deploys the VShell remote access trojan, which allows arbitrary command execution and file uploads or downloads, said Sysdig researchers. The initial access vector used for the attack is presently unknown.

Whatever the entry point, that access is used to execute a malicious bash script ("download_backd.sh") that deploys two binaries associated with SNOWLIGHT (dnsloger) and Sliver (system_worker), both of which are used to set up persistence and establish communications with a C2 server.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
