UNC6148 rolls out new rootkit, OVERSTEP, in suspected zero-day campaign against SonicWall Secure Mobile Access 100 series appliances. Leaked data has already surfaced on World Leaks.

A newly discovered malware campaign is targeting legacy SonicWall Secure Mobile Access (SMA) 100 series appliances, deploying a sophisticated user-mode rootkit known as OVERSTEP. The campaign, attributed to the financially motivated threat group UNC6148, has enabled persistent access to enterprise networks, credential theft, and facilitated follow-on extortion activities linked to ransomware operators.

Stealthy Backdoor Targets End-of-Life SonicWall Devices

Even when fully patched, end-of-life SonicWall SMA 100 series devices have become a favored infiltration point for UNC6148, a threat actor known for gaining advanced, persistent access to network edge appliances. These devices serve as critical access gateways for remote users, but their discontinued status and the absence of ongoing vendor support make them an attractive target for attackers.

OVERSTEP, a newly discovered rootkit and backdoor, was observed on compromised appliances, giving attackers long-term, covert access by modifying core system behavior while evading detection. The malware collects sensitive information, establishes command-and-control channels, and hides its presence using anti-forensic techniques.

Likely Use of Zero-Day or Known Vulnerabilities

While the exact initial access vector remains unidentified, investigators suspect that the initial compromise involves the exploitation of vulnerabilities in the SMA platform. Potential entry points include previously disclosed bugs such as CVE-2021-20035, CVE-2021-20038, and CVE-2024-38475, or a new zero-day vulnerability that has yet to be publicly disclosed.

Following the breach, attackers were observed establishing reverse shell access and using it to deliver the OVERSTEP payload. Once installed, the malware ensured persistence by embedding itself in the system's boot process while manipulating audit logs and monitoring services to minimize detection.

Technical Capabilities of OVERSTEP

Analyses of the OVERSTEP malware detail a feature-rich, user-mode rootkit tailored to the SonicWall SMA environment. Its capabilities include:

  • Stealth and Evasion: Hides malicious processes and files from administrative interfaces and forensic scans.
  • Credential Harvesting: Extracts stored user passwords, OTP (one-time password) seeds, session tokens, and cryptographic certificates.
  • Command-and-Control Operations: Receives remote instructions through covert channels, maintaining ongoing attacker control.
  • Anti-Forensics: Deletes or alters system logs to obscure malicious activity and impede post-incident analysis.

These capabilities allow continuous attacker access and device control, even after reboot or upgrade attempts.

Links to Ransomware and Extortion

Data compromised in these intrusions has surfaced on the leak site World Leaks, which is associated with the Hunters International ransomware group and connected to extortion campaigns involving the Abyss/VSOCIETY ransomware variant. In several cases, enterprise data stolen through OVERSTEP-enabled access was either offered for sale or used to extort victims, demonstrating an apparent operational overlap between UNC6148 and ransomware affiliates.
