SonicWall Under Siege: The ‘OVERSTEP’ Rootkit Explained and How to Remove It

By CyberDudeBivash • September 2025

A deep dive into the OVERSTEP rootkit targeting SonicWall SMA appliances — and the path to detection, removal, and hardening.

Disclosure: This post contains affiliate links. If you use them, CyberDudeBivash may earn a commission at no extra cost to you. We only recommend vetted cybersecurity courses and tools that strengthen enterprise defenses.

When you think about trusted names in network security, SonicWall has often been on the shortlist. For decades, its firewalls and secure remote access appliances have been deployed by enterprises and SMBs worldwide. But in 2025, that trust has been put under extreme stress: a stealthy new user-mode rootkit, dubbed OVERSTEP, has been discovered in the wild targeting SonicWall’s SMA 100 series appliances.

The sophistication of OVERSTEP is not just in its ability to hide. It represents a strategic escalation: attackers are exploiting not only vulnerabilities but also the fundamental trust organizations place in their remote access infrastructure. Even fully patched devices were found compromised, shaking confidence in “patch and done” security models.

In this CyberDudeBivash Authority Report, we unpack OVERSTEP in detail: where it came from, how it works, what makes it dangerous, how defenders can detect it, and — most importantly — how organizations can remove it and harden their infrastructure against future attacks.

Background: SonicWall SMA and Enterprise Exposure

SonicWall’s Secure Mobile Access (SMA) appliances are widely used gateways providing SSL VPN access to enterprise networks. The SMA 100 series (models 210, 410, 500v) is particularly popular among SMBs, MSSPs, and mid-sized enterprises. They often sit at the perimeter, directly exposed to the internet, making them high-value targets for attackers.

Historically, SMA appliances have had their share of vulnerabilities. CVEs dating back to 2021 — including remote code execution and authentication bypass flaws — have made headlines. Threat actors have weaponized these flaws for ransomware campaigns, espionage, and initial access operations. For defenders, patching SMA devices has been a routine but urgent task.

However, OVERSTEP marks a turning point. Unlike typical vulnerabilities, this rootkit is about stealth and persistence. It installs itself in a way that survives reboots, hides its presence from administrators, and leverages compromised credentials from earlier breaches. It’s not just a single exploit — it’s an entire post-exploitation toolkit.

Discovery of the OVERSTEP Rootkit

OVERSTEP was first documented by Google Cloud’s Mandiant team in mid-2025, who attributed its use to the threat group UNC6148. According to their research, UNC6148 targeted both patched and unpatched SMA 100 appliances, installing OVERSTEP to maintain persistent access.

Key findings from the discovery include:

  • Persistence via /etc/ld.so.preload: OVERSTEP modifies this Linux configuration file to load a malicious shared object into multiple processes at boot.
  • Function hooking: It intercepts functions like open, readdir, and write, allowing it to hide its files and processes and to erase log entries.
  • Data theft: The rootkit exfiltrates persist.db and temp.db — SQLite databases storing sensitive data such as OTP seeds, admin credentials, and session info.
  • Stealth: Even security-conscious admins failed to notice it for months, since logs were systematically tampered with.

What makes OVERSTEP especially dangerous is that it appears on devices that have been fully patched. Attackers reused previously harvested credentials (from pre-2024 intrusions) to regain access and drop the rootkit. This means enterprises cannot assume that patching alone equals safety.

Upgrade your skills: Learn advanced rootkit analysis and defense strategies with EDUREKA’s Cybersecurity Masterclass.

Part 2 — Rootkit Mechanics, Case Studies & Removal

Technical breakdown of OVERSTEP, how it operates, and defender-focused removal guidance.

How OVERSTEP Works (Rootkit Mechanics)

OVERSTEP is a user-mode rootkit installed on SonicWall SMA 100 series appliances. It doesn’t live in the kernel; instead, it leverages Linux ld.so.preload injection to hijack standard library calls across processes. This makes it stealthy, persistent, and difficult to detect.

Persistence via ld.so.preload

The file /etc/ld.so.preload is read by the dynamic loader (ld.so), which loads every shared object listed there into each dynamically linked process before the program's own libraries. OVERSTEP adds its malicious library to this file, so every process started afterwards inherits its hooked functions.

  • Functions hooked: open, open64, readdir, readdir64, write.
  • Impact: Hides files and processes, and cleans log entries when defenders attempt forensic analysis.
  • Stealth factor: Since hooks happen in user space, kernel rootkit detectors often miss it.

Data Exfiltration Targets

  • persist.db / temp.db: SQLite databases storing admin credentials, OTP seeds, and VPN session tokens.
  • SSL/TLS Certificates: Extracted for impersonation or MITM attacks.
  • System configuration files: Captured to allow re-compromise if the device is rebuilt without a full wipe.

Log Tampering

OVERSTEP systematically wipes or edits log entries to hide evidence. For example:

  • httpd.log entries referencing malicious connections are removed.
  • inotify.log anomalies are hidden.
  • Custom tools run by administrators may see falsified outputs.

This ability to erase footprints is why OVERSTEP remained undetected on some appliances for months.

Case Studies of OVERSTEP in the Wild

Case 1: Compromise of a Financial Services SMB

An SMB with ~500 employees used SonicWall SMA 410 appliances for remote staff. Even after patching to the latest firmware in early 2025, their device was compromised. Forensics revealed /etc/ld.so.preload had been modified to load an unknown ELF shared object.

Attackers exfiltrated admin credentials and pivoted into the internal HR system. The breach lasted 4 weeks before detection. Root cause: previously stolen credentials reused to reinfect the device.

Case 2: MSSP Targeted with Multi-tenant Exposure

A managed security service provider (MSSP) running multiple SMA appliances for clients was hit. Attackers deployed OVERSTEP and gained access to VPN sessions belonging to multiple customers. The MSSP had to rotate hundreds of customer certificates and credentials. This highlighted that service providers are high-value targets.

Case 3: Ghost Log Investigation

Admins at a healthcare provider noticed gaps in logs. SIEM ingestion showed missing records around certain timestamps. After deeper forensic review, investigators found ld.so.preload injection and hidden log entries — confirming OVERSTEP activity.

Threat Actor Tactics, Techniques & Procedures (UNC6148)

  • Initial access: Reuse of stolen admin credentials from prior compromises.
  • Persistence: ld.so.preload injection for stealth loading.
  • Privilege escalation: Use of admin-level tokens from persist.db.
  • Defense evasion: Log manipulation, file hiding.
  • Exfiltration: Harvest of DBs, certificates, session tokens.

UNC6148 demonstrates a trend: attackers don’t need zero-days once they have credential footholds. They focus on persistence and stealth.

How to Remove OVERSTEP & Mitigate Risks

Removing OVERSTEP is non-trivial because it persists across reboots and manipulates logs. SonicWall has released firmware with rootkit removal logic, but defenders should treat affected devices as potentially backdoored.

Step 1 — Patch to Firmware 10.2.2.2-92sv (or later)

SonicWall’s July 2025 firmware update includes file integrity checks to detect and remove known rootkit artifacts. This is a critical first step.

Step 2 — Inspect Key Files

  • /etc/ld.so.preload → check for unexpected shared objects.
  • System library directories → look for unusual ELF binaries.
  • Boot scripts (rc.fwboot, INITRD images) → check for tampering.
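A defender-side audit of the preload file, covering both the persistence mechanism described under "Persistence via ld.so.preload" and the Step 2 check of /etc/ld.so.preload; this is an added example, not SonicWall's, Mandiant's, or the firmware's own logic. It assumes a generic glibc layout; the TRUSTED_DIRS allowlist and the sample file are constructed, and because OVERSTEP hooks open and readdir, the check is only trustworthy against an offline copy of the filesystem (pass root as the image's mount point).

```python
"""Audit an ld.so.preload file for unexpected entries (added defender example)."""
import stat
from pathlib import Path

# Assumption: where legitimately preloaded libraries would live on the appliance.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
ELF_MAGIC = b"\x7fELF"


def parse_preload(text: str) -> list[str]:
    """Split the file the way glibc's loader does: entries separated by
    whitespace or ':', with '#' starting a comment that runs to end of line."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0]
        entries.extend(body.replace(":", " ").split())
    return entries


def audit_entry(entry: str, root: Path = Path("/")) -> list[str]:
    """Return findings for one listed library; an empty list means nothing odd.
    root lets the check run against a mounted image instead of the live system."""
    findings = []
    if not entry.startswith("/"):
        findings.append("relative path")
    if not any(entry.startswith(d + "/") for d in TRUSTED_DIRS):
        findings.append("outside standard library directories")
    target = root / entry.lstrip("/")
    if not target.is_file():
        findings.append("listed but not present (removed, or hidden by a hook)")
        return findings
    if target.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world writable")
    with target.open("rb") as fh:
        if fh.read(4) != ELF_MAGIC:
            findings.append("not an ELF object")
    return findings


def audit_preload(text: str, root: Path = Path("/")) -> dict[str, list[str]]:
    """Map every listed library to its findings. Any entry at all deserves
    review, since the guidance above is to look for unexpected shared objects."""
    return {e: audit_entry(e, root) for e in parse_preload(text)}


if __name__ == "__main__":
    # Constructed sample: one plausible-looking entry and one in a scratch directory.
    sample = "# constructed sample\n/usr/lib/libexample.so.1:/var/tmp/.cache/libxyz.so\n"
    for lib, issues in audit_preload(sample).items():
        print(lib, "->", issues or ["no findings"])
```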

Step 3 — Isolate & Rebuild

If artifacts are found, isolate the appliance from the network. Rebuild from a clean firmware image. Avoid restoring configs or certificates from compromised backups.

Step 4 — Rotate Credentials & Certificates

  • Reset all administrator passwords.
  • Revoke and reissue SSL/TLS certificates.
  • Re-enroll OTP/MFA apps for all users — OTP seeds may be stolen.

Step 5 — Harden Configuration

  • Disable WAN-side admin access.
  • Restrict VPN access by IP where possible.
  • Enable syslog forwarding to off-device collectors for immutable logging.

Step 6 — Monitor for Residual Activity

  • Unexpected admin logins post-rebuild.
  • Device reboots without clear reason.
  • New artifacts in /etc or library paths.

Enterprise VPN Security Tip: Replace aging SMA appliances with hardened alternatives — explore Alibaba WW enterprise security solutions.


Part 3 — Detection, CISO Playbook & Final Guidance

Detection dashboards, policy guidance, FAQs, and affiliate resources for enterprise defenders.

Detection Dashboards & SOC Integration

To detect OVERSTEP, enterprises must go beyond device-level checks. SIEM dashboards, external log collectors, and file integrity monitoring (FIM) are crucial:

Key Metrics for SOC Dashboards

  • File Integrity Events: Changes to /etc/ld.so.preload, rc.fwboot, or INIT scripts.
  • Database Access Patterns: Unexpected reads of persist.db and temp.db.
  • Admin Login Behavior: Spike in logins from unusual IPs, geographies, or odd hours.
  • Certificate Activity: SSL/TLS certificate exports or downloads.
  • Syslog Gaps: Time-window anomalies in forwarded logs compared to local logs.

Detection Query Example (Splunk)

index=sonicwall_logs event_type=file_change
| search file="/etc/ld.so.preload"
| stats count by host, user, _time

Externalize logging: Forward all SMA appliance logs to a centralized collector. Rootkits can erase local logs, but external syslog servers preserve evidence.
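An illustration of the syslog-gap metric and of why external collectors matter, added here as an example (not SonicWall, Splunk, or Mandiant code): it compares the device's local log with the copy an off-device collector received, reporting records that vanished locally and quiet windows in which the collector still saw activity. The line format and both sample logs are constructed, not the SMA's native format.

```python
"""Compare a local appliance log with its off-device syslog copy (added example)."""
from datetime import datetime, timedelta

# Constructed sample logs (not real SMA output). Assumed line format:
# "<ISO-8601 UTC timestamp> <message>". The forwarded copy is what the
# collector received; the local copy has two records removed.
FORWARDED_LOG = [
    "2025-07-12T03:00:00Z httpd: session start user=jdoe src=198.51.100.4",
    "2025-07-12T03:02:10Z httpd: admin login user=admin src=203.0.113.7",
    "2025-07-12T03:03:40Z httpd: admin download file=persist.db src=203.0.113.7",
    "2025-07-12T03:09:15Z httpd: session end user=jdoe",
    "2025-07-12T03:30:00Z cron: scheduled backup completed",
]
LOCAL_LOG = [FORWARDED_LOG[0], FORWARDED_LOG[3], FORWARDED_LOG[4]]


def parse(lines):
    """Turn log lines into sorted (timestamp, message) tuples."""
    out = []
    for line in lines:
        ts, _, msg = line.strip().partition(" ")
        out.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), msg))
    return sorted(out)


def missing_locally(local, forwarded):
    """Records the collector holds that are absent from the device's own log:
    direct evidence of local tampering, since the rootkit cannot reach the collector."""
    have = set(parse(local))
    return [rec for rec in parse(forwarded) if rec not in have]


def silent_windows(local, forwarded, max_gap=timedelta(minutes=5)):
    """Quiet stretches in the local log longer than max_gap, each annotated with
    how many forwarded records fall inside it. A non-zero count means the device
    was active while its local log says nothing: that window needs review."""
    loc = parse(local)
    fwd_times = [ts for ts, _ in parse(forwarded)]
    windows = []
    for (start, _), (end, _) in zip(loc, loc[1:]):
        if end - start > max_gap:
            inside = sum(1 for ts in fwd_times if start < ts < end)
            windows.append((start, end, inside))
    return windows


if __name__ == "__main__":
    for ts, msg in missing_locally(LOCAL_LOG, FORWARDED_LOG):
        print("missing locally:", ts.isoformat(), msg)
    for start, end, n in silent_windows(LOCAL_LOG, FORWARDED_LOG):
        print(f"local silence {start:%H:%M:%S}-{end:%H:%M:%S}: {n} forwarded record(s) inside")
```

The same comparison can be run continuously from the SIEM side; the Splunk query above finds the file change, while this check finds the records the rootkit removed.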

Enterprise Prevention Checklist

  1. Patch SMA appliances immediately to firmware v10.2.2.2-92sv or later.
  2. Deploy file integrity monitoring on /etc/ and system library directories.
  3. Rotate ALL administrator and VPN credentials. Reissue certificates.
  4. Disable WAN-side administrative access entirely.
  5. Forward logs to off-device SIEM and check for anomalies.
  6. Plan migration away from SMA 100 series — end-of-support is Dec 2025.

CISO & DevSecOps Playbook

CISOs must treat OVERSTEP as more than a technical rootkit: it’s an organizational trust crisis. The playbook:

Strategic Actions

  • Asset Visibility: Maintain inventory of all SonicWall appliances across environments.
  • Zero Trust Principles: Do not assume VPN access = trusted. Layer identity and behavioral analytics.
  • Third-party Oversight: Ensure MSSPs and vendors with SMA exposure are remediating correctly.

Operational Actions

  • Run quarterly red team simulations focused on rootkit persistence and detection.
  • Mandate OAuth and credential rotation following any SonicWall compromise.
  • Adopt endpoint monitoring for admins managing appliances — rootkits target admin laptops too.

Policy Actions

  • Enforce SSO and hardware MFA for all VPN admins.
  • Require SIEM integration of all appliance logs.
  • Mandate end-of-life migration planning — no SMA 100 device should remain after Dec 2025.

FAQ — SonicWall OVERSTEP Rootkit

Q: Can OVERSTEP survive firmware updates?

A: Early versions survived reboot and persisted via preload injection. SonicWall’s latest firmware introduces rootkit removal capabilities, but forensic validation is required post-upgrade.

Q: Are patched devices still vulnerable?

A: Yes, if credentials were stolen previously. OVERSTEP infections were observed on fully patched appliances where attackers re-entered using old admin creds.

Q: What data does OVERSTEP steal?

A: Admin credentials, OTP seeds, session tokens, TLS certificates, and system configs — enabling lateral movement and long-term espionage.

Q: How can enterprises confirm removal?

A: After firmware upgrade, check /etc/ld.so.preload, system libraries, and INIT scripts. Use file integrity monitoring to confirm no malicious shared objects remain.

Q: Is replacing hardware necessary?

A: If high-confidence compromise is detected, yes. SonicWall itself advises migrating off SMA 100 series as EoS (Dec 2025) approaches.

Learn Rootkit Defense: Master advanced malware removal with EDUREKA’s Cybersecurity Bootcamp.

CyberDudeBivash Guidance & Affiliate Resources

Facing SonicWall Rootkit Risks?

CyberDudeBivash offers forensic investigation, rootkit removal, SonicWall hardening, and enterprise migration consulting. Don’t face OVERSTEP alone — secure your infrastructure with experts.

Partner with us → cyberdudebivash.com

