Chinese cyberespionage group deploys custom backdoors on Juniper routers


Junos OS gives administrators a custom command-line interface (CLI) for issuing Junos-specific commands, but it also lets them drop to the underlying FreeBSD shell and use the general-purpose FreeBSD command-line tools and programs.

The OS also implements a modified variant of the NetBSD Verified Exec (veriexec), a kernel-based file integrity verification subsystem whose goal is to protect against the execution of unauthorized binaries. As such, deploying and running any malware implant requires a bypass of this feature or disabling it entirely, which could raise alerts.

UNC3886 developed a process injection technique to bypass veriexec: it starts a hung process using the built-in, legitimate cat utility, writes a malicious shellcode loader into specific memory regions of that cat process, and then coerces the process into executing the injected code. Because the malicious code runs inside an already-trusted, signed process, veriexec never sees an unauthorized binary being executed and the check is bypassed.
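A defender looking for this technique on the FreeBSD side of a Junos device can at least hunt for the footprint the article describes: a long-lived cat process that is reading stdin (no file operand) or sitting stopped, which is not how cat is normally used interactively. The script below is an added example written for this page, not code from the Mandiant report or from Juniper; the "no operand or stopped, and alive longer than a threshold" heuristic is an assumption about what a hung cat looks like, and the ps output it parses is constructed sample data, not real router output. On a live box, replace the sample with the `ps -axo pid,ppid,etime,stat,comm,args` call shown in the comment (assumed to be supported by the Junos FreeBSD ps).

```shell
#!/bin/sh
# Hunt for hung cat processes that could host an injected shellcode loader.
# Constructed sample of `ps -axo pid,ppid,etime,stat,comm,args` output
# (fabricated for this example; columns: PID PPID ELAPSED STAT COMM COMMAND).
SAMPLE_PS='  PID  PPID     ELAPSED STAT COMM  COMMAND
 1234     1    03:12:44 Ss   sshd  /usr/sbin/sshd
 4410  4409       00:02 R+   cat   cat /var/log/messages
 4511  4409  2-04:10:33 S    cat   cat
 4512  4409  2-04:10:31 T    cat   cat -
 4600  4409       00:15 S+   sh    sh'

# Source of process listing. On a real device use the real ps instead:
#   ps -axo pid,ppid,etime,stat,comm,args   (assumed ps keywords)
ps_source() {
  echo "$SAMPLE_PS"
}

# Print the PIDs of cat processes that have been alive longer than $1 seconds
# and either have no file operand (cat reading stdin, or "-") or are stopped (T).
# Elapsed time is parsed from ps's [[dd-]hh:]mm:ss format.
suspicious_cats() {
  threshold="$1"
  ps_source | awk -v th="$threshold" '
    NR == 1 { next }               # skip the header line
    $5 != "cat" { next }           # only look at cat processes
    {
      n = split($3, t, /[-:]/)     # ELAPSED -> seconds
      s = t[n] + 0
      m = t[n-1] + 0
      h = (n >= 3) ? t[n-2] + 0 : 0
      d = (n >= 4) ? t[n-3] + 0 : 0
      secs = d*86400 + h*3600 + m*60 + s
      noargs  = (NF < 7) || ($7 == "-")   # no operand: cat is reading stdin
      stopped = ($4 ~ /T/)                # STAT contains T: process is stopped
      if (secs > th && (noargs || stopped)) print $1
    }'
}

# Example run: flag cat processes older than 10 minutes.
suspicious_cats 600
```

A hit is only a lead, not proof of compromise: an operator who left `cat` waiting in a paused session will also match. The follow-up is to inspect the process (its parent, its open descriptors, and whether its memory mappings contain anything executable that a plain cat would not have) rather than to kill it, so that evidence survives for forensics.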
