Cyberespionage Group Targeting M&A, Corporate Transactions Personnel
Security researchers at Mandiant are documenting the discovery of a new hacking group focused on cyberespionage targeting employees responsible for corporate development, large corporate transactions, and mergers and acquisitions.
Referred to as UNC3524 – Mandiant uses ‘UNC’ to track uncategorized hacking groups – the threat actor does not appear interested in immediate financial gain, given that it manages to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021.
Mandiant said the group managed to stay under the radar partly through the use of backdoors installed on appliances that do not support security tools, but also displays a high level of operational security and evasive skills.
The group has a small malware footprint, has built a large Internet of Things (IoT) botnet, and shows a focus on maintaining persistent access to the target environments by employing various mechanisms to immediately re-compromise a network after being booted, Mandiant said in a report.
After gaining initial access to a network, the group was observed installing a novel backdoor called QUIETXIT that was built on open-source Dropbear SSH client-server software – on appliances running older BSD or CentOS iterations. This has allowed the malicious file to remain undetected for more than 18 months.
“For their long-haul remote access, UNC3524 opted to deploy QUIETEXIT on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs), subsequently leaving the underlying operating systems to vendors to manage,” Mandiant added.
The researchers found that QUIETEXIT was designed in such a manner that it reverses the traditional client-server roles in an SSH connection: the client running on the infected system establishes a TCP connection and then performs the SSH server role.
“The QUIETEXIT component running on the threat actor’s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS,” Mandiant said.
While QUIETEXIT has no persistence mechanism, UNC3524 would install a run command or hijack legitimate startup scripts to ensure the backdoor runs at system startup.
According to Mandiant, the observed QUIETEXIT command and control (C&C) servers use dynamic DNS providers, which allows the adversary to update the DNS records almost seamlessly.
In some instances, the threat actor deployed a secondary backdoor called REGEORG, a web shell designed to create a SOCKS proxy. Mandiant said the web shell was deployed on severs that had internet access in a manner that it would blend with legitimate applications (using specific names and even employing timestomping to match its timestamp with that of other files).
“UNC3452 only used these web shells when their QUIETEXIT backdoors stopped functioning and only to re-establish QUIETEXIT on another system in the network. UNC3452 used a still public but little-known version of the web shell that is heavily obfuscated. This allowed them to bypass common signature-based detections for REGEORG,” according to the Mandiant report.
To keep the malware footprint low, the attackers relied on built-in Windows protocols. Lateral movement was obtained through a customized version of Impacket’s WMIEXEC tool, which employs Windows Management Instrumentation to create a semi-interactive shell.
UNC3524 was observed employing privileged credentials to access the victim’s mail environment and target the mailboxes of executive teams and personnel in departments such as corporate development, IT security, or mergers and acquisitions.
The threat actor then moved to extract specific emails from the victim mailboxes, after getting a better understanding of those mailboxes – specifically, items created after the threat actor last accessed the mailbox were targeted for exfiltration.