Botnet that hid for 18 months boasted some of the coolest tradecraft ever
It is not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible inside many victim networks.
The group, which security firm Mandiant calls UNC3524, has spent the past 18 months burrowing into victims' networks with unusual stealth. In the event the group was booted out, it wasted no time reinfecting the victim environment and picking up where it left off. Its stealth rests on several things, including:
- A single backdoor, which Mandiant calls Quietexit, that runs on load balancers, wireless access point controllers, and other types of IoT devices that don't support antivirus or endpoint detection software. This makes detection through traditional means difficult.
- Customized versions of the backdoor that use file names and creation dates similar to those of legitimate files present on the specific infected device.
- A live-off-the-land approach that favors common Windows programming interfaces and utilities over custom code, with the goal of leaving as light a footprint as possible.
- An unusual way a second-stage backdoor connects to attacker-controlled infrastructure: in essence, it acts as a TLS-encrypted server that proxies data through the SOCKS protocol.
A tunnel fetish with SOCKS
In a post, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, and Chris Gardner wrote:
Throughout their operations, the threat actor has demonstrated sophisticated operational security that we have seen only a handful of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment's blind spots, including servers running uncommon versions of Linux and network appliances running opaque operating systems. These devices and appliances were running versions of operating systems that are not supported by agent-based security tools and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor's use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the chances of detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.
SOCKS tunneling lets the hackers effectively plug their control servers into the victim's network, where they can run tools without leaving traces on any of the victim's computers: the implant on the appliance opens the connection outward, and the attackers' tooling then rides that connection inward.
A secondary backdoor provides an alternative means of access to infected networks. It is based on a version of the reGeorg web shell that has been heavily obfuscated to make detection harder. The threat actor used it in case the main backdoor stopped working. The researchers explain:
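To make the reversed-roles tunnel concrete, the following is an added example written for this page; it is not Mandiant's code and not Quietexit. The implant side dials out to the operator and then behaves as a SOCKS5 server (RFC 1928) on that outbound connection, so the operator can open TCP connections to hosts inside the network through the implant. The operator listener, the implant, and an internal "host" (an echo server) all run on loopback here so the exchange is self-contained; the TLS layer the article mentions is left out, and the hostnames and ports are whatever the demo binds.

```python
"""Added example (not from the article or Mandiant): a reversed-role SOCKS5 tunnel.

Implant side dials OUT, then serves SOCKS5 on that connection. Operator side
speaks SOCKS5 *client* on the inbound connection and reaches internal hosts.
All endpoints are loopback so this runs offline; no TLS wrapping is done here.
"""
import socket
import struct
import threading

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3


def _read(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def socks_reply(rep: int) -> bytes:
    """VER, REP, RSV, ATYP=IPv4, BND.ADDR=0.0.0.0, BND.PORT=0 (10 bytes)."""
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6


def _pump(a: socket.socket, b: socket.socket) -> None:
    """Relay bytes in both directions until both sides reach EOF."""
    def one_way(src, dst):
        try:
            while data := src.recv(4096):
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass
    threads = [threading.Thread(target=one_way, args=p, daemon=True) for p in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def implant_serve_socks(conn: socket.socket) -> None:
    """Implant side: SOCKS5 *server* on a connection the implant itself opened."""
    ver, nmethods = _read(conn, 2)                  # greeting: VER NMETHODS METHODS
    methods = _read(conn, nmethods)
    if ver != SOCKS_VER or 0x00 not in methods:     # only 'no authentication' here
        conn.sendall(bytes([SOCKS_VER, 0xFF]))
        conn.close()
        return
    conn.sendall(bytes([SOCKS_VER, 0x00]))
    ver, cmd, _rsv, atyp = _read(conn, 4)           # request: VER CMD RSV ATYP ADDR PORT
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(_read(conn, 4))
    elif atyp == ATYP_DOMAIN:
        host = _read(conn, _read(conn, 1)[0]).decode()
    else:
        conn.sendall(socks_reply(0x08))             # address type not supported
        conn.close()
        return
    (port,) = struct.unpack("!H", _read(conn, 2))
    if cmd != CMD_CONNECT:
        conn.sendall(socks_reply(0x07))             # command not supported
        conn.close()
        return
    try:                                            # the implant connects inward
        target = socket.create_connection((host, port), timeout=5)
    except OSError:
        conn.sendall(socks_reply(0x05))             # connection refused
        conn.close()
        return
    conn.sendall(socks_reply(0x00))                 # succeeded
    _pump(conn, target)


def operator_connect(conn: socket.socket, host: str, port: int) -> int:
    """Operator side: SOCKS5 *client* on the inbound connection. Returns REP code."""
    conn.sendall(bytes([SOCKS_VER, 1, 0x00]))       # offer 'no auth' only
    ver, method = _read(conn, 2)
    if ver != SOCKS_VER or method != 0x00:
        raise RuntimeError("implant rejected auth method")
    req = bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(host)])
    conn.sendall(req + host.encode() + struct.pack("!H", port))
    return _read(conn, 10)[1]


def demo_round_trip(payload: bytes = b"ping") -> bytes:
    """Loopback demo: operator <- (implant dials out) -> internal echo host."""
    echo_srv = socket.socket()                      # constructed stand-in for an internal host
    echo_srv.bind(("127.0.0.1", 0))
    echo_srv.listen(1)

    def echo():
        c, _ = echo_srv.accept()
        with c:
            while data := c.recv(4096):
                c.sendall(data)
    threading.Thread(target=echo, daemon=True).start()

    op_srv = socket.socket()                        # operator's listener
    op_srv.bind(("127.0.0.1", 0))
    op_srv.listen(1)
    implant_side = socket.create_connection(op_srv.getsockname())  # implant dials OUT
    op_side, _ = op_srv.accept()
    op_srv.close()
    op_side.settimeout(5)
    threading.Thread(target=implant_serve_socks, args=(implant_side,), daemon=True).start()

    if operator_connect(op_side, "127.0.0.1", echo_srv.getsockname()[1]) != 0x00:
        raise RuntimeError("CONNECT through implant failed")
    op_side.sendall(payload)
    echoed = _read(op_side, len(payload))
    op_side.close()
    return echoed


if __name__ == "__main__":
    print(demo_round_trip())
```

The point for defenders is the direction of the TCP handshake: the appliance is the client at the network layer and the server at the SOCKS layer, so egress filtering and long-lived outbound connections from appliances are where this shows up, not inbound connection logs.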
Once inside the victim environment, the threat actor spent time identifying web servers in the victim environment and making sure they found one that could access the Internet before copying REGEORG to it. They also took care in naming the file so that it matched the application running on the compromised server. Mandiant also observed instances of UNC3524 using timestomping [referring to a tool available here for deleting or modifying timestamp-related information on files] to alter the REGEORG web shell's Standard Information timestamps to match other files in the same directory.
One of the ways the hackers maintain a low profile is by using standard Windows protocols rather than malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on a remote system.
Ultimately, Quietexit serves its end goal: gaining access to the email accounts of executives and IT staff in the hope of obtaining documents related to things like corporate development, mergers and acquisitions, and large financial transactions.
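Because the timestomping described above only rewrites the $STANDARD_INFORMATION (SI) timestamps, the kernel-maintained $FILE_NAME (FN) timestamps remain a useful cross-check: user-mode APIs such as SetFileTime cannot reach them. The following is an added example written for this page, not Mandiant's tooling; the MFT records it examines are constructed sample data for an IIS application directory with one stomped web shell (the path `sync.aspx` and all timestamps are invented for illustration).

```python
"""Added example (not from Mandiant): flag timestomped files using NTFS MFT timestamps.

Timestomp tools rewrite $STANDARD_INFORMATION (SI) times, the ones Explorer shows.
$FILE_NAME (FN) times are set by the kernel on create/rename and are not exposed
through SetFileTime, so SI earlier than FN, or SI with a clean second boundary,
is a classic tell. All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class MftRecord:
    path: str
    si_created: datetime  # $STANDARD_INFORMATION creation time (user-modifiable)
    fn_created: datetime  # $FILE_NAME creation time (kernel-set, not via SetFileTime)


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (MFT FILETIMEs are UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed: three legitimate files from the 2019 deployment, one honest file added in
# 2021, and a web shell whose SI creation time was stomped to blend in with the 2019 files.
SAMPLE_DIR: List[MftRecord] = [
    MftRecord(r"C:\inetpub\wwwroot\app\global.asax", ts("2019-03-10T08:14:22.123456"), ts("2019-03-10T08:14:22.123456")),
    MftRecord(r"C:\inetpub\wwwroot\app\web.config",  ts("2019-03-10T08:14:23.654321"), ts("2019-03-10T08:14:23.654321")),
    MftRecord(r"C:\inetpub\wwwroot\app\default.aspx", ts("2019-03-10T08:14:25.111222"), ts("2019-03-10T08:14:25.111222")),
    MftRecord(r"C:\inetpub\wwwroot\app\app.js",      ts("2021-08-01T10:00:00.500000"), ts("2021-08-01T10:00:00.500000")),
    # The stomped shell: SI says March 2019 (to the whole second), FN says June 2021.
    MftRecord(r"C:\inetpub\wwwroot\app\sync.aspx",   ts("2019-03-10T08:14:24.000000"), ts("2021-06-02T03:41:17.778899")),
]


def timestomp_findings(rec: MftRecord) -> List[str]:
    """Per-file indicators that the SI creation time was altered after the fact."""
    findings = []
    if rec.si_created < rec.fn_created:
        findings.append("$SI created is earlier than $FN created")
    if rec.si_created.microsecond == 0 and rec.fn_created.microsecond != 0:
        findings.append("$SI created has zero sub-second part while $FN does not")
    return findings


def triage(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map path -> findings for every record that has at least one finding."""
    out = {}
    for rec in records:
        f = timestomp_findings(rec)
        if f:
            out[rec.path] = f
    return out


def si_outliers(records: List[MftRecord], tolerance_days: int = 30) -> List[str]:
    """The naive 'does it look like its neighbours' check using SI times only.

    A stomped shell passes this by design (that is what the attacker matched),
    so it finds the honest latecomer and misses the shell."""
    times = sorted(r.si_created for r in records)
    median = times[len(times) // 2]
    return [r.path for r in records if abs((r.si_created - median).days) > tolerance_days]


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_DIR).items():
        print(path, "->", "; ".join(findings))
    print("SI-only outliers:", si_outliers(SAMPLE_DIR))
```

The SI-versus-FN comparison is a triage lead, not proof: archive extractors and copy tools that deliberately restore original timestamps can also produce SI earlier than FN, so a hit is followed up by looking at what the file is and who wrote it.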
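WMI-based execution still leaves process-creation telemetry on the target even when no malware touches disk. The following is an added example for this page, not Mandiant's detection content: it classifies Sysmon-style process-creation events. Stock Impacket wmiexec.py launches each command as `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` under WmiPrvSE.exe; the page does not describe how UNC3524's customized build differs, so that redirect string is treated as high confidence only for the stock tool, and any shell spawned by WmiPrvSE.exe is flagged at lower confidence. The event records are constructed, including the hostnames, users, and command lines.

```python
"""Added example (not from Mandiant): classify process-creation events for WMI-driven
remote command execution. Events are constructed Sysmon-style records, not real logs."""
import json
import re
from typing import Dict, List, Optional

# Stock Impacket wmiexec.py output redirection, e.g.
#   1> \\127.0.0.1\ADMIN$\__1650000000.123 2>&1
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.IGNORECASE
)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    if _basename(event.get("ParentImage", "")) != "wmiprvse.exe":
        return None                      # WMI provider host is the parent for wmiexec-style runs
    cmd = event.get("CommandLine", "")
    if WMIEXEC_REDIRECT.search(cmd):
        return "high"                    # stock Impacket wmiexec fingerprint
    if _basename(event.get("Image", "")) in SHELLS:
        return "medium"                  # shell under WmiPrvSE.exe; customised tools land here
    return None


# Constructed sample events (Sysmon Event ID 1 fields, JSON one per line).
SAMPLE_EVENTS: List[str] = [
    r'{"Computer": "FS01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1650000000.123 2>&1"}',
    # Hypothetical customised variant: same parent, different output path.
    r'{"Computer": "FS01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"CommandLine": "cmd.exe /Q /c net group \"Domain Admins\" /domain 1> C:\\Windows\\Temp\\o.txt 2>&1"}',
    # Benign: an operator opening a shell from Explorer.
    r'{"Computer": "WS17", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}',
    # Benign (constructed): a non-shell child of WmiPrvSE.exe.
    r'{"Computer": "WS17", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", '
    r'"Image": "C:\\Program Files\\ExampleMon\\agent.exe", "CommandLine": "agent.exe --collect"}',
]


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over JSON event lines and return the hits with context."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        verdict = classify(ev)
        if verdict:
            hits.append({
                "confidence": verdict,
                "host": ev.get("Computer", ""),
                "user": ev.get("User", ""),
                "cmd": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['confidence']}] {hit['host']} {hit['user']}: {hit['cmd']}")
```

The parent-child rule is the durable part: a customized tool can change the output file name, but as long as it executes through Win32_Process.Create the child still hangs off WmiPrvSE.exe, so the medium-confidence hits are where a variant like UNC3524's would surface. Correlating with the source IP from WMI (DCOM) authentication events on the same host narrows them further.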
“Once UNC3524 successfully obtains privileged credentials to the victim’s mail environment, they begin making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” wrote the Mandiant researchers. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”