Cyberespionage Group Targeting M&A, Corporate Transactions Personnel

Security researchers at Mandiant are documenting the discovery of a new hacking group focused on cyberespionage targeting employees responsible for corporate development, large corporate transactions, and mergers and acquisitions.

Referred to as UNC3524 – Mandiant uses ‘UNC’ to track uncategorized hacking groups – the threat actor does not appear interested in immediate financial gain, given that it manages to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021.

Mandiant said the group managed to stay under the radar partly through the use of backdoors installed on appliances that do not support security tools, but it also displays a high level of operational security and evasive skills.

The group has a small malware footprint, has built a large Internet of Things (IoT) botnet, and shows a focus on maintaining persistent access to the target environments by employing various mechanisms to immediately re-compromise a network after being booted, Mandiant said in a report.

After gaining initial access to a network, the group was observed installing a novel backdoor called QUIETEXIT, built on the open-source Dropbear SSH client-server software, on appliances running older BSD or CentOS iterations. This has allowed the malicious file to remain undetected for more than 18 months.

“For their long-haul remote access, UNC3524 opted to deploy QUIETEXIT on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs), subsequently leaving the underlying operating systems to vendors to manage,” Mandiant added.

The researchers found that QUIETEXIT was designed in such a manner that it reverses the traditional client-server roles in an SSH connection: the client running on the infected system establishes a TCP connection and then performs the SSH server role.

“The QUIETEXIT component running on the threat actor’s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS,” Mandiant said.
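The role reversal described above leaves a protocol-level trace a defender can check for: in every standard SSH key exchange, message type 31 is sent only by the SSH server, so seeing it from the side that opened the TCP connection means the initiator is acting as the server. The following is an added example, not code from Mandiant or SecurityWeek; it assumes the unencrypted handshake bytes sent by the TCP initiator have already been captured, and the banners and sample streams are constructed.

```python
import struct

SSH_MSG_NEWKEYS = 21    # everything after this message is encrypted
SSH_MSG_KEX_REPLY = 31  # KEXDH_REPLY / KEX_ECDH_REPLY / KEX_DH_GEX_GROUP: server-sent only

def ssh_packet(msg_type, body=b""):
    """Build one unencrypted SSH binary packet (RFC 4253, section 6)."""
    payload = bytes([msg_type]) + body
    pad = 8 - (5 + len(payload)) % 8
    if pad < 4:                      # the RFC requires at least 4 padding bytes
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def plaintext_msg_types(stream):
    """Return (banner, [message types]) for one direction of an SSH stream."""
    pos = 0
    while True:                      # a server may send text lines before its banner
        end = stream.find(b"\n", pos)
        if end < 0:
            return None, []
        line, pos = stream[pos:end].rstrip(b"\r"), end + 1
        if line.startswith(b"SSH-"):
            break
    types = []
    while pos + 6 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        if length < 2 or length > 35000 or pos + 4 + length > len(stream):
            break                    # truncated or not an SSH packet
        types.append(stream[pos + 5])
        pos += 4 + length
        if types[-1] == SSH_MSG_NEWKEYS:
            break
    return line.decode("ascii", "replace"), types

def initiator_acts_as_server(initiator_bytes):
    """True when the side that opened the TCP connection sent a server-only KEX message."""
    banner, types = plaintext_msg_types(initiator_bytes)
    return banner is not None and SSH_MSG_KEX_REPLY in types

# Constructed sample streams: bytes sent by the TCP initiator in two sessions.
NORMAL = b"SSH-2.0-example_client\r\n" + ssh_packet(20, bytes(16)) + ssh_packet(30, bytes(36))
REVERSED = b"SSH-2.0-example_server\r\n" + ssh_packet(20, bytes(16)) + ssh_packet(31, bytes(36))

if __name__ == "__main__":
    for name, data in (("normal", NORMAL), ("reversed", REVERSED)):
        print(name, plaintext_msg_types(data), initiator_acts_as_server(data))
```

The check only works on traffic captured from the start of the session, since everything after the key exchange is encrypted.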

While QUIETEXIT has no persistence mechanism, UNC3524 would install a run command or hijack legitimate startup scripts to ensure the backdoor runs at system startup.

According to Mandiant, the observed QUIETEXIT command and control (C&C) servers use dynamic DNS providers, which allows the adversary to update the DNS records almost seamlessly.

In some instances, the threat actor deployed a secondary backdoor called REGEORG, a web shell designed to create a SOCKS proxy. Mandiant said the web shell was deployed on servers that had internet access, in a way that blended with legitimate applications (using specific names and even employing timestomping to match its timestamp with that of other files).

“UNC3524 only used these web shells when their QUIETEXIT backdoors stopped functioning and only to re-establish QUIETEXIT on another system in the network. UNC3524 used a still public but little-known version of the web shell that is heavily obfuscated. This allowed them to bypass common signature-based detections for REGEORG,” according to the Mandiant report.

To keep the malware footprint low, the attackers relied on built-in Windows protocols. Lateral movement was achieved through a customized version of Impacket’s WMIEXEC tool, which employs Windows Management Instrumentation to create a semi-interactive shell.

UNC3524 was observed employing privileged credentials to access the victim’s mail environment and target the mailboxes of executive teams and personnel in departments such as corporate development, IT security, or mergers and acquisitions.

The threat actor then moved to extract specific emails from the victim mailboxes, after getting a better understanding of those mailboxes – specifically, items created after the threat actor last accessed the mailbox were targeted for exfiltration.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
