Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Cloud Security

Cyberespionage Group Targeting M&A, Corporate Transactions Personnel

Security researchers at Mandiant are documenting the discovery of a new hacking group focused on cyberespionage targeting employees responsible for corporate development, large corporate transactions, and mergers and acquisitions.

Security researchers at Mandiant are documenting the discovery of a new hacking group focused on cyberespionage targeting employees responsible for corporate development, large corporate transactions, and mergers and acquisitions.

Referred to as UNC3524 – Mandiant uses ‘UNC’ to track uncategorized hacking groups – the threat actor does not appear interested in immediate financial gain, given that it manages to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021.

Mandiant said the group managed to stay under the radar partly through the use of backdoors installed on appliances that do not support security tools, but also displays a high level of operational security and evasive skills.

The group has a small malware footprint, has built a large Internet of Things (IoT) botnet, and shows a focus on maintaining persistent access to the target environments by employing various mechanisms to immediately re-compromise a network after being booted, Mandiant said in a report.

After gaining initial access to a network, the group was observed installing a novel backdoor called QUIETXIT that was built on open-source Dropbear SSH client-server software – on appliances running older BSD or CentOS iterations.  This has allowed the malicious file to remain undetected for more than 18 months.

[ READ: Mandiant: Attacker Dwell Times Down, But No Correlation to Breach Impact ]

“For their long-haul remote access, UNC3524 opted to deploy QUIETEXIT on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs), subsequently leaving the underlying operating systems to vendors to manage,” Mandiant added.

Advertisement. Scroll to continue reading.

The researchers found that QUIETEXIT was designed in such a manner that it reverses the traditional client-server roles in an SSH connection: the client running on the infected system establishes a TCP connection and then performs the SSH server role.

“The QUIETEXIT component running on the threat actor’s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS,” Mandiant said.

While QUIETEXIT has no persistence mechanism, UNC3524 would install a run command or hijack legitimate startup scripts to ensure the backdoor runs at system startup.

According to Mandiant, the observed QUIETEXIT command and control (C&C) servers use dynamic DNS providers, which allows the adversary to update the DNS records almost seamlessly.

In some instances, the threat actor deployed a secondary backdoor called REGEORG, a web shell designed to create a SOCKS proxy.  Mandiant said the web shell was deployed on severs that had internet access in a manner that it would blend with legitimate applications (using specific names and even employing timestomping to match its timestamp with that of other files).

“UNC3452 only used these web shells when their QUIETEXIT backdoors stopped functioning and only to re-establish QUIETEXIT on another system in the network. UNC3452 used a still public but little-known version of the web shell that is heavily obfuscated. This allowed them to bypass common signature-based detections for REGEORG,” according to the Mandiant report.

To keep the malware footprint low, the attackers relied on built-in Windows protocols. Lateral movement was obtained through a customized version of Impacket’s WMIEXEC tool, which employs Windows Management Instrumentation to create a semi-interactive shell.

UNC3524 was observed employing privileged credentials to access the victim’s mail environment and target the mailboxes of executive teams and personnel in departments such as corporate development, IT security, or mergers and acquisitions.

The threat actor then moved to extract specific emails from the victim mailboxes, after getting a better understanding of those mailboxes – specifically, items created after the threat actor last accessed the mailbox were targeted for exfiltration.

Related: Chinese Cyberspies Seen Using macOS Variant of ‘Gimmick’ Malware

Related: FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels

Related: Cyberespionage Implant Delivered via Targeted Government DNS Hijacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...