Security firm Mandiant has released details about a threat actor it has named UNC3524, which infiltrates Windows environments, resides in them for long periods and collects email in bulk. Its backdoor, named QUIETEXIT, is based on the Dropbear SSH client-server software, which is generally used on devices with little memory and processing power.
The company said in a blog post on Monday that how the actor first gained access to victim systems was unknown. The backdoored systems themselves were characterised as “opaque network appliances”, such as SAN arrays, load balancers or wireless access point controllers.
Such devices do not support anti-virus programs or endpoint detection and response tools and often run older versions of one of the BSDs or CentOS.
“By targeting trusted systems within victim environments that do not support any type of security tooling, UNC3524 was able to remain undetected in victim environments for at least 18 months,” Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan and Chris Gardner wrote.
The QUIETEXIT component on a compromised host initiated an outbound TCP connection to the threat actor’s server and, once connected, took the role of the SSH server; the component running on the threat actor’s infrastructure acted as the SSH client and sent a password to authenticate the SSH connection.
“Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS,” the researchers noted.
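Because the backdoor dials out and only then behaves as an SSH server, rules that watch for inbound SSH on appliances never fire; the signal is a long-lived outbound session from a management appliance to an address outside the organisation, often with SSH spoken on a non-standard port. The following detection is an added example of mine, not code from Mandiant or the article: it runs over constructed Zeek-style conn.log records, and the appliance subnets, addresses and duration threshold are assumptions.

```python
"""Flag candidate outbound reverse-SSH sessions from 'opaque' appliances.

The records below are constructed to resemble Zeek conn.log fields; they are
not real telemetry. Subnets, addresses and thresholds are assumptions.
"""
from ipaddress import ip_address, ip_network

# Assumption: VLANs where SAN controllers, load balancers and WLCs live.
APPLIANCE_NETS = [ip_network("10.20.0.0/24"), ip_network("10.21.0.0/24")]
# RFC 1918 space counts as internal; everything else is treated as external
# (so documentation ranges used in the sample below register as external).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
LONG_LIVED_SECONDS = 6 * 3600  # a session held open for hours is the tell


def _conn(ts, orig, resp, port, service, duration):
    return {"ts": ts, "id.orig_h": orig, "id.resp_h": resp, "id.resp_p": port,
            "proto": "tcp", "service": service, "duration": duration}


# Constructed sample: two appliances hold sessions to the same external node.
SAMPLE_CONN_LOG = [
    _conn("2022-05-02T09:00:00Z", "10.20.0.15", "10.0.0.5", 443, "ssl", 2.1),
    _conn("2022-05-02T09:00:03Z", "10.20.0.15", "203.0.113.44", 8080, "ssh", 31_000.0),
    _conn("2022-05-02T09:05:00Z", "10.50.1.2", "198.51.100.9", 22, "ssh", 40.0),
    _conn("2022-05-02T09:06:00Z", "10.21.0.7", "203.0.113.44", 8080, "ssh", 50_000.0),
    _conn("2022-05-02T09:07:00Z", "10.20.0.16", "192.0.2.77", 443, "ssh", 29_000.0),
    _conn("2022-05-02T09:08:00Z", "10.21.0.7", "198.51.100.9", 22, "ssh", 40.0),
]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_appliance(addr):
    ip = ip_address(addr)
    return any(ip in net for net in APPLIANCE_NETS)


def flag_reverse_ssh(records, min_duration=LONG_LIVED_SECONDS):
    """Return connections where an appliance opened an SSH session outward
    and kept it up for at least `min_duration` seconds.

    Zeek derives `service` from the banner exchange, so 'ssh' on a port other
    than 22 is a stronger hint than the port number alone.
    """
    hits = []
    for rec in records:
        if rec["proto"] != "tcp" or rec["service"] != "ssh":
            continue
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        if not (is_appliance(src) and not is_internal(dst)):
            continue
        if rec["duration"] < min_duration:
            continue
        port = rec["id.resp_p"]
        hits.append({"ts": rec["ts"], "src": src, "dst": dst, "dport": port,
                     "duration_h": round(rec["duration"] / 3600, 1),
                     "note": "ssh on non-standard port" if port != 22 else "ssh"})
    return hits


def shared_destinations(hits):
    """Group hits by external destination: one node serving several
    appliances is how a small C2 pool shows up."""
    by_dst = {}
    for h in hits:
        by_dst.setdefault(h["dst"], set()).add(h["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    for h in flag_reverse_ssh(SAMPLE_CONN_LOG):
        print(h)
    print(shared_destinations(flag_reverse_ssh(SAMPLE_CONN_LOG)))
```

The duration threshold is the knob to tune: the same function with a low `min_duration` surfaces short sessions too, which is useful when hunting rather than alerting. The corresponding mitigation is egress filtering from appliance VLANs, since nothing on these devices will block the connection locally.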
“QUIETEXIT has no persistence mechanism; however, we have observed UNC3524 install a run command (rc) as well as hijack legitimate application-specific start-up scripts to enable the backdoor to execute on system start-up.”
Once QUIETEXIT starts, it tries to change its process name to cron so as to pass unnoticed, but this fails because the renaming was not coded correctly. “During our incident response investigations, we recovered QUIETEXIT samples that were renamed to blend in with other legitimate files on the filesystem,” the researchers wrote.
“In one case, with an infected node of a NAS array, UNC3524 named the binary to blend in with a suite of scripts used to mount various filesystems to the NAS.”
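On appliances that cannot run EDR, the practical control against hijacked start-up scripts and renamed binaries is a file-integrity baseline of the rc and application start-up scripts, taken when the device is commissioned and diffed on a schedule. The example below is mine, added here and not code from Mandiant or any vendor; the script paths and contents are constructed to show what a spliced-in launch line looks like against its baseline.

```python
"""Baseline-diff start-up scripts on appliances that cannot run EDR.

The script contents are constructed for this example and are not from any
real device; paths and the injected lines are assumptions.
"""
import difflib
import hashlib


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "known-good" copy taken at commissioning time.
BASELINE = {
    "/etc/rc.d/mount_volumes.sh": "#!/bin/sh\n# mount exported volumes\nmount -a\nexit 0\n",
    "/etc/rc.d/httpd.sh": "#!/bin/sh\n/usr/sbin/httpd -f /etc/httpd.conf\n",
}

# Constructed "current" copy: one legitimate script gained a line that starts
# an extra daemon, and a new script appeared that backgrounds a binary named cron.
CURRENT = {
    "/etc/rc.d/mount_volumes.sh": "#!/bin/sh\n# mount exported volumes\nmount -a\n/opt/nas/scripts/mount_helper.sh &\nexit 0\n",
    "/etc/rc.d/httpd.sh": "#!/bin/sh\n/usr/sbin/httpd -f /etc/httpd.conf\n",
    "/etc/rc.d/zz_local.sh": "#!/bin/sh\n/var/tmp/cron &\n",
}


def diff_startup_scripts(baseline, current):
    """Compare current script contents against the baseline.

    Returns one finding per changed, new or missing script; for changed and
    new scripts the finding lists the non-comment lines that were added.
    """
    findings = []
    for path, text in sorted(current.items()):
        if path not in baseline:
            added = [l for l in text.splitlines() if l and not l.startswith("#")]
            findings.append({"path": path, "kind": "new_script", "added": added})
            continue
        if sha256(text) == sha256(baseline[path]):
            continue
        # n=0 keeps only changed hunks; '+' lines (excluding the '+++' header) are additions.
        diff = difflib.unified_diff(baseline[path].splitlines(), text.splitlines(),
                                    lineterm="", n=0)
        added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
        findings.append({"path": path, "kind": "modified", "added": added})
    for path in sorted(set(baseline) - set(current)):
        findings.append({"path": path, "kind": "missing", "added": []})
    return findings


if __name__ == "__main__":
    for f in diff_startup_scripts(BASELINE, CURRENT):
        print(f)
```

The baseline itself must live off the device (a renamed binary that blends in with the NAS mount scripts will happily sit next to a baseline stored beside it), and the executables the scripts launch should be hashed the same way, since a modified start-up line is only one of the two things the researchers describe.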
In some cases, the threat actor used an alternate backdoor, a REGEORG web shell, that creates a SOCKS proxy, in keeping with UNC3524’s preference for tunnelling malware.
Lateral movement within victim networks was carried out over Windows protocols. “Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, it began making Exchange Web Services API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the post said.
“In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing its attention on executive teams and employees who work in corporate development, mergers and acquisitions, or IT security staff.”
The command and control systems for QUIETEXIT were mainly legacy conference room camera systems sold by LifeSize and, in one instance, a D-Link IP camera.
“These cameras were directly Internet exposed, possibly through an improper UPnP configuration, and may have been running older firmware,” the Mandiant team said.
“Mandiant suspects that default credentials, rather than an exploit, were the likely mechanism used to compromise these devices and form the IoT botnet used by UNC3524.
“Similar to the use of embedded network devices, UNC3524 can avoid detection by operating from compromised infrastructure connected directly to the public Internet such as IP cameras where typical anti-virus and security monitoring may be absent.”