[MART] - Daily Diary #503 - Meet UNC3524, A New Threat Actor Group

CTAS-MAT ctas-mat at appgate.com
Wed May 4 21:30:10 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/04/2022 - Diary entry #503:

A newly identified threat actor group with espionage objectives was recently reported. Active since late 2019, UNC3524 has been targeting the mailboxes of individuals at victim organizations, using tooling built for bulk email collection. UNC3524 focuses on compromising devices that do not support security tools such as anti-virus or endpoint protection, which allowed it to remain undetected for at least 18 months.

After compromising network appliances such as SAN arrays, load balancers, and wireless access point controllers, UNC3524 deploys a backdoor tracked as QUIETEXIT, built on the open-source Dropbear SSH client/server software. Once executed, QUIETEXIT connects outbound to the threat actors' infrastructure and then reverses the traditional SSH roles over that tunnel: the attacker side acts as the SSH client and QUIETEXIT acts as the SSH server. Because the connection is initiated from the compromised appliance, it blends in with the device's ordinary outbound traffic while still giving the operators an interactive session on it.

QUIETEXIT accepts command-line arguments that override the C2 address and port hardcoded in the binary. As a fallback in case QUIETEXIT fails, UNC3524 also deploys a secondary backdoor, a web shell known as REGEORG. Both backdoors are given file names that blend in with the applications running on the compromised host, and their timestamps are modified to match those of the other files in the same directory (timestomping).
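The timestomping described above leaves a trace that a responder can hunt for on Linux-based appliances: utimes()/utimensat() (what `touch -r` and `os.utime` use) let an attacker set any mtime, but the kernel always stamps ctime (inode change time) with the current clock and exposes no API to set it. The script below is an added example, not code from this diary entry or from the Mandiant report; it builds a constructed sample directory (the file names, the one-year backdating and the `run_demo` helper are all hypothetical) and flags files whose mtime is far older than their ctime.

```python
import os
import tempfile
import time
from pathlib import Path


def find_backdated_files(directory, tolerance_seconds=60):
    """Flag regular files whose mtime is older than their ctime by more than
    tolerance_seconds.

    A file whose mtime was copied from a neighbour to blend in keeps a ctime
    that records when it was actually written or retimed, so a large
    ctime - mtime gap is a timestomping indicator on Linux/Unix.
    Caveat: on Windows st_ctime is the creation time, so this logic does not
    apply there.
    """
    hits = []
    for path in sorted(Path(directory).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        gap = st.st_ctime - st.st_mtime
        if gap > tolerance_seconds:
            hits.append({"path": str(path), "mtime": st.st_mtime,
                         "ctime": st.st_ctime, "gap_seconds": gap})
    return hits


def build_demo_tree(base):
    """Constructed sample (hypothetical, not from the report): a fake appliance
    web root with legitimate files written now, plus a dropped file whose name
    mimics its neighbour and whose mtime is then backdated attacker-style."""
    base = Path(base)
    (base / "cgi-bin").mkdir()
    (base / "cgi-bin" / "status.cgi").write_text("#!/bin/sh\necho ok\n")
    (base / "index.html").write_text("<html>appliance</html>\n")

    # Attacker-style drop: the name blends in with the legitimate CGI beside it.
    dropped = base / "cgi-bin" / "status_check.cgi"
    dropped.write_text("#!/bin/sh\n# placeholder body, not a real web shell\n")
    # Timestomp: set atime/mtime one year into the past; ctime stays 'now'.
    one_year_ago = time.time() - 365 * 86400
    os.utime(dropped, (one_year_ago, one_year_ago))
    return str(dropped)


def run_demo(tolerance_seconds=60):
    """Build the sample tree in a temp dir, run the check, return the findings."""
    base = tempfile.mkdtemp(prefix="timestomp_demo_")
    dropped = build_demo_tree(base)
    hits = find_backdated_files(base, tolerance_seconds)
    return {"base": base, "dropped": dropped, "hits": hits}


if __name__ == "__main__":
    result = run_demo()
    for hit in result["hits"]:
        print(f"{hit['path']}: mtime is {hit['gap_seconds'] / 86400:.0f} days "
              f"older than ctime -> possible timestomp")
```

Treat the output as a triage signal, not proof: `cp -p`, `rsync -a`, `tar -x` and package managers also preserve mtime and will produce the same gap on legitimate files, and an attacker with root on an appliance whose clock can be changed, or who writes the inode directly, can defeat the check. Corroborate hits by clustering on ctime (a dropped backdoor's ctime is usually an outlier in an otherwise untouched directory) and by diffing the file list against a known-good firmware image.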

UNC3524 has shown itself to be a highly advanced and persistent threat, targeting devices that cannot run security solutions and that span several different operating systems. Supporting such a variety of targets is demanding, since it requires crafting tooling that runs on each of those devices, but it clearly helps the threat actors stay stealthy throughout their operations.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

