It’s not the kind of security discovery that happens often. A previously unknown group of hackers used a novel backdoor, top-notch craft and software engineering to create an espionage botnet that was largely invisible in many victim networks.
The group, which security firm Mandiant calls UNC3524, has spent the past 18 months poking into victims’ networks with unusual stealth. In cases where the group is kicked out, it wastes no time re-infecting the victim’s environment and picking up where it left off. There are many keys to your stealth, including:
- Using a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection difficult through traditional means.
- Customized versions of the backdoor that use similar filenames and creation dates to legitimate files used on a specific infected device.
- A live off the ground approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
- An unusual way in which a second-stage backdoor connects to attacker-controlled infrastructure, essentially acting as a TLS-encrypted server transmitting data over the network. Protocol SOCKS.
A tunnel fetish with SOCKS
in a mailMandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, and Chris Gardner wrote:
Throughout its operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the blind spots of the victim’s environment, including servers running rare versions of Linux and network devices running opaque operating systems. These appliances and devices were running versions of operating systems that were not supported by agent-based security tools and often had an expected level of network traffic that allowed attackers to go unnoticed. off the ground, without the need to bring additional tools, further reducing the chance of detection. This allowed UNC3524 to remain undetected in victims’ environments for, in some cases, more than 18 months.
The SOCKS tunnel allowed the hackers to effectively connect their control servers to the victim’s network, where they were then able to run tools without leaving a trace on any of the victim’s computers.
A secondary backdoor provided an alternative means of access to infected networks. It was based on a version of the legitimate regeorg webshell that had been heavily obfuscated to make detection difficult. The threat actor used it in case the main backdoor stopped working. The researchers explained:
Once inside the victim’s environment, the threat actor spent time identifying the web servers in the victim’s environment and making sure to find one that was accessible over the Internet before copying REGEORG to it. They also took care to name the file so that it would blend in with the application running on the compromised server. Mandiant also noted instances where UNC3452 used time jumps [referring to a tool available here for deleting or modifying timestamp-related information on files] to modify the REGEORG web shell’s standard information timestamps to match other files in the same directory.
One of the ways hackers keep a low profile is by favoring standard Windows protocols over malware to move laterally. To pass to the systems of interest, UNC3524 used a custom version of WMIEXECa tool that is used by Windows Management Instrumentation to establish a shell on the remote system.
Eventually, Quietexit executes its ultimate goal: accessing email accounts of IT executives and staff in hopes of obtaining documents related to things like corporate development, mergers and acquisitions, and large financial transactions.
“Once UNC3524 successfully obtained privileged credentials for the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the researchers wrote. Mandiant. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes…”