UNC3524 APT Has Got Backdoors, Persistency Tactics Under Its Sleeves

APT groups have evolved their tradecraft and become stealthier than ever in pursuit of their missions. Mandiant researchers recently discovered one such espionage group, UNC3524, which shows sophisticated operational security, a highly functional malware set, a low malware footprint, and a longer dwell time.

UNC3524’s TTPs

Mandiant researchers noted that UNC3524’s intrusion methodologies overlap with techniques used by several Russia-based espionage threat actors, including APT28 and APT29.
  • After gaining initial access to the target systems, in most cases, UNC3524 deploys QUIETEXIT, a novel backdoor based on the open-source Dropbear SSH client-server software.
  • If a QUIETEXIT backdoor stops functioning, UNC3524 re-establishes it on another system in the network using a little-known, heavily obfuscated public version of the REGEORG web shell.
  • UNC3524 relies on built-in Windows protocols, QUIETEXIT tunneler, and Exchange Web Services (EWS) APIs. 

Once authenticated to the Exchange infrastructure, UNC3524 targets a subset of mailboxes, focusing its attention on executive teams and employees, or on IT security staff, to extract the entire contents over a particular date range.
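For defenders, the mailbox-collection pattern described above can be hunted for as one identity reading large volumes from several mailboxes it does not own over EWS. The following is an added example, not code from Mandiant or the original article; the record fields (`actor`, `mailbox`, `client`, `items`), the sample events, and the thresholds are constructed assumptions that would need mapping to your own mailbox audit data.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical, simplified schema
# (not a real Exchange log format):
#   actor   = authenticated identity
#   mailbox = mailbox that was accessed
#   client  = access protocol
#   items   = number of items read in that session
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "mailbox": "alice@example.com", "client": "EWS", "items": 40},
    {"actor": "svc-backup@example.com", "mailbox": "ceo@example.com", "client": "EWS", "items": 2600},
    {"actor": "svc-backup@example.com", "mailbox": "ceo@example.com", "client": "EWS", "items": 2600},
    {"actor": "svc-backup@example.com", "mailbox": "cfo@example.com", "client": "EWS", "items": 4100},
    {"actor": "svc-backup@example.com", "mailbox": "secops@example.com", "client": "EWS", "items": 3900},
    {"actor": "bob@example.com", "mailbox": "team-shared@example.com", "client": "EWS", "items": 12},
    {"actor": "carol@example.com", "mailbox": "ceo@example.com", "client": "OWA", "items": 9000},
]


def flag_bulk_ews_readers(events, min_mailboxes=3, min_items=1000):
    """Return {actor: [mailboxes]} for identities that bulk-read several
    mailboxes they do not own over EWS."""
    totals = defaultdict(int)
    for ev in events:
        actor, mailbox = ev["actor"].lower(), ev["mailbox"].lower()
        # Ignore other protocols and owners reading their own mailbox.
        if ev["client"] != "EWS" or actor == mailbox:
            continue
        totals[(actor, mailbox)] += ev["items"]  # sum across sessions

    flagged = defaultdict(list)
    for (actor, mailbox), items in totals.items():
        if items >= min_items:  # drop small delegate-style reads
            flagged[actor].append(mailbox)

    # Only report identities that hit several mailboxes this way.
    return {a: sorted(m) for a, m in flagged.items() if len(m) >= min_mailboxes}


if __name__ == "__main__":
    for actor, boxes in flag_bulk_ews_readers(SAMPLE_EVENTS).items():
        print(f"{actor}: bulk EWS reads of {len(boxes)} non-owned mailboxes: {', '.join(boxes)}")
```

Legitimate backup, archiving, or eDiscovery service accounts will match the same pattern, so results need an allowlist and review rather than automatic blocking.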

UNC3524’s attack strategy

The experts noted that UNC3524 has been persistently targeting the emails of corporate employees who focus on development, mergers and acquisitions, and large transactions, with financial motivation.
  • UNC3524 deploys backdoors on unsecured, unmonitored, opaque systems running older versions of BSD or CentOS, so that it can remain undetected in victim environments for a longer time (at least 18 months).
  • UNC3524 mostly infected IP cameras sold by LifeSize, Inc., and D-Link, which are directly internet-exposed or may have been running older firmware or using default credentials.
  • To maintain persistence, if a victim removes the group’s access, UNC3524 immediately re-compromises the environment with a variety of mechanisms and restarts its data theft campaign.

Conclusion

UNC3524, by means of various attack tactics, including immediate persistence, multiple backdoors, furtive evasive skills, and well-planned strategies, has established itself as an advanced persistent threat. With larger success rates in such operations, more hackers will increase their investment in tools to facilitate bulk email collection from victim environments.

Cyware Publisher