QUIETCANARY

Malware updated 7 months ago (2024-05-04T20:24:59.507Z)

Download STIX

Preview STIX

Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjunction with another malware called Kopiluwak. Quietcanary is proxy-aware and uses the System.Net.HttpWebRequest class to identify any default proxy specified on the victim's computer. All communications between Quietcanary and its command and control server (C2) are encrypted using RC4 and then encoded using Base-64. The malware operates by handling various command codes sent from the C2, which it separates into two categories: fast commands and long commands. Some of these commands include ClearCommand, KillCommand, ExeCommand, TimeoutCommand, UploadCommand, and DownloadCommand. Each command has a specific function, ranging from aborting current command execution and starting a new one, to executing a command with arguments or uploading a command to a given path. Quietcanary can parse multiple commands in a single response from the C2, demonstrating its sophisticated design and functionality. Despite its complex operations, there are some aspects of Quietcanary that remain unused or unclear. For example, an unused class named ServerInfoExtractor was found in the analyzed sample, suggesting potential additional functionalities that might not have been activated or used in this instance. Furthermore, certain configuration values within the malware are assumed to be set by methods outside the malware itself, as no code setting these values is present within the Quietcanary sample. This hints at the possibility of external tools or processes being used in conjunction with the malware during an attack.

Description last updated: 2024-05-04T16:46:35.941Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Tunnus is a possible alias for QUIETCANARY. Tunnus is a type of malware, or malicious software, that has been identified as potentially harmful to computer systems and devices. Identified by the SHA-256 hash 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758, Tunnus uses the same RC4 implementation as TunnusSched and Topinambour	2
Unc4210 is a possible alias for QUIETCANARY. UNC4210 is a malicious software (malware) discovered by Mandiant in September 2022, suspected to be an operation of the Turla Team. This malware was identified as it re-registered three expired ANDROMEDA command and control (C2) domains and began selectively deploying KOPILUWAK and QUIETCANARY to vi	2
Tomiris is a possible alias for QUIETCANARY. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The KOPILUWAK Malware is associated with QUIETCANARY. KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX	Unspecified	3

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Turla Threat Actor is associated with QUIETCANARY. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	Unspecified	2

Source Document References

Information about the QUIETCANARY Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	a year ago	Turla: A Galaxy of Opportunity
CERT-EU	2 years ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back
Unit42	a year ago	Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU	2 years ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU	2 years ago	APT trends report Q1 2023 - GIXtools
CERT-EU	2 years ago	Crooks show they don't need ChatGPT to scam victims
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	IT threat evolution Q2 2023
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back - GIXtools
CERT-EU	2 years ago	APT trends report Q1 2023