QUIETEXIT

Malware Profile Updated 2 months ago
QUIETEXIT is a novel backdoor deployed by the threat group UNC3524, primarily for long-haul remote access. It is installed on opaque network appliances within the victim environment, such as SAN arrays, load balancers, and wireless access point controllers, turning those devices into backdoors. Mandiant tracks the backdoor, which is based on the open-source Dropbear SSH client-server software. The malware initiates an SSH connection from the threat actor's infrastructure and sends a password for authentication. On startup, QUIETEXIT attempts to rename its process to 'cron', but because of a flaw in the malware author's implementation this renaming fails.

QUIETEXIT has no built-in persistence mechanism. UNC3524 has nonetheless maintained presence on compromised systems by installing run commands (rc) and hijacking legitimate application-specific startup scripts so that the backdoor executes on system startup. Using the QUIETEXIT tunneler allowed the threat actor to live off the land, reducing the need for additional tools and therefore lowering detection opportunities.

For lateral movement to systems of interest, UNC3524 used a customized version of Impacket's WMIEXEC, which uses Windows Management Instrumentation to establish a semi-interactive shell on a remote host. Mandiant has published remediation and hardening strategies and recommends hunting for QUIETEXIT on devices using the grep commands it provides.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
UNC3524 | 1 | UNC3524, also known as Cranefly, is a newly identified threat actor suspected of espionage activities. This group primarily targets corporate emails, focusing on employees involved in corporate development, mergers and acquisitions, and large corporate transactions. UNC3524 has demonstrated serious
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Github
Mandiant
Backdoor
Malware
Windows
Lateral Move...
Microsoft
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Regeorg | Unspecified | 1 | Regeorg is a threat actor known for its malicious activities in the cyber landscape. Notably, operators of LuckyMouse initiated an attack by dropping the Nbtscan tool in C:\programdata\, followed by installing a variant of the ReGeorg webshell and issuing a GET request using curl. They then tried to
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the QUIETEXIT malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 7 months ago | UNC3524: Eye Spy on Your Email