QUIETEXIT is a novel backdoor deployed by the threat group UNC3524 for long-haul remote access. UNC3524 installs it on opaque network appliances in the victim environment that typically cannot run endpoint detection tooling, such as SAN arrays, load balancers and wireless access point controllers, turning them into durable footholds. QUIETEXIT is based on the open-source Dropbear SSH client/server software, with the usual roles reversed: the backdoor initiates an outbound TCP connection to the threat actor's infrastructure, after which the actor's side acts as the SSH client and authenticates to the backdoor with a password, while the backdoor acts as the SSH server. The actor gets a full SSH session, including tunneling, without the appliance ever listening on a new port.
Mandiant tracks the backdoor as QUIETEXIT. On startup it attempts to rename its process to 'cron', but a flaw in the malware author's implementation means the rename fails. QUIETEXIT has no built-in persistence mechanism; instead UNC3524 installed run commands (rc) and hijacked legitimate application-specific startup scripts on the appliances so that the backdoor is launched at boot.
Because QUIETEXIT is an SSH tunneler, UNC3524 could route traffic through the compromised appliances and otherwise live off the land, which reduced the need for additional tooling and therefore the opportunities for detection. For lateral movement to systems of interest, UNC3524 used a customized version of Impacket's WMIEXEC, which uses Windows Management Instrumentation (WMI) to establish a semi-interactive shell on a remote host. Mandiant has published remediation and hardening guidance and recommends hunting for QUIETEXIT on appliances using the grep commands it provides.
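As an added example, not code from this page or from Mandiant's report: a small Python hunt over flow records that flags the pattern described above, an inventoried appliance (SAN array, load balancer, wireless controller) initiating a session to an address outside the internal ranges, and additionally marks sessions that are long-lived. The flow record format, the sample records, the appliance inventory, the internal address ranges and the six-hour long-haul threshold are all constructed assumptions for this example.

```python
"""Hunt for appliance-initiated egress sessions (added example, constructed data).

Assumptions: flow records are whitespace-separated lines of the form
    ts src dst dport proto duration_seconds
(a constructed format, not any collector's native export), the appliance
inventory and internal prefixes below are illustrative, and six hours is
an arbitrary threshold for "long-haul" access.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Internal address space for the constructed environment (adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed inventory: hosts that should never initiate Internet-bound sessions.
APPLIANCES = {
    "10.20.0.5": "san-array-01",
    "10.20.0.9": "lb-01",
    "10.20.0.14": "wlc-01",
}

LONG_HAUL_SECONDS = 6 * 3600  # assumption: sessions at least this long are "long-haul"


@dataclass(frozen=True)
class Finding:
    host: str
    src: str
    dst: str
    dport: int
    duration: float
    reasons: Tuple[str, ...]


def is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow line into a dict with typed fields."""
    ts, src, dst, dport, proto, duration = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "duration": float(duration)}


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Return findings for inventoried appliances that initiated external sessions."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank and comment lines
        f = parse_flow(line)
        host = APPLIANCES.get(f["src"])
        if host is None or not is_external(f["dst"]):
            continue  # not an appliance, or destination is internal
        reasons = ["appliance-initiated session to external address"]
        if f["duration"] >= LONG_HAUL_SECONDS:
            reasons.append("long-lived session")
        findings.append(Finding(host, f["src"], f["dst"], f["dport"],
                                f["duration"], tuple(reasons)))
    return findings


# Constructed sample records, not a real capture.
SAMPLE_FLOWS = """\
# ts src dst dport proto duration_seconds
1700000000 10.20.0.5 10.20.0.100 443 tcp 12
1700000100 10.20.0.9 203.0.113.45 443 tcp 25200
1700000200 10.20.1.50 198.51.100.7 22 tcp 30000
1700000300 10.20.0.14 198.51.100.7 8443 tcp 90
1700000400 10.20.0.5 172.16.4.2 22 tcp 36000
""".splitlines()


def main() -> None:
    for fnd in hunt(SAMPLE_FLOWS):
        print(f"{fnd.host} ({fnd.src}) -> {fnd.dst}:{fnd.dport} "
              f"{fnd.duration:.0f}s: {'; '.join(fnd.reasons)}")


if __name__ == "__main__":
    main()
```

Against the constructed records this reports the load balancer's seven-hour session to 203.0.113.45 and the wireless controller's short session to 198.51.100.7; the workstation's long external SSH session is ignored because it is not in the appliance inventory, and the SAN array's session to 172.16.4.2 is internal. In practice the inventory comes from the CMDB and the records from your flow collector; the point of the check is that this class of device should have no Internet egress at all, so any hit is a reason to pull the device's rc entries and startup scripts.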
Description last updated: 2023-12-20T16:44:53.447Z