An eminently sophisticated and stealthy APT group is going after specific corporate email accounts and has, on occasion, managed to remain undetected in victim environments for at least 18 months.
Catalogued as UNC3524 by Mandiant, the threat actor is also extremely adept at re-gaining access to a victim environment when booted out, “re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign.”
The APT and its route to corporate email
UNC3524 is mostly after emails and their contents, particularly those of employees that focus on corporate development, mergers and acquisitions, large corporate transactions, and IT security staff (the latter, most likely, to determine if their operation had been detected).
How the group gains initial access is unknown, but it then uses the QUIETEXIT backdoor on devices such as SAN and NAS arrays, load balancers, and wireless access point controllers – devices unequipped with antivirus or EDR tools – or, alternatively, a heavily obfuscated version of the REGEORG web shell, which it places on an internet-accessible DMZ web server.
“QUIETEXIT supports the full functionality of SSH, and our observation is consistent with UNC3524 using it to establish a SOCKS tunnel into the victim environments. By standing up a SOCKS tunnel, the threat actor effectively plugs in their machine to an ethernet jack within the victim’s network. By tunneling over SOCKS, the threat actor can execute tools to steal data from their own computer, leaving no traces of the tooling itself on victim computers,” Mandiant researchers shared.
The group uses a customized version of Impacket’s WMIEXEC for lateral movement and the built-in reg save command to save registry hives and extract LSA secrets offline.
After discovering privileged credentials to the victim’s mail environment, they start making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment, to extract mail items from specific mailboxes.
A sophisticated threat actor
“Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate,” the researchers noted.
“The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in.”
The QUIETEXIT tunneler also allowed them to live-off-the-land, thereby reducing the opportunity for detection. Their C2 systems were traced back primarily to legacy conference room camera systems, which were likely compromised via default crendentials. Specific C2 domains were used to make C2 traffic blend in and appear legitimate.
Though UNC3524’s motivation seems financial, their ability to remain undetected for so long suggest their ultimate goal is protracted cyber espionage.
The researchers did not say what type of organizations and in what sectors have been compromised by the group, but they have provided defenders with threat hunting and remediation pointers, indicators of compromise and YARA signatures to broadly capture suspicious files.