The APT group UNC3524 has upgraded their attack tactics

May 18, 2022

Several advanced persistent threat groups, UNC3524 among them, have upgraded their TTPs to stay hidden from their targets for longer. Researchers have recently found that this espionage group combines careful operational security, a low malware footprint, long-term persistence and a highly functional malware set.

The breach mechanics of UNC3524 are similar to the methodologies used by the Russian-speaking threat groups APT29 and APT28. The researchers noted that in most cases, UNC3524 deploys QUIETEXIT after gaining access to the target's system. QUIETEXIT is a novel backdoor based on the open-source Dropbear SSH client-server software.

Moreover, if the backdoor stops working, the threat actors re-establish it on another system in the network. The espionage group also utilises a public version of the REGEORG web shell, which is highly sophisticated.

UNC3524 also relies heavily on default Windows protocols, the Exchange Web Services (EWS) APIs and the QUIETEXIT tunneler. Once authenticated to the Exchange infrastructure, its operators target the mailboxes of executive teams and other employees and exfiltrate their contents for a particular date range.

Cybersecurity experts found that UNC3524 has targeted employee emails at organisations focused on corporate development, the financial sector, and mergers and acquisitions.

UNC3524 deploys its backdoors on unsecured and unmonitored opaque network appliances that still run older versions of CentOS or BSD. Because these devices are not covered by normal monitoring, the group has remained undetected in victim environments for extended periods of about 18 months.

The threat group primarily compromised IP cameras sold by D-Link and LifeSize, Inc. that were directly exposed to the internet, running outdated firmware, or using default credentials. When removed, they immediately re-compromise the environment through several mechanisms and restart their information-stealing campaign to re-establish persistence in the target's environment.
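The two traits described above, mailbox collection through EWS after authenticating to Exchange and operating from unmanaged appliances such as IP cameras, both leave marks in the Exchange access logs. The script below is an added defender-side example, not code from the article or from the researchers' reporting: it runs two simple checks over constructed EWS access log lines, flagging requests whose source IP falls in subnets reserved for cameras and conferencing gear, and accounts that read an unusually large number of other people's mailboxes. The log format, the subnet list, the threshold and all sample values are assumptions made for illustration.

```python
"""
Added example: two detections over constructed Exchange Web Services (EWS)
access logs. Nothing here is from the article; the log format, subnets,
threshold and sample lines are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Assumed allocation: subnets where only cameras / conferencing gear should live.
# A mail client or EWS request from here is worth a look.
APPLIANCE_SUBNETS = [ip_network("10.50.0.0/16"), ip_network("192.168.200.0/24")]

# Assumed threshold for "bulk" collection: distinct mailboxes read by one account.
BULK_MAILBOX_THRESHOLD = 3

# Constructed log format: "<timestamp> <client_ip> <auth_user> <target_mailbox> <ews_verb>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<mailbox>\S+) (?P<verb>\S+)$"
)

# Constructed sample: one service account, coming from the camera subnet,
# walks several executive mailboxes; two ordinary users read their own.
SAMPLE_LOG = """\
2022-05-01T08:01:10Z 10.20.3.14 alice@corp.example alice@corp.example FindItem
2022-05-01T08:02:45Z 10.50.7.21 svc-backup@corp.example ceo@corp.example FindItem
2022-05-01T08:02:46Z 10.50.7.21 svc-backup@corp.example cfo@corp.example GetItem
2022-05-01T08:02:47Z 10.50.7.21 svc-backup@corp.example ma-team@corp.example GetItem
2022-05-01T08:03:02Z 10.50.7.21 svc-backup@corp.example legal@corp.example GetItem
2022-05-01T08:05:00Z 10.20.3.15 bob@corp.example bob@corp.example SyncFolderItems
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def from_appliance_subnet(ip_str):
    """True if the client address belongs to a subnet reserved for appliances."""
    ip = ip_address(ip_str)
    return any(ip in net for net in APPLIANCE_SUBNETS)


def analyze(log_text):
    """Run both checks and return the findings as a dict (pure, so it is testable)."""
    appliance_hits = []                 # EWS requests sourced from appliance subnets
    mailboxes_by_user = defaultdict(set)  # distinct target mailboxes per account
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if from_appliance_subnet(rec["ip"]):
            appliance_hits.append((rec["ts"], rec["ip"], rec["user"], rec["mailbox"]))
        mailboxes_by_user[rec["user"]].add(rec["mailbox"])
    bulk_accounts = {
        user: sorted(boxes)
        for user, boxes in mailboxes_by_user.items()
        if len(boxes) >= BULK_MAILBOX_THRESHOLD
    }
    return {"appliance_source": appliance_hits, "bulk_access": bulk_accounts}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for ts, ip, user, mailbox in findings["appliance_source"]:
        print(f"[appliance-source] {ts} {ip} {user} -> {mailbox}")
    for user, boxes in findings["bulk_access"].items():
        print(f"[bulk-access] {user} read {len(boxes)} mailboxes: {', '.join(boxes)}")
```

In a real deployment the subnet list would come from the asset inventory and the threshold from a baseline of normal delegate access, and both findings would be stronger when correlated with the same account appearing in Exchange authentication logs from an address that is not a managed workstation.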

UNC3524 showed that it could quickly establish persistence, deploy several backdoors, evade detection, execute well-planned operations, and exfiltrate data.

Experts expect more threat actors to invest in techniques and tools that support bulk email collection from targeted environments, raising the success rate of each attack.
