[BreachExchange] New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

Matthew Wheeler mwheeler at flashpoint-intel.com
Tue May 3 08:48:36 EDT 2022


https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html

A newly discovered suspected espionage threat actor has been targeting
employees focusing on mergers and acquisitions as well as large corporate
transactions to facilitate bulk email collection from victim environments.

Mandiant is tracking the activity cluster under the uncategorized moniker
UNC3524, citing a lack of evidence linking it to an existing group.
However, some of the intrusions are said to mirror techniques used by
different Russia-based hacking crews like APT28 and APT29.

"The high level of operational security, low malware footprint, adept
evasive skills, and a large Internet of Things (IoT) device botnet set this
group apart and emphasize the 'advanced' in Advanced Persistent Threat,"
the threat intelligence firm said in a Monday report.

The initial access route is unknown but upon gaining a foothold, attack
chains involving UNC3524 culminate in the deployment of a novel backdoor
called QUIETEXIT for persistent remote access for as long as 18 months
without getting detected in some cases.
What's more, the command-and-control domains — a botnet of internet-exposed
IP camera devices, likely with default credentials — are designed to blend
in with legitimate traffic originating from the infected endpoints,
suggesting attempts on the part of the threat actor to stay under the radar.

"UNC3524 also takes persistence seriously," Mandiant researchers pointed
out. "Each time a victim environment removed their access, the group wasted
no time re-compromising the environment with a variety of mechanisms,
immediately restarting their data theft campaign."

Also installed by the threat actor is a secondary implant, a web shell, as
a means of alternate access should QUIETEXIT stop functioning and for
propagating the primary backdoor on another system in the network.

The information-gathering mission, in its final stage, entails obtaining
privileged credentials to the victim's mail environment, using it to target
the mailboxes of executive teams that work in corporate development.

"UNC3524 targets opaque network appliances because they are often the most
unsecure and unmonitored systems in a victim environment," Mandiant said.
"Organizations should take steps to inventory their devices that are on the
network and do not support monitoring tools."