<div dir="ltr"><a href="https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html">https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html</a><div><br></div><div><span id="gmail-docs-internal-guid-09aec723-7fff-0d19-b207-39c217d09d33"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. 
However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a Monday report.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The initial access route is unknown, but once a foothold is gained, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT, which provides persistent remote access and in some cases went undetected for as long as 18 months.</span></p><br><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">What's more, the command-and-control domains — a botnet of internet-exposed IP camera devices, likely with default credentials — are designed to blend in with legitimate traffic originating from the infected endpoints, suggesting attempts on the part of the threat actor to stay under the radar.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">"UNC3524 also takes persistence seriously," Mandiant researchers pointed out. "Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign."</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Also installed by the threat actor is a secondary implant, a web shell, as a means of alternate access should QUIETEXIT stop functioning and for propagating the primary backdoor on another system in the network.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The information-gathering mission, in its final stage, entails obtaining privileged credentials to the victim's mail environment, using it to target the mailboxes of executive teams that work in corporate development.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">"UNC3524 targets opaque network appliances because they are often the most unsecure and unmonitored systems in a victim environment," Mandiant said. 
"Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools."</span></p></span><br class="gmail-Apple-interchange-newline"></div></div>