
Stealthy APT group robs very specific corporate email accounts


An extremely sophisticated and stealthy APT group has been going after very specific corporate email accounts and has, in some cases, remained undetected in victim environments for at least 18 months.

Tracked by Mandiant as UNC3524, the threat actor is also very adept at regaining access to a victim's environment after being evicted from it, "re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign."

APT and its route to corporate email

UNC3524 is mainly after emails and their contents, especially those of employees working on corporate development, mergers and acquisitions, and large corporate transactions, as well as those of IT security staff (the latter presumably to find out whether their activity has been discovered).

How the group gains initial access is unknown, but once inside it deploys the QUIETEXIT backdoor on devices such as SAN and NAS arrays, load balancers and wireless access point controllers (devices that do not support antivirus or EDR agents) or, alternatively, an obfuscated version of the REGEORG web shell, which it places on an internet-facing web server in the DMZ.

"QUIETEXIT supports the full functionality of SSH, and our observations are consistent with UNC3524 using it to establish a SOCKS tunnel into the victim environment. By establishing the SOCKS tunnel, the threat actor effectively plugs their machine into an Ethernet jack on the victim's network. Tunneling through SOCKS, the threat actor can run tools to steal data from their own computer, leaving no trace of the tools on the victims' systems," Mandiant researchers said.

For lateral movement the group uses a customized version of Impacket's WMIEXEC, and it uses the built-in reg save command to dump registry hives so that LSA secrets can be extracted from them offline.
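As an added illustration (not code from Mandiant's report or the article) of how a defender could hunt for the hive-dumping step described above: the script below scans constructed process-creation events, flags `reg save` of the SAM, SECURITY and SYSTEM hives, and raises the severity when the command was spawned by the WMI provider host, which is how WMIEXEC-style remote execution typically appears. The host names, paths and event fields are assumptions.

```python
import re

# Constructed sample process-creation events (not from the report): parent image,
# image and command line, as a host EDR or Sysmon Event ID 1 would record them.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /Q /c reg save HKLM\SAM C:\Windows\Temp\sam.hiv 1> \\127.0.0.1\ADMIN$\__1650 2>&1'},
    {"host": "ws01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /Q /c reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv'},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg save HKCU\Software\Contoso C:\Users\jdoe\backup.reg'},
    {"host": "ws03", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query HKLM\SYSTEM\CurrentControlSet\Services'},
]

# Hives whose offline contents yield LSA secrets and local account hashes.
SENSITIVE_HIVES = {"SAM", "SECURITY", "SYSTEM"}
REG_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(\w+)", re.IGNORECASE)


def classify(event):
    """Return None, or a (severity, reason) tuple for one process-creation event."""
    m = REG_SAVE.search(event["cmdline"])
    if not m or m.group(1).upper() not in SENSITIVE_HIVES:
        return None
    hive = m.group(1).upper()
    # Assumption: WMIEXEC-style execution shows up as cmd.exe spawned by WmiPrvSE.exe.
    if event["parent"].lower().endswith(r"\wmiprvse.exe"):
        return ("high", f"reg save of HKLM\\{hive} launched via WMI on {event['host']}")
    return ("medium", f"reg save of HKLM\\{hive} on {event['host']}")


def hunt(events):
    """Apply classify() to every event and return only the findings as (host, severity, reason)."""
    return [(e["host"], *r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for host, sev, reason in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {reason}")
```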

Once they obtain privileged credentials for the victim's mail environment, they begin making Exchange Web Services (EWS) API requests to either an on-premises Microsoft Exchange server or Microsoft 365 Exchange Online to retrieve mail items from specific mailboxes.

A sophisticated threat actor

"Throughout their operations, the threat actor demonstrated advanced operational security that we see displayed by only a small number of threat actors," the researchers said.

"The threat actor evaded detection by operating from devices in the blind spots of the victim's environment, including servers running unusual versions of Linux and network devices with opaque operating systems. These devices and appliances ran versions of operating systems that were not supported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in.

The QUIETEXIT tunnel also allowed them to live off the land, further reducing the chance of detection. Their C2 systems were traced primarily to legacy conference room camera systems, which were probably compromised through default credentials. Specific C2 domains were chosen so that the C2 traffic would blend in as legitimate."

Although UNC3524's motivation appears to be financial, their ability to remain undetected for so long points to their ultimate goal: long-term cyber espionage.

The researchers did not say what types of organizations or which sectors the group compromised, but they have provided defenders with detection and remediation guidance, indicators of compromise and YARA signatures for hunting suspicious files at scale.
