Thank you to Tidal Cyber and SOC Prime for becoming ATT&CK's first Benefactors. To join the cohort, or learn more about this program visit our Benefactors page.

QuietSieve

QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.^[1]

ID: S0686

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 18 February 2022

Last Modified: 15 April 2022

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	QuietSieve can use HTTPS in C2 communications.^[1]
Enterprise	T1005		Data from Local System	QuietSieve can collect files from a compromised host.^[1]
Enterprise	T1083		File and Directory Discovery	QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.^[1]
Enterprise	T1564	.003	Hide Artifacts: Hidden Window	QuietSieve has the ability to execute payloads in a hidden window.^[1]
Enterprise	T1105		Ingress Tool Transfer	QuietSieve can download and execute payloads on a target host.^[1]
Enterprise	T1135		Network Share Discovery	QuietSieve can identify and search networked drives for specific file name extensions.^[1]
Enterprise	T1120		Peripheral Device Discovery	QuietSieve can identify and search removable drives for specific file name extensions.^[1]
Enterprise	T1113		Screen Capture	QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under `Temp\SymbolSourceSymbols\icons` or `Temp\ModeAuto\icons`.^[1]
Enterprise	T1016	.001	System Network Configuration Discovery: Internet Connection Discovery	QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS).^[1]

Groups That Use This Software

ID	Name	References
G0047	Gamaredon Group	^[1]

References

Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.