QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.[1]

ID: S0686
Platforms: Windows
Version: 1.0
Created: 18 February 2022
Last Modified: 15 April 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | QuietSieve can use HTTPS in C2 communications.[1] |
| Enterprise | T1005 | Data from Local System | QuietSieve can collect files from a compromised host.[1] |
| Enterprise | T1083 | File and Directory Discovery | QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.[1] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | QuietSieve has the ability to execute payloads in a hidden window.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | QuietSieve can download and execute payloads on a target host.[1] |
| Enterprise | T1135 | Network Share Discovery | QuietSieve can identify and search networked drives for specific file name extensions.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | QuietSieve can identify and search removable drives for specific file name extensions.[1] |
| Enterprise | T1113 | Screen Capture | QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under Temp\SymbolSourceSymbols\icons or Temp\ModeAuto\icons.[1] |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | QuietSieve can check C2 connectivity with a ping to (Google public DNS).[1] |
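
The Screen Capture entry (T1113) names two staging folders and a five-minute cadence, which is enough to build a file-creation hunt. The following is an added example, not part of the original entry: it assumes file-creation telemetry has already been reduced to (timestamp, process image, created file) tuples, and every event, user name, process path and file name in the sample is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Folder suffixes taken from the Screen Capture entry (compared lower-cased).
STAGING_DIRS = (r"temp\symbolsourcesymbols\icons", r"temp\modeauto\icons")

def staging_dir(path):
    """Return the lower-cased parent folder if it is one of the listed folders."""
    directory = path.rsplit("\\", 1)[0].lower()
    for suffix in STAGING_DIRS:
        if directory.endswith("\\" + suffix):
            return directory
    return None

def find_periodic_captures(events, interval=timedelta(minutes=5),
                           tolerance=timedelta(seconds=30)):
    """Group file creations in the staging folders by (process, folder).

    Any write there is worth review; two or more consecutive gaps close to
    `interval` match the reported five-minute screenshot cadence.
    """
    by_key = defaultdict(list)
    for ts, image, target in events:
        folder = staging_dir(target)
        if folder:
            by_key[(image.lower(), folder)].append(datetime.fromisoformat(ts))
    findings = []
    for (image, folder), times in sorted(by_key.items()):
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = sum(abs(gap - interval) <= tolerance for gap in gaps)
        findings.append({"image": image, "dir": folder, "files": len(times),
                         "periodic_gaps": periodic,
                         "severity": "high" if periodic >= 2 else "review"})
    return findings

# Constructed sample events (timestamp, process image, created file).
_TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ("2022-03-01T09:00:02", _TMP + r"\example.exe", _TMP + r"\ModeAuto\icons\a1.jpg"),
    ("2022-03-01T09:05:03", _TMP + r"\example.exe", _TMP + r"\ModeAuto\icons\a2.jpg"),
    ("2022-03-01T09:10:01", _TMP + r"\example.exe", _TMP + r"\ModeAuto\icons\a3.jpg"),
    ("2022-03-01T09:15:04", _TMP + r"\example.exe", _TMP + r"\ModeAuto\icons\a4.jpg"),
    ("2022-03-01T09:07:00", r"C:\Program Files\Viewer\viewer.exe",
     r"C:\Users\alice\Pictures\icons\logo.png"),
    ("2022-03-01T09:20:00", r"C:\Windows\explorer.exe",
     r"C:\Users\bob\AppData\Local\Temp\SymbolSourceSymbols\icons\x.jpg"),
]

if __name__ == "__main__":
    for finding in find_periodic_captures(SAMPLE_EVENTS):
        print(finding)
```
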

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0047 | Gamaredon Group | |