QUIETEXIT

QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.^[1]

ID: S1084

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Contributors: Joe Gumke, U.S. Bank

Version: 1.0

Created: 17 August 2023

Last Modified: 02 October 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071		Application Layer Protocol	QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.^[1]
Enterprise	T1008		Fallback Channels	QUIETEXIT can attempt to connect to a second hard-coded C2 if the first hard-coded C2 address fails.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	QUIETEXIT has attempted to change its name to `cron` upon startup. During incident response, QUIETEXIT samples have been identified that were renamed to blend in with other legitimate files.^[1]
Enterprise	T1095		Non-Application Layer Protocol	QUIETEXIT can establish a TCP connection as part of its initial connection to the C2.^[1]
Enterprise	T1090	.002	Proxy: External Proxy	QUIETEXIT can proxy traffic via SOCKS.^[1]

Groups That Use This Software

ID	Name	References
G0016	APT29	^[1]

References

Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.

QUIETEXIT

Enterprise Layer

Techniques Used

Groups That Use This Software

References