QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.[1]

ID: S1084
Platforms: Network
Contributors: Joe Gumke, U.S. Bank
Version: 1.0
Created: 17 August 2023
Last Modified: 02 October 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 Application Layer Protocol

QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.[1]

Enterprise T1008 Fallback Channels

QUIETEXIT can attempt to connect to a second hard-coded C2 if the first hard-coded C2 address fails.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

QUIETEXIT has attempted to change its name to cron upon startup. During incident response, QUIETEXIT samples have been identified that were renamed to blend in with other legitimate files.[1]

Enterprise T1095 Non-Application Layer Protocol

QUIETEXIT can establish a TCP connection as part of its initial connection to the C2.[1]

Enterprise T1090 .002 Proxy: External Proxy

QUIETEXIT can proxy traffic via SOCKS.[1]

Groups That Use This Software

ID Name References
G0016 APT29