New Sophisticated Malware
2022-05-04 11:15

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims' networks with unusual stealth.

The group uses a unique backdoor Mandiant calls QUIETEXIT, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don't support antivirus or endpoint detection.

UNC3524's high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggest something more.

Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate.

The threat actor evaded detection by operating from devices in the victim environment's blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes.

The threat actor's use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection.
News URL

https://www.schneier.com/blog/archives/2022/05/new-sophisticated-malware.html