Botnet that hid for 18 months boasted some of the coolest tradecraft ever


by Dan Goodin, Ars Technica

It's not the kind of security discovery that happens often. A previously unknown hacker group combined a novel backdoor, top-notch tradecraft, and solid software engineering to build an espionage botnet that remained largely invisible inside many victim networks.

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims' networks with unusual stealth. When it is ejected from a network, it wastes no time reinfecting the victim environment and picking up where it left off. There are many keys to its stealth, including:

  • the use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other IoT-class devices that cannot run antivirus or endpoint detection and response agents, so detection through traditional endpoint tooling is difficult
  • customized versions of the backdoor whose file names and creation dates mimic legitimate files already present on the specific infected device
  • a live-off-the-land approach that favors common Windows programming interfaces and built-in tools over custom code, with the goal of leaving as light a footprint as possible
  • an unusual way the second-stage backdoor connects to attacker-controlled infrastructure: in essence, it acts as a TLS-encrypted server that proxies data through the SOCKS protocol
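
Because the devices the backdoor lives on cannot run antivirus or EDR, the practical place to look for it is the network. The script below is an added example written for this article; it is not code from Ars Technica or from Mandiant's post, and it does not use any indicator from the UNC3524 investigation. It scans flow records for sessions that leave an appliance subnet, reach an external address, and stay open far longer than an appliance's normal update or telemetry traffic would. The appliance subnets, the one-hour threshold, and the sample flow records are all constructed for illustration.

```python
"""Hunt for long-lived outbound sessions from appliances that cannot run EDR.

Added example; not code from the Ars Technica article or from Mandiant.
Subnets, threshold and sample data are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical: address space where this organisation keeps load balancers,
# wireless controllers and similar devices that cannot run antivirus or EDR.
APPLIANCE_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.21.5.0/24"),
]

# RFC 1918 space plus loopback counts as internal; everything else is external.
# (ipaddress's is_private flag also marks the TEST-NET documentation ranges used
# in the sample data as private, so the check is spelled out explicitly here.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Hypothetical threshold: an appliance fetching updates or posting telemetry is
# done in seconds; a reverse tunnel stays up for as long as its operator wants.
LONG_LIVED = timedelta(hours=1)


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # appliance -> remote
    bytes_in: int   # remote -> appliance

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records: start,end,src,dst,dport,bytes_out,bytes_in."""
    flows = []
    for line in text.strip().splitlines():
        start, end, src, dst, dport, b_out, b_in = line.split(",")
        flows.append(Flow(
            start=datetime.fromisoformat(start.replace("Z", "+00:00")),
            end=datetime.fromisoformat(end.replace("Z", "+00:00")),
            src=src, dst=dst, dport=int(dport),
            bytes_out=int(b_out), bytes_in=int(b_in),
        ))
    return flows


def is_suspicious(flow: Flow) -> bool:
    """An appliance holding an outbound session to the internet open for hours."""
    return (
        _in_any(flow.src, APPLIANCE_SUBNETS)
        and not _in_any(flow.dst, INTERNAL_NETS)
        and flow.duration >= LONG_LIVED
    )


def hunt(text: str) -> list[Flow]:
    """Return the flows in `text` that match the long-lived appliance heuristic."""
    return [f for f in parse_flows(text) if is_suspicious(f)]


# Constructed sample records (not real traffic). The documentation ranges
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for the internet.
SAMPLE_FLOWS = """\
2022-05-02T01:00:00Z,2022-05-02T01:00:03Z,10.20.0.15,203.0.113.7,443,1800,5200
2022-05-02T01:05:00Z,2022-05-02T09:41:00Z,10.20.0.15,198.51.100.44,443,73000,920000
2022-05-02T02:00:00Z,2022-05-02T02:00:08Z,10.50.3.9,203.0.113.7,443,4000,62000
2022-05-02T03:00:00Z,2022-05-02T03:30:00Z,10.21.5.2,10.21.5.1,22,9000,9100
2022-05-02T04:00:00Z,2022-05-02T06:10:00Z,10.21.5.2,192.0.2.99,443,12000,2400
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} open {f.duration}, "
              f"{f.bytes_out} B out / {f.bytes_in} B in")
```

Run against the sample data, only the two multi-hour sessions from appliance addresses to external hosts are flagged; the short update-style fetch, the session from a workstation subnet, and the internal SSH session are ignored. A real deployment would feed this from a flow collector and add an allowlist of vendor update and management hosts, which is exactly where such tunnels try to blend in.
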
A tunneling fetish with SOCKS

In a post, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, and Chris Gardner wrote:


Source: Ars Technica, https://arstechnica.com/