ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool QUIETEXIT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: QUIETEXIT

NamesQUIETEXIT
CategoryMalware
TypeBackdoor, Tunneling
Description(Mandiant) QUIETEXIT works as if the traditional client-server roles in an SSH connection were reversed. Once the client, running on a compromised system, establishes a TCP connection to a server, it performs the SSH server role. The QUIETEXIT component running on the threat actor’s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS. QUIETEXIT has no persistence mechanism; however, we have observed UNC3524 install a run command (rc) as well as hijack legitimate application-specific startup scripts to enable the backdoor to execute on system startup.
Information<https://www.mandiant.com/resources/unc3524-eye-spy-email>
MITRE ATT&CK<https://attack.mitre.org/software/S1084>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit>

Last change to this tool card: 30 November 2023

Download this tool card in JSON format

Previous: Quickcafe
Next: QuietSieve

All groups using tool QUIETEXIT

ChangedNameCountryObserved

APT groups

XAPT 29, Cozy Bear, The DukesRussia2008-Jun 2024X

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]