1. Home
  2. Software
  3. QUIETEXIT

QUIETEXIT

QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.[1]

ID: S1084
Type: MALWARE
Platforms: Network
Contributors: Joe Gumke, U.S. Bank
Version: 1.0
Created: 17 August 2023
Last Modified: 02 October 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1090 .002 代理: External Proxy

QUIETEXIT can proxy traffic via SOCKS.[1]
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

QUIETEXIT has attempted to change its name to cron upon startup. During incident response, QUIETEXIT samples have been identified that were renamed to blend in with other legitimate files.[1]
Enterprise T1008 回退信道

QUIETEXIT can attempt to connect to a second hard-coded C2 if the first hard-coded C2 address fails.[1]
Enterprise T1071 应用层协议

QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.[1]
Enterprise T1095 非应用层协议

QUIETEXIT can establish a TCP connection as part of its initial connection to the C2.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1]

References

  1. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.