QUIETEXIT

Description

(Mandiant) QUIETEXIT works as if the traditional client-server roles in an SSH connection were reversed. Once the client, running on a compromised system, establishes a TCP connection to a server, it performs the SSH server role. The QUIETEXIT component running on the threat actor’s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS. QUIETEXIT has no persistence mechanism; however, we have observed UNC3524 install a run command (rc) as well as hijack legitimate application-specific startup scripts to enable the backdoor to execute on system startup.

Names

Name
QUIETEXIT

Category

Malware

Type

  • Backdoor
  • Tunneling

Information

MITRE ATT&CK

Malpedia

Other Information

Uuid

f7540533-ada8-45ac-915d-1c550090338a

Last Card Change

2023-11-30