A newly identified advanced persistent threat group, tracked as UNC3524, has been infiltrating corporate networks to exfiltrate employees' Microsoft Exchange email, BleepingComputer reports.
UNC3524 has kept access to some compromised environments for at least 18 months by deploying the recently discovered QUIETEXIT backdoor on network appliances that do not support antivirus or endpoint-monitoring agents, and by planting the reGeorg web shell on DMZ web servers as a secondary access path, according to a report from Mandiant.
"Once UNC3524 successfully obtained privileged credentials to the victim's mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment. In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff," said researchers.
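The pattern the researchers describe, one privileged identity pulling mail from a handful of high-value mailboxes over Exchange Web Services, leaves a detectable footprint in mailbox audit data. The script below is an added example, not code from Mandiant's report or BleepingComputer's article: it parses records shaped like Microsoft 365 Unified Audit Log MailItemsAccessed events (the field names follow that schema; the records, account names, IP address, watchlist and the three-mailbox threshold are constructed for the demonstration) and flags any account that reads several mailboxes it does not own through EWS inside a time window.

```python
"""Hunt for EWS mailbox sweeps in Microsoft 365 mailbox audit records.

Added example (not code from Mandiant's report or BleepingComputer's article).
Input is JSON lines shaped like Unified Audit Log MailItemsAccessed events;
field names follow that schema, but every record below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a service account reads four sensitive mailboxes
# through EWS within minutes; an owner reading their own mail over OWA and a
# delegate reading a single mailbox are benign noise.
SAMPLE_LOG = """\
{"CreationTime": "2022-04-30T02:14:09", "Operation": "MailItemsAccessed", "UserId": "svc-ews-sync@corp.example", "MailboxOwnerUPN": "ceo@corp.example", "ClientInfoString": "Client=WebServices;ExchangeServicesClient/15.00.0913.015", "ClientIPAddress": "203.0.113.41"}
{"CreationTime": "2022-04-30T02:16:52", "Operation": "MailItemsAccessed", "UserId": "svc-ews-sync@corp.example", "MailboxOwnerUPN": "cfo@corp.example", "ClientInfoString": "Client=WebServices;ExchangeServicesClient/15.00.0913.015", "ClientIPAddress": "203.0.113.41"}
{"CreationTime": "2022-04-30T02:19:07", "Operation": "MailItemsAccessed", "UserId": "svc-ews-sync@corp.example", "MailboxOwnerUPN": "corpdev-lead@corp.example", "ClientInfoString": "Client=WebServices;ExchangeServicesClient/15.00.0913.015", "ClientIPAddress": "203.0.113.41"}
{"CreationTime": "2022-04-30T02:21:40", "Operation": "MailItemsAccessed", "UserId": "svc-ews-sync@corp.example", "MailboxOwnerUPN": "ciso@corp.example", "ClientInfoString": "Client=WebServices;ExchangeServicesClient/15.00.0913.015", "ClientIPAddress": "203.0.113.41"}
{"CreationTime": "2022-04-30T08:02:11", "Operation": "MailItemsAccessed", "UserId": "alice@corp.example", "MailboxOwnerUPN": "alice@corp.example", "ClientInfoString": "Client=OWA;Action=ViaProxy", "ClientIPAddress": "198.51.100.7"}
{"CreationTime": "2022-04-30T08:30:45", "Operation": "MailItemsAccessed", "UserId": "ea-bob@corp.example", "MailboxOwnerUPN": "ceo@corp.example", "ClientInfoString": "Client=WebServices;Microsoft Office/16.0", "ClientIPAddress": "198.51.100.9"}
"""

# Mailboxes worth weighting in an alert (assumed watchlist, not from the report).
WATCHLIST = {"ceo@corp.example", "cfo@corp.example",
             "corpdev-lead@corp.example", "ciso@corp.example"}


def load_records(text):
    """Parse a JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_ews(client_info):
    """The audit log tags Exchange Web Services access with a Client=WebServices prefix."""
    return client_info.startswith("Client=WebServices")


def find_ews_mailbox_sweeps(records, window=timedelta(hours=24),
                            min_mailboxes=3, watchlist=WATCHLIST):
    """Return one alert per actor that read at least `min_mailboxes` distinct
    mailboxes it does not own via EWS within any span of length `window`."""
    by_actor = defaultdict(list)
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        if not is_ews(r.get("ClientInfoString", "")):
            continue
        actor = r["UserId"].lower()
        owner = r["MailboxOwnerUPN"].lower()
        if actor == owner:
            continue  # a user reading their own mail is normal
        by_actor[actor].append((datetime.fromisoformat(r["CreationTime"]),
                                owner, r.get("ClientIPAddress", "")))

    alerts = []
    for actor, events in by_actor.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window over time-ordered events; keep the largest set of
        # distinct mailboxes touched within one window.
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            seen = {owner for _, owner, _ in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_mailboxes:
            alerts.append({
                "actor": actor,
                "mailboxes": sorted(best),
                "watchlist_hits": sorted(best & watchlist),
                "source_ips": sorted({ip for _, _, ip in events if ip}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_ews_mailbox_sweeps(load_records(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed sample the service account is the only hit: four non-owned mailboxes, all on the watchlist, from a single source IP, while the owner access and the single-mailbox delegate are ignored. The check only works where mailbox auditing is actually recording MailItemsAccessed for the targeted mailboxes, so confirm audit coverage of executive and M&A mailboxes before relying on it; for on-premises Exchange the equivalent telemetry has to come from the server's own EWS logs, which this example does not parse.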
While UNC3524 has been leveraging tactics previously used by Russian state-sponsored threat groups, Mandiant has not conclusively attributed its activity to such threat actors.
The novel Go-based information stealer Aurora is being adopted by a growing number of threat actors, with at least seven active cybercrime groups using the malware either exclusively or alongside other info-stealers such as Raccoon and RedLine, BleepingComputer reports.