QUIETCANARY

QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.^[1]

ID: S1076

ⓘ

Associated Software: Tunnus

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India

Version: 1.0

Created: 19 May 2023

Last Modified: 25 July 2023

Associated Software Descriptions

Name	Description
Tunnus	^[1]

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	QUIETCANARY can use HTTPS for C2 communications.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	QUIETCANARY can base64 encode C2 communications.^[1]
Enterprise	T1074		Data Staged	QUIETCANARY has the ability to stage data prior to exfiltration.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	QUIETCANARY can RC4 encrypt C2 communications.^[1]
Enterprise	T1564	.003	Hide Artifacts: Hidden Window	QUIETCANARY can execute processes in a hidden window.^[1]
Enterprise	T1106		Native API	QUIETCANARY can call `System.Net.HttpWebRequest` to identify the default proxy configured on the victim computer.^[1]
Enterprise	T1012		Query Registry	QUIETCANARY has the ability to retrieve information from the Registry.^[1]
Enterprise	T1016		System Network Configuration Discovery	QUIETCANARY can identify the default proxy setting on a compromised host.^[1]

ID	Name	Description
C0026	C0026	During C0026, the threat actors used QUIETCANARY to gather and exfiltrate data. ^[1]