S0686 QuietSieve
QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.
| Item | Value |
| --- | --- |
| ID | S0686 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 February 2022 |
| Last Modified | 15 April 2022 |
Techniques Used
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | QuietSieve can use HTTPS in C2 communications. |
| enterprise | T1005 | Data from Local System | QuietSieve can collect files from a compromised host. |
| enterprise | T1083 | File and Directory Discovery | QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | QuietSieve has the ability to execute payloads in a hidden window. |
| enterprise | T1105 | Ingress Tool Transfer | QuietSieve can download and execute payloads on a target host. |
| enterprise | T1135 | Network Share Discovery | QuietSieve can identify and search networked drives for specific file name extensions. |
| enterprise | T1120 | Peripheral Device Discovery | QuietSieve can identify and search removable drives for specific file name extensions. |
| enterprise | T1113 | Screen Capture | QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under Temp\SymbolSourceSymbols\icons or Temp\ModeAuto\icons. |
| enterprise | T1016 | System Network Configuration Discovery | - |
| enterprise | T1016.001 | Internet Connection Discovery | QuietSieve can check C2 connectivity with a ping to 8.8.8.8 (Google public DNS). |