S1076 QUIETCANARY
QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[1]
| Item | Value |
|---|---|
| ID | S1076 |
| Associated Names | Tunnus |
| Type | MALWARE |
| Version | 1.0 |
| Created | 19 May 2023 |
| Last Modified | 16 April 2025 |

Associated Software Descriptions

| Name | Description |
|---|---|
| Tunnus | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | QUIETCANARY can use HTTPS for C2 communications.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | QUIETCANARY can base64 encode C2 communications.[1] |
| enterprise | T1074 | Data Staged | QUIETCANARY has the ability to stage data prior to exfiltration.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | QUIETCANARY can RC4 encrypt C2 communications.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | QUIETCANARY can execute processes in a hidden window.[1] |
| enterprise | T1106 | Native API | QUIETCANARY can call System.Net.HttpWebRequest to identify the default proxy configured on the victim computer.[1] |
| enterprise | T1012 | Query Registry | QUIETCANARY has the ability to retrieve information from the Registry.[1] |
| enterprise | T1016 | System Network Configuration Discovery | QUIETCANARY can identify the default proxy setting on a compromised host.[1] |