Avast and ESET experts analyzed the malware used by an unknown Chinese APT group, spying on unnamed telecommunications and gas companies, as well as a government agency in Central Asia. ESET analysts gave this campaign the name Mikroceen.
In its operations, the hack group used backdoors to gain constant access to the corporate networks of its victims. Based on the data, the researchers suggest that the same group was previously involved in other attacks in Mongolia, Russia and Belarus, and was active at least in 2017.
Experts support this theory by the fact that, firstly, the hackers used the Gh0st RAT Trojan, which has long been used by Chinese APT groups. Secondly, analysts found clear similarities in the code of the malware used by the hackers.
The studied backdoors allowed hackers to manage victims' files (delete, read, move, check availability), take screenshots, interfere with the processes and services, as well as execute console commands and hide signs of their presence in the system. On command, the malware could transmit the data of the victim company to its managing server, and infected devices could play the role of a proxy server or listen to a specific port on each network interface.
“The group behind this attack often recompiles their custom tools (which, in addition to backdoors, included Mimikatz and Gh0st RAT) to avoid detection by antivirus solutions. As a result, we have a large number of malware samples, and binaries are often protected by VMProtect, which makes analysis difficult,” said Luigino Kamastra, Avast researcher.
Experts have already reported their findings to CERT and tried to contact the affected telecommunications company, but so far no answers have been received from the affected organizations. Given that the group is still active, and the incidents studied have been associated with attacks on other targets, the researchers believe that we will still hear about this hack group, and that it will continue to attack targets in other countries.