Security researchers from ESET have detected an evolving remote access tool (RAT) with the usual backdoor functionality and dubbed it “Mikroceen”. It is being used in espionage attacks against government networks and other high-profile networks, such as telcos and the gas industry, in Central Asia.
To obtain a clean analysis of this persistently evolving RAT, ESET collaborated with Avast. The researchers at both firms state that the attacks, whose mission is to spy on targets in Central Asia, are carried out by professional threat actors believed to operate from China.
To put the research in context, the ESET and Avast researchers also tie it to three previously reported events: Kaspersky’s Microcin against Russian military personnel, Palo Alto Networks’ BYEBY against the Belarusian government, and Check Point’s Vicious Panda against the Mongolian public sector.
The image above shows the decryption loop with which each sample unpacks its configuration at runtime: the C&C domain, a name, and a password, all of which are specific to that particular sample of the RAT.
Tools Used By The Attackers
The security experts admit they have not yet been able to determine how the attackers got into the compromised networks, but they have listed all the tools the attackers used:
RAT (client-side backdoor)
The command shown in the image below is used by the attackers to install the RAT (Remote Access Tool) on the victim’s machine as a Windows service. To make the backdoor persist across reboots, the attacker simply passes the parameter ‘start= auto’ (the sc.exe syntax for a service that starts automatically at boot).
Mimikatz is a robust credential-dumping tool developed by French security researcher Benjamin Delpy, and the attackers use it in a two-stage mechanism. In the first stage they drop installer.exe or Yokel64.exe carrying the primary payload; in the second stage that payload drops an external DLL with the telling name mktz64.dll.
The researchers also point out that Mikroceen itself never comes with debug information, whereas this Mimikatz build does: the PDB path string “E:\2018_\MimHash\mimikatz\Bin\mktzx64.pdb” can be seen in the image below.
In this campaign the attackers used WMI (Windows Management Instrumentation) to spread the infection across the compromised network. To execute their WMI tool they must supply the target computer name, a user name, a password, and the executable to run, in the form “<ComputerName>,<UserName>,<Password>,.exe”.
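A leftover PDB path like the one above is one of the cheapest pivots an analyst has: it leaks the build drive, directory layout and project name, and the GUID/age pair next to it is the key the compiler uses to tie the binary to its symbol file. The script below, an added example and not ESET’s or Avast’s code, scans raw bytes for CodeView “RSDS” records (the 4-byte signature, a 16-byte GUID, a 4-byte age and a NUL-terminated path) and reports what it finds. The GUID, the byte blob and the stripped second sample are constructed here; only the PDB path is the one quoted by the researchers.

```python
"""Extract CodeView (RSDS) PDB paths from a PE image's bytes.

Added example, not ESET/Avast code.  Both byte blobs below are constructed:
the first carries an RSDS record built around the PDB path quoted in the
research, the second has no debug record at all (the Mikroceen case).
A full triage tool would walk the PE debug directory; scanning for the
RSDS signature is the strings-style shortcut and can in theory hit random
data, so the path is required to end in ".pdb".
"""
import re
import struct
import uuid

# 'RSDS' | 16-byte GUID (little-endian field order) | 4-byte age | path | NUL
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]+\.pdb)\x00", re.S)


def build_codeview_record(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Serialise an RSDS record the way the linker lays it out."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


def extract_rsds(data: bytes) -> list:
    """Return every RSDS record found in `data` as {guid, age, pdb}."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))       # undo the on-disk LE layout
        (age,) = struct.unpack("<I", m.group(2))
        records.append({"guid": str(guid), "age": age, "pdb": m.group(3).decode("ascii")})
    return records


def symbol_server_key(record: dict) -> str:
    """Key used under <pdbname>/<KEY>/<pdbname> on a Microsoft-style symbol server:
    the GUID as 32 upper-case hex digits followed by the age in hex, no padding."""
    return uuid.UUID(record["guid"]).hex.upper() + format(record["age"], "X")


# --- constructed samples -------------------------------------------------
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")   # made up
SAMPLE_PDB = r"E:\2018_\MimHash\mimikatz\Bin\mktzx64.pdb"        # from the research
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 64
               + build_codeview_record(SAMPLE_GUID, 1, SAMPLE_PDB)
               + b"\x00" * 32)
STRIPPED_BLOB = b"MZ\x90\x00" + b"\x00" * 128                     # no debug info


if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE_BLOB):
        print(rec["pdb"], symbol_server_key(rec))
    print("stripped sample:", extract_rsds(STRIPPED_BLOB))
```

Run it against a real binary by replacing `SAMPLE_BLOB` with the file’s contents; a path component such as “MimHash” is the kind of detail worth pivoting on across a sample set, because operators rarely change their build tree between compiles.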
Gh0st RAT, a remote access tool dating from 2008, is also deployed, as a DLL. On the compromised systems the file is named “rastls.dll”, while the name recorded in its export table is “svchost.dll”. Through it the attackers try to connect to “https://yuemt.zzux[.]com:443”, which resolved to an IP address in China.
This is where the attacker commands all the bots. The researchers managed to obtain an older version of the RAT’s control panel, and the attackers have also used the Gh0st RAT’s Command and Control (C&C) panel, which is not as advanced as that older version of the RAT’s control panel.
Beyond these findings, the researchers clearly indicate that the group is still running operations in other countries with the same toolkit.
The good news is that, if you use Avast or ESET, you do not have to worry about this family of threats: both vendors already detect it and have published the following indicators of compromise (IoCs):
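Three of the behaviours described above leave ordinary endpoint telemetry behind: the service install with ‘start= auto’, the WMI tool that runs an executable on a remote host, and the DNS lookup for the C&C domain. The hunting script below, an added example rather than anything from ESET or Avast, runs those three checks over a handful of constructed Sysmon-style records (EventID 1 process creation and EventID 22 DNS query). The service name, binary paths and benign records are made up; the only real indicator is the defanged domain quoted above, which the script refangs before matching.

```python
"""Hunt for the tradecraft described above in Sysmon-style telemetry.

Added example, not ESET/Avast code.  SAMPLE_EVENTS are constructed; the
only real indicator is the defanged C&C domain from the research.
"""
import re

IOC_DOMAINS_DEFANGED = ["yuemt.zzux[.]com"]          # as published, defanged
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")   # tune per estate


def refang(ioc: str) -> str:
    """Turn 'a.b[.]c' / 'hxxp://' defanging back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = [refang(d).lower() for d in IOC_DOMAINS_DEFANGED]

SC_CMD = re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\b", re.I)
SC_AUTOSTART = re.compile(r"\bstart=\s*auto\b", re.I)
SC_BINPATH = re.compile(r'binPath=\s*(?:"([^"]*)"|(\S+))', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_service_persistence(ev: dict):
    """'sc create/config ... start= auto' with a binary outside trusted dirs.
    Caveat: an admin-level attacker can also drop into System32, so the path
    filter only trims noise; it is not a security boundary."""
    cmd = ev.get("CommandLine", "")
    if not (SC_CMD.search(cmd) and SC_AUTOSTART.search(cmd)):
        return None
    m = SC_BINPATH.search(cmd)
    binpath = ((m.group(1) or m.group(2)) if m else "").strip().lower()
    if binpath.startswith(TRUSTED_SERVICE_DIRS):
        return None
    return "autostart_service_untrusted_path"


def check_wmi_exec(ev: dict):
    """Remote WMI execution shows up as a child of WmiPrvSE.exe on the target.
    Baseline legitimate management tooling before alerting on every hit."""
    if basename(ev.get("ParentImage", "")) == "wmiprvse.exe":
        return "process_spawned_by_wmiprvse"
    return None


def check_c2_dns(ev: dict):
    """Exact or subdomain match against the refanged C&C domains."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return "dns_query_to_known_c2"
    return None


def hunt(events: list) -> list:
    """Return (event index, rule name) for every record that trips a check."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            checks = (check_service_persistence, check_wmi_exec)
        elif ev["EventID"] == 22:
            checks = (check_c2_dns,)
        else:
            checks = ()
        for check in checks:
            rule = check(ev)
            if rule:
                findings.append((i, rule))
    return findings


# Constructed records; field names follow Sysmon EventID 1 / 22.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'sc create WebUpdateSvc binPath= "C:\ProgramData\updater\svc.exe" start= auto'},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc create EvtLogSvc binPath= C:\Windows\System32\svchost.exe start= auto"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c C:\ProgramData\updater\svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
    {"EventID": 22, "Image": r"C:\ProgramData\updater\svc.exe", "QueryName": "yuemt.zzux.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Browser\browser.exe", "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Records 1, 3 and 5 are the benign controls: an auto-start service pointing into System32, a normal services.exe child, and an unrelated DNS query. Only records 0, 2 and 4 should surface, one per technique.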
IOC – SHA
So, what do you think about this? Simply share all your views and thoughts in the comment section below.