Security researchers from ESET have detected an evolving remote access tool (RAT) with the usual backdoor functionality and dubbed it “Mikroceen”. It is being used in espionage attacks against government networks and high-profile targets such as telcos and gas companies in Central Asia.
To produce a clean analysis of this persistently evolving RAT, ESET collaborated with Avast. The researchers at both companies state that the attacks, whose goal is to spy on targets in Central Asia, are carried out by professional threat actors believed to operate from China.
To put the research in context, the ESET and Avast researchers also point to three earlier events and the reports covering them: Kaspersky’s Microcin against Russian military personnel, Palo Alto Networks’ BYEBY against the Belarusian government, and Check Point’s Vicious Panda against the Mongolian public sector.
The image above shows how the attackers use a decryption loop to recover the configuration data (the C&C domain, a name and a password) that is tied to each sample of the RAT.
Tools Used By The Attackers
The researchers have not yet been able to determine how the attackers got into the compromised networks, but they have described the tools the attackers used:
RAT (client-side backdoor)
The code in the image below is used by the attackers to install the RAT on the victim’s machine as a Windows service. To make the malware persist across reboots, the attacker simply sets the service start type with the parameter ‘start= auto’.
Mimikatz
Mimikatz is a powerful tool developed by French security researcher Benjamin Delpy, and the attackers use it in a two-stage fashion. In the first stage they drop installer.exe or Yokel64.exe carrying the primary payload; in the second stage they drop an external DLL with the telltale name mktz64.dll.
The researchers also note that Mikroceen itself never comes with debug information; the Mimikatz build, by contrast, left its PDB path in the binary, as the string “E:\2018_\MimHash\mimikatz\Bin\mktzx64.pdb” in the image below shows.
WMI
In this campaign the attackers used WMI (Windows Management Instrumentation) to spread the infection across the victim’s network. To run a program on another host through this tool, the attacker needs the target computer name, a user name, a password and the executable to launch, i.e. “<ComputerName>,<UserName>,<Password>,.exe.”
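As an added defender-side example (not code from ESET, Avast or this article), the following Python scanner runs over constructed process-creation log lines and flags the two behaviours described above: a service registered with ‘start= auto’ and a remote process launched through WMI with explicit credentials. The log layout, service name, host names and credentials are assumed and constructed; only the binary names come from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style,
# flattened to "User|Image|CommandLine"); not real telemetry.
SAMPLE_LOGS = [
    r"CORP\svc_backup|C:\Windows\System32\sc.exe|sc create WinUpdSvc binpath= C:\ProgramData\installer.exe start= auto",
    r"CORP\alice|C:\Windows\System32\sc.exe|sc query wuauserv",
    r"CORP\svc_backup|C:\Windows\System32\wbem\WMIC.exe|wmic /node:FILESRV01 /user:CORP\admin /password:Secret123 process call create C:\Windows\Temp\Yokel64.exe",
    r"CORP\bob|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption",
]

# File names the article associates with the toolkit's Mimikatz stages.
KNOWN_NAMES = {"installer.exe", "yokel64.exe", "mktz64.dll"}

# "sc create <svc> ... binpath= <exe> ... start= auto" (paths without spaces only).
SC_CREATE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+).*?binpath=\s*(?P<bin>\S+).*?start=\s*auto", re.I)
# "wmic /node:<host> ... /user:<u> ... /password:<p> ... process call create <exe>"
WMIC_REMOTE = re.compile(
    r"\bwmic(?:\.exe)?\s+/node:(?P<node>\S+).*?\s+/user:\S+.*?\s+/password:\S+"
    r".*?process\s+call\s+create\s+(?P<bin>\S+)", re.I)


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def severity(path: str) -> str:
    """'known-name' if the launched file matches a name from the article, else 'generic'."""
    return "known-name" if path.rsplit("\\", 1)[-1].lower() in KNOWN_NAMES else "generic"


def scan_line(line: str) -> Optional[Finding]:
    user, _image, cmdline = line.split("|", 2)
    m = SC_CREATE.search(cmdline)
    if m:  # service persistence: auto-start service pointing at a dropped binary
        return Finding("service-autostart", user,
                       f"{m.group('svc')} -> {m.group('bin')} [{severity(m.group('bin'))}]")
    m = WMIC_REMOTE.search(cmdline)
    if m:  # lateral movement: remote process creation via WMI with credentials
        return Finding("wmi-remote-exec", user,
                       f"{m.group('node')} <- {m.group('bin')} [{severity(m.group('bin'))}]")
    return None


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(scan_line, lines) if f is not None]
```

In a real deployment the same two patterns would be fed from Sysmon or EDR telemetry rather than the embedded sample, and the `KNOWN_NAMES` set extended with the organisation's own IoCs.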
Gh0st RAT
Gh0st RAT is a remote access tool first released in 2008; here the attackers use it in the form of a DLL. On compromised systems the file is named “rastls.dll” and its exported DLL name is “svchost.dll.” It attempts to connect to “https://yuemt.zzux[.]com:443”, which resolves to an IP address in China.
C&C panel
This is where the attacker commands all the bots. The researchers managed to find an older version of the RAT’s control panel; the attackers have also used the Gh0st RAT’s Command and Control (C&C) panel, although that panel is not as advanced as the older version of the RAT’s control panel.
The researchers also clearly indicate that the group is still running operations in other countries with the same toolkit.
The good news is that Avast and ESET users are already protected against this family of threats, as both companies already detect the samples whose SHA-1 hashes were published as indicators of compromise (IoCs) with the research.