LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities

The hacking group is covertly infecting Windows machines with Trojans by way of stolen certificates belonging to a Chinese security company.
Written by Charlie Osborne, Contributing Writer

The LuckyMouse advanced persistent threat (APT) is back with a twist in tactics that harnesses LeagSoft certificates to spread Trojans by way of malicious NDISProxy drivers.

It was back in June that researchers discovered that LuckyMouse, also known as EmissaryPanda and APT27, had targeted a national data center containing Asian government resources.

In this previous campaign, LuckyMouse used malicious documents embedded with macros which exploited a widely-known Microsoft Word vulnerability. The Chinese-speaking threat group chose the center in order to steal a "wide range of government resources at one fell swoop."

However, in a fresh twist, the APT is back which uses seemingly legitimate security certificates issued by VeriSign to Chinese security software developer LeagSoft.

Kaspersky researchers said on Monday that LuckyMouse has harnessed the certificates belonging to the Shenzhen, Guangdong-based firm since March 2018. It appears they have been stolen.

By utilizing these certificates, the threat actors have launched a new campaign which aims to exploits the Windows network filtering driver NDISProxy, in both 32- and 64-bit versions, depending on the target machine.

NDISProxy, also known as Ndproxy.sys, is legitimate driver software which brings together NDISWAN and CoNDIS WAN drivers with TAPI services.

By compromising this Windows component by the use of a malicious NDISProxy tool signed off with a legitimate certificate, the driver tool can be used to infect lsass.exe system process memory.

The Trojan payload, which was previously unrecorded, consists of three main modules. The first is a custom C++ installer which creates a Windows autorun service for Trojan persistency. In addition, the module is able to drop the encrypted Trojan into the system registry.

Instead of using Windows executable file loaders, the remote access Trojan (RAT) is decrypted by the NDISProxy driver from the system registry and injected into the lsass.exe process memory through the use of Shellcode.

See also: Top Mac anti-adware software in App Store steals your browsing history

The second module filters port 3389 traffic to hide the Trojan's malicious network activities within. This step ensures the malware is able to communicate with its command-and-control (C2) server without detection.

The final module is a custom C++ Trojan which acts as an HTTPS server and platform for C2 communications.

"These modules allow attackers to silently move laterally in the infected infrastructure, but don't allow them to communicate with an external C2 if the new infected host only has a LAN IP," the researchers say. "Because of this, the operators used an Earthworm SOCKS tunneler in order to connect the LAN of the infected host to the external C2."

The Trojans will listen in and install keyloggers in order to harvest administrator credentials. If successful, the Scanline network scanner is also used in order to spread the malware via file sharing across a corporate network.

CNET: Justice Department charges North Korean over WannaCry, Sony hack

The Trojan is able to complete many of the tasks of a typical member of this malware family; including command execution and keylogging, as well as downloading and uploading files.

LuckyMouse's NDISProxy tool also makes use of a variety of other third-party components and open-source code, such as the Blackbone Windows hacking library hosted on GitHub.

TechRepublic: How you can get low-tech hacked

The researchers say that no phishing campaigns have been detected which use the Trojan dropper. Instead, it is currently believed that the malware is currently only spreading in networks which are already compromised in some way.

The latest LuckyMouse attacks have focused on government entities in the middle of Asia and took place at the same time as a "high-level meeting," although it has not been disclosed exactly what political situation was at hand.

While attribution is difficult, Kaspersky researchers believe that politics, in some manner, is at the heart of the campaign.

"This campaign appears to demonstrate once again LuckyMouse's interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization," the firm says.

The Shanghai Cooperation Organization (SCO) is a pact made up of countries including China, Russia, and European entities to discuss global political, economic, and security issues.

Kaspersky has made LeagSoft aware of the issue via CN-CERT. ZDNet has also attempted to contact the company and Verisign and will update if we hear back.

A basic guide to diving in to the dark web

Previous and related coverage

Editorial standards