Mikroceen RAT backdoors Asian government networks in new attack wave

The backdoor paved the way for the deployment of other malware including Gh0st RAT.

Researchers examining a Trojan currently being used in attacks against an Asian government and other organizations believe it may be connected to past high-profile attacks in Russia, Belarus, and Mongolia. 

A joint report issued on Thursday by cybersecurity teams from ESET and Avast suggests that the Remote Access Trojan (RAT), which is undergoing "constant" development, is likely the work of an Advanced Persistent Threat (APT) group -- possibly from China -- that has "planted backdoors to gain long-term access to corporate networks."

China has recently been formally accused by the US of cyberespionage in the attempted theft of coronavirus research. 

According to the researchers, the backdoor -- dubbed Mikroceen -- has been tracked in campaigns against public and private entities since 2017. Mikroceen focuses on targets in Central Asia and has been recently tracked in attacks against government entities, telecommunications firms, and the gas industry. 

The RAT and tools associated with the backdoor also appear to be connected to past attacks as documented by Kaspersky, Palo Alto Networks, and Check Point. In these campaigns, Russian military personnel, the Belarusian government, and the Mongolian public sector were targeted. 

The samples in question are linked to the past campaigns Microcin, BYEBY, and Vicious Panda, as separately named by the aforementioned companies. 

The attack vector of the Mikroceen RAT in recent campaigns is unknown, but once the malware lands on a compromised machine, custom tools are used to establish a connection with a command-and-control (C2) server. The Mikroceen client has an unusual feature: an operator must authenticate to the bot by entering a password before they can control it. 

In addition, a client cannot connect directly to a C2; instead, this connection is secured via a certificate, a feature that the researchers say "distinguishes Mikroceen from the legion of backdoors we have seen since previously."

ESET and Avast cannot verify the exact reason why the authentication measure has been implemented, beyond the idea that it may be a security control to prevent "botnet takeover, in case a competing actor or law enforcement seize their infrastructure."

Mikroceen will fingerprint the infected system, check to see whether it is being run in a virtual environment, and is able to steal, move, and delete files; terminate and change processes and Windows services, maintain persistence, execute console commands, and send information back to the C2.

"The infected device can also be commanded by the C2 to act as a proxy or listen on a specific port on every network interface," Avast says. 

The basic grammar used for commands is the same as what has been used in previous reports on the RAT, being truncated to six letters and then base64 encoded. However, in the new campaigns, an additional layer of encryption has also been included. 
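To make the command grammar concrete from a triage point of view, here is an added example, not code from the article or from the ESET/Avast report, that applies the one rule the reports describe (a command name truncated to six letters, then base64 encoded) to a handful of constructed tokens. The command names used below are assumptions for illustration only, not Mikroceen's real command set, and the extra encryption layer mentioned for the newer campaigns is not specified in the article, so it is left out.

```python
import base64
import binascii
import string


def encode_command(name: str) -> str:
    """Apply the described grammar: keep the first six letters, then base64 encode.

    The command names passed in by callers are hypothetical; only the
    truncate-to-six-then-base64 rule comes from the published reports.
    """
    return base64.b64encode(name[:6].encode("ascii")).decode("ascii")


def decode_command_token(token: str):
    """Return the six-letter command if `token` fits the grammar, else None.

    A token fits when it is strictly valid base64 whose decoded form is
    exactly six ASCII letters. Anything else (binary blobs, padding errors,
    wrong length) is rejected so the helper does not mis-label noise.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) != 6:
        return None
    text = raw.decode("ascii", errors="replace")
    if all(c in string.ascii_letters for c in text):
        return text
    return None


def triage(tokens):
    """Map each captured token to its decoded command, or None if it does not fit."""
    return {t: decode_command_token(t) for t in tokens}


# Constructed sample tokens, modelled on the grammar; the names are made up.
SAMPLE_TOKENS = [
    encode_command("upload"),        # exactly six letters already
    encode_command("delete_file"),   # truncated to "delete"
    encode_command("procki"),        # hypothetical "process kill" shorthand
    "not-base64!",                   # garbage that should be rejected
    base64.b64encode(bytes(range(6))).decode(),  # six bytes, but not letters
]

if __name__ == "__main__":
    for token, command in triage(SAMPLE_TOKENS).items():
        print(f"{token:>14} -> {command}")
```

The strict `validate=True` decode plus the fixed-length and letters-only checks keep false positives low when such a heuristic is run over captured C2 traffic; a token that decodes but fails the shape test is reported as `None` rather than guessed at.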

Tools associated with Mikroceen have also revealed clues to its connection to a possible APT. These include Mimikatz, an open source tool for extracting plaintext credentials from Windows memory, and Gh0st RAT, an old Trojan. However, in the latter case, including the malware appears redundant, as Mikroceen provides the same functionality, if not more. 

Previous reports have also noted the poor security measures implemented by the operators that fail to protect the RAT's control panel. It seems this is still the case, as the researchers were able to get their hands on a version of the panel and also trace back the malware's origin to the same bulletproof hosting network observed in the Vicious Panda campaign.

"The malware developers put great effort into the security and robustness of the connection with their victims and the operators managed to penetrate high-profile corporate networks," ESET says. "Moreover, they have a larger toolset of attack tools at their disposal and their projects are under constant development, mostly visible as variations in obfuscation."

Indicators of Compromise (IoCs) have been posted to ESET and Avast's GitHub repositories. 

In related news this week, ESET recently became subject to a Distributed Denial-of-Service (DDoS) attack launched from a malicious app that managed to circumvent Google's security measures and land on Google Play. The app was marketed as a news feed but actually enslaved mobile devices to launch DDoS attacks. 
