Published on May 16th, 2020

Backdoors in recent espionage attempts link to Microcin malware



Antivirus engines foiled an advanced attacker’s attempts to infiltrate a governmental institution and corporate networks of two companies in the telecommunications and gas sector.

Based on the set of tools discovered, the attacks are the work of a professional threat actor believed to be from China, with a mission to spy on targets in Central Asia.

Links to known malware

The attacks occurred last fall and were stopped automatically by Avast and ESET antivirus engines. A host of backdoors and tools for lateral movement were later analyzed by malware researchers, who found code similarities with past malware and campaigns attributed to a China-based actor.

Some hints pointing to a Chinese connection are the use of the hosting provider Choopa, LLC, for most of the command and control (C2) servers and the use of Gh0st RAT, attributed to Chinese APTs in the past.

In a report updated in March, Cisco described Choopa as “an attractive platform for criminals to host exploit kit domains, phishing, and other gray content.”

“The samples we analyzed contain links to malware samples and campaigns, such as Microcin, BYEBY, and Vicious Panda” - Avast

Tracking these campaigns goes back to 2017, when Kaspersky published information on Microcin targeting the Russian military. A few days later, Palo Alto Networks released their analysis of BYEBY, which targeted the Belarusian government.

Two months ago, Check Point announced a malicious campaign (Vicious Panda) against the Mongolian public sector. All these operations are now linked through toolsets that share code similarities.

Avast and ESET today released reports with technical details about all the tools the threat actor employed for their intrusion attempts.
Protected backdoors

A set of three backdoors were discovered in the attacks. ESET refers to them collectively by the name Mikroceen. They allowed the attacker to modify and delete files, take screenshots, manipulate services and processes, run console commands, or deploy the self-delete routine.

All of them feature protection against reverse engineering. Two of them, “sqllauncher.dll” and “logon.dll,” run as services and use the same C2 server.

After establishing a secure connection to the control server, they send telemetry information about the infected system (operating system version, username). They can read and steal files, execute commands, and start a remote shell.

The third backdoor, “logsupport.dll,” relies on a different C2 and can check whether it runs in a virtual environment. It fingerprints the compromised host by uploading system information (NetBIOS name, IP address, username, OS version, MAC address, CPU core count, OEM code page).

The researchers found it particularly interesting that this backdoor specifically looks for files with the .TU and .TUT extensions and can upload them to the C2 server to be modified.

For stealing credentials, the actor uses a version of the Mimikatz post-exploitation tool that is installed in two stages; for lateral movement, they relied on Windows Management Instrumentation (WMI), setting strict proxy security and using it to access local resources.
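The two service-hosted backdoors above are the most hunt-friendly detail in the reports: a DLL registered under a service's Parameters\ServiceDll key that svchost loads at boot. The following is an added example for this article, not code from Avast, ESET or the actor. It triages a snapshot of ServiceDll registrations against the three DLL names the reports give, a SHA-256 IoC list, and the directory each DLL loads from. The service snapshot and the hash list in the block are constructed placeholders; real hashes must come from the vendors' published IoC lists, and the `collect_service_dlls` helper (which reads the live registry on Windows) is a hypothetical collector, not a vendor tool.

```python
"""Hunt for Mikroceen/Microcin service-hosted backdoor DLLs on a Windows host.

Added example for this article (not Avast's, ESET's or the actor's code).
SAMPLE_SERVICES and SAMPLE_IOC_HASHES below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names the reports give for the three backdoors.
SUSPECT_DLL_NAMES = {"sqllauncher.dll", "logon.dll", "logsupport.dll"}

# Directories from which svchost normally loads legitimate service DLLs.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ServiceRecord:
    name: str         # key name under HKLM\SYSTEM\CurrentControlSet\Services
    service_dll: str  # value of that key's Parameters\ServiceDll
    sha256: str       # hex digest of the DLL on disk ("" if unreadable)


def triage_service(rec, ioc_hashes):
    """Return the reasons a service looks suspicious; an empty list means no finding."""
    path = PureWindowsPath(rec.service_dll)
    reasons = []
    if rec.sha256.lower() in ioc_hashes:
        reasons.append("sha256 matches IoC list")
    if path.name.lower() in SUSPECT_DLL_NAMES:
        reasons.append(f"ServiceDll name matches report: {path.name}")
    if str(path.parent).lower() not in EXPECTED_DIRS:
        reasons.append(f"ServiceDll loaded from unusual directory: {path.parent}")
    return reasons


def triage_services(records, ioc_hashes):
    """Map service name -> reasons for every service with at least one finding."""
    ioc = {h.lower() for h in ioc_hashes}
    findings = {}
    for rec in records:
        reasons = triage_service(rec, ioc)
        if reasons:
            findings[rec.name] = reasons
    return findings


def collect_service_dlls():
    """Hypothetical collector: read every ServiceDll value from the live registry.

    Windows only (imports winreg); expands %SystemRoot%-style paths and hashes the file.
    """
    import winreg
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    dll, _ = winreg.QueryValueEx(params, "ServiceDll")
            except OSError:  # service has no Parameters\ServiceDll
                continue
            dll = winreg.ExpandEnvironmentStrings(dll)
            try:
                with open(dll, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = ""
            records.append(ServiceRecord(name, dll, digest))
    return records


# Constructed snapshot: two benign services, one matching a (placeholder) IoC hash,
# one carrying a reported name but loaded from a non-system directory.
SAMPLE_SERVICES = [
    ServiceRecord("Dhcp", r"C:\Windows\System32\dhcpcore.dll", "11" * 32),
    ServiceRecord("Themes", r"C:\Windows\System32\themeservice.dll", "22" * 32),
    ServiceRecord("SQLLauncher", r"C:\Windows\System32\sqllauncher.dll", "0123456789abcdef" * 4),
    ServiceRecord("LogonSvc", r"C:\ProgramData\logon.dll", "33" * 32),
]
SAMPLE_IOC_HASHES = {"0123456789abcdef" * 4}  # constructed placeholder, not a real IoC

if __name__ == "__main__":
    for svc, reasons in triage_services(SAMPLE_SERVICES, SAMPLE_IOC_HASHES).items():
        print(svc, "->", "; ".join(reasons))
```

A name match on its own is only a lead (the actor could rename the DLL), which is why the hash and load-path checks are combined with it; on a live host, replace `SAMPLE_SERVICES` with `collect_service_dlls()` and `SAMPLE_IOC_HASHES` with the hashes from the vendors' IoC lists.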

Gh0st RAT, a backdoor typically seen with East-Asia adversaries, was also used by the mysterious attackers. It is believed that its source code is available to various groups, so its use cannot reliably point to a particular attacker.

(Image: Gh0st RAT)

Avast says that they contacted the affected organizations and the local CERT teams after the discovery of the intrusions but received no reply.

Attacks with the samples they found continued in other countries, which indicates that the group is still running its operations using the same toolset.

Both Avast and ESET have updated their indicators of compromise (IoCs) for this family of threats. They are freely available in the two companies' IoC repositories on GitHub.
