Kaspersky Lab experts have presented a detailed report on the recent activity of the hacking group Microcin (aka SixLittleMonkeys), which specializes in spying on diplomatic organizations. To do this, the Microcin Trojan uses … a “sock in the washing machine”.
It all started in February 2020, when researchers discovered a Trojan embedded in the memory of a system process on the victim’s machine. As it turned out, the target of the attack was a diplomatic organization. The specialists’ attention was drawn to the architecture of the malware in general and to its asynchronous work with sockets in particular.
“The function in the network module and its interaction with the loader were similar to a normal API. Such an approach is rare in the world of malware and is usually used by high-level APT groups,” the report says.
Based on the reuse of the command server (rented from the VPS service Choopa), the same method of profiling the infected system, and the similarity of the program code, the researchers attribute this campaign to the Microcin group, although the group had not previously used this programming style and architecture.
Moreover, no similar open-source tools were found during the analysis, so it appears that the attackers wrote the Trojan themselves.
As mentioned above, the group’s area of interest remains the same: spying on diplomatic organizations.
The attackers also continue to use steganography to deliver configuration data and additional modules to victims’ systems, this time via the legitimate public image hosting service cloudinary.com.
Researchers identified several of the images the attackers used. One picture, for example, was dedicated to the sensational GitLab ban on hiring citizens of Russia and China, while another, for some reason, shows a lonely sock in a washing machine.
As a reminder, the AcidBox malware also uses a form of steganography, hiding its sensitive data in icons and abusing the SSP interface to establish persistence on the system.
In all the images, the encrypted content consists of PE files containing the Trojan, plus configuration data that holds only the domain of the corresponding command server; all other parameters are supplied by the loader.
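The article does not say how the payload is placed inside the images, so as an added example (not Kaspersky’s analysis code or anything from the report) the following Python triage script checks two generic hiding spots in a PNG: bytes appended after the IEND chunk, and chunk types outside the specification or with near-random content. The 64-byte and 7.5-bit thresholds, the private chunk name prIV and the sample image are constructed assumptions.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
         b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"hIST", b"tIME", b"sPLT"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def scan_png(blob: bytes) -> dict:
    """Walk the chunk list and report the usual parking spots for a hidden payload: bytes after
    IEND, chunk types outside the spec, and large high-entropy ancillary chunks (IDAT excluded)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    report = {"trailing_bytes": 0, "odd_chunks": [], "bad_crc": [], "truncated": False}
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            report["truncated"] = True; break
        data = blob[pos + 8:end - 4]
        if zlib.crc32(ctype + data) != struct.unpack(">I", blob[end - 4:end])[0]:
            report["bad_crc"].append(ctype.decode("latin-1"))
        # Assumed thresholds: ancillary chunks over 64 bytes with entropy above 7.5 bits/byte.
        if ctype not in KNOWN or (ctype != b"IDAT" and length > 64 and entropy(data) > 7.5):
            report["odd_chunks"].append((ctype.decode("latin-1"), length))
        pos = end
        if ctype == b"IEND":
            report["trailing_bytes"] = len(blob) - pos  # anything after IEND is not image data
            break
    return report

def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG with a private high-entropy chunk and a blob after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    payload = bytes(range(256)) * 4                        # constructed stand-in: entropy exactly 8.0
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + chunk(b"prIV", payload) + chunk(b"IEND", b"") + b"CFG:" + payload)
```

Run `scan_png` over image files pulled from a suspicious download path; a clean photo yields zero trailing bytes and no odd chunks, so any hit is worth a closer look.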
“From a programming point of view, an API-like module architecture and asynchronous socket handling are progress for the group. This, in particular, means asynchronous operation with sockets. In terms of Windows user-space objects, these are I/O completion ports. In the OS kernel space, they correspond to the asynchronous procedure call (APC) queue,” the researchers say.
This mechanism is typically used in backend applications on heavily loaded servers, and malware of this kind does not require that level of programming. For this reason, analysts believe the malware developers have experience writing server applications and simply use the coding style they are accustomed to.
According to the researchers, the Microcin group has recently taken a step forward, not in terms of the initial infection vector but in terms of programming. The API-like network module is much easier to maintain and update, and the current improvements not only make the malware harder to detect and analyze but also reflect a new approach to software development and bring the group closer to implementing a modular platform.