Kaspersky Lab researchers reveal return of LuckyMouse Trojan, find unique driver tactics in latest scheme

The Kaspersky Lab Global Research and Analysis Team (GReAT) has discovered several infections from a previously unknown Trojan, which is most likely related to the infamous Chinese-speaking threat actor, LuckyMouse. An unusual trait of this malware is its hand-picked driver, signed with a legitimate digital certificate, which has been issued by a company developing information security-related software.

LuckyMouse is known for highly targeted cyberattacks on large entities around the world. The group’s activity poses a danger to several regions, including South Eastern and Central Asia, as the threat actor’s attacks appear to have a political agenda. Judging by the victim profiles and the group’s previous attack vectors, Kaspersky Lab researchers believe the Trojan they’ve detected might have been used for nation-state backed cyberespionage.

Users are advised not to automatically trust the code running on their systems, as a valid digital certificate does not guarantee the absence of a backdoor. A security solution equipped with malicious-behavior detection technologies can catch even previously unknown threats. Kaspersky Lab also recommends subscribing an organization’s security team to a high-quality threat intelligence reporting service, in order to get early access to information on the most recent developments in the tactics, techniques and procedures of sophisticated threat actors.

In March this year, Kaspersky detected an ongoing campaign targeting a national data center in Central Asia that it believes has been active since autumn 2017. The choice of target made this campaign especially significant: it meant the attackers gained access to a wide range of government resources in one fell swoop. Kaspersky believes this access was abused, for example, by inserting malicious scripts into the country’s official websites in order to conduct watering hole attacks.

The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.
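Because the launcher unpacks its next stage with LZNT1, an analyst who wants to recover the payload from a memory dump or a dropped blob needs a decompressor for that format. The following is an added example (not Kaspersky Lab’s code and not from the samples described here) implementing LZNT1 decompression in pure Python with bounds checks for malformed input; the sample buffer is constructed for illustration.

```python
import struct

# Constructed sample (not from the campaign): one compressed LZNT1 chunk whose
# data is "ABC" as literals followed by a copy token (distance 3, length 9).
SAMPLE = b"\x05\xb0\x08ABC\x06\x20"

def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 buffer (the format behind RtlDecompressBuffer)."""
    out = bytearray()
    off = 0
    while off + 2 <= len(data):
        header = struct.unpack_from("<H", data, off)[0]
        off += 2
        if header == 0:                       # zero header ends the stream
            break
        chunk_end = off + (header & 0x0FFF) + 1  # low 12 bits: data size - 1
        if chunk_end > len(data):
            raise ValueError("chunk runs past end of buffer")
        if not header & 0x8000:               # bit 15 clear: stored chunk
            out += data[off:chunk_end]
            off = chunk_end
            continue
        chunk_start = len(out)                # back-references stay in-chunk
        while off < chunk_end:
            flags = data[off]                 # one flag bit per following token
            off += 1
            for bit in range(8):
                if off >= chunk_end:
                    break
                if not flags & (1 << bit):    # clear bit: literal byte
                    out.append(data[off])
                    off += 1
                    continue
                if off + 2 > chunk_end:
                    raise ValueError("truncated copy token")
                token = struct.unpack_from("<H", data, off)[0]
                off += 2
                pos = len(out) - chunk_start
                # Displacement field widens as the chunk fills: 4 bits below pos 16, then 5, ... up to 12
                dbits = max(0, pos.bit_length() - 4)
                length = (token & (0x0FFF >> dbits)) + 3
                disp = (token >> (12 - dbits)) + 1
                if disp > pos:
                    raise ValueError("displacement points before chunk start")
                for _ in range(length):       # byte-wise copy allows overlap
                    out.append(out[-disp])
    return bytes(out)

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE))           # b'ABCABCABCABC'
```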

Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report, IoCs and YARA rules are available from its intelligence reporting service.

Based on the tools and tactics in use, Kaspersky attributes the campaign to the Chinese-speaking actor LuckyMouse (also known as EmissaryPanda and APT27). The C2 domain update.iaacstudio[.]com was also previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. As for Metasploit’s shikata_ga_nai encoder: although it is available to everyone and cannot be the basis for attribution, this encoder is known to have been used by LuckyMouse previously.

Government entities, including Central Asian ones, have been targeted by this actor before. Given LuckyMouse’s ongoing watering hole attacks on government websites and the corresponding dates, the researchers suspect that one of the aims of this campaign is to reach web pages via the data center and inject JavaScript into them.

The Trojan discovered by Kaspersky Lab experts infected a target computer through a driver built by the threat actors. This allowed the attackers to execute all common tasks such as command execution, downloading and uploading files as well as intercepting network traffic.

The driver became the most interesting part of this campaign. To make it appear trustworthy, the group seemingly stole a digital certificate that belonged to an information security-related software developer and used it to sign malware samples. This was done in an attempt to avoid detection by security solutions, since a legitimate signature makes the malware look like legitimate software.

Another noteworthy feature of the driver is that, despite LuckyMouse’s ability to create its own malicious software, the software used in the attack appeared to be a combination of publicly available code samples from public repositories and custom malware. Such adoption of ready-to-use third-party code, instead of writing original code, saves the developers time and makes attribution more difficult.

“When a new LuckyMouse campaign appears, it’s almost always around the same time as the lead up to a high-profile political event, and the timing of an attack usually precedes world leader summits,” says Denis Legezo, security researcher, Kaspersky Lab. “The actor isn’t too worried about attribution because they are now implementing third-party code samples into their programs – it’s not time-consuming for them to add another layer to their droppers or to develop a modification for the malware and still remain untraced.”


WWPI – Covering the best in IT since 1980