(ESET) In this joint blogpost with fellow researchers from Avast, we provide a technical analysis of a constantly developed RAT that has been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple instances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several important companies in the telecommunications and gas industries, and governmental entities. Moreover, we connect the dots between the latest campaign and three previously published reports: Kaspersky’s Microcin against Russian military personnel, Palo Alto Networks’ BYEBY against the Belarussian government and Checkpoint’s {{Vicious Panda}} against the Mongolian public sector. Also, we discuss other malware that was typically a part of the attacker’s toolset together with the RAT. We chose the name Mikroceen to cover all instances of the RAT, in acknowledgement of Kaspersky’s initial report on the family. The misspelling is intentional, in order to avoid the established microbiological notion, but also to have at least phonemic agreement.
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| IP:Port | Timestamp |
|---|
| Domain | Timestamp |
|---|
| URL | Timestamp |
|---|
Actor: Mikroceen
Names: Mikroceen, SixLittleMonkeys
Country: China
Motivation: Information theft and espionage
First-seen: 2017
Description: (ESET) In this joint blogpost with fellow researchers from Avast, we provide a technical analysis of a constantly developed RAT that has been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple instances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several important companies in the telecommunications and gas industries, and governmental entities. Moreover, we connect the dots between the latest campaign and three previously published reports: Kaspersky’s Microcin against Russian military personnel, Palo Alto Networks’ BYEBY against the Belarussian government and Checkpoint’s {{Vicious Panda}} against the Mongolian public sector. Also, we discuss other malware that was typically a part of the attacker’s toolset together with the RAT. We chose the name Mikroceen to cover all instances of the RAT, in acknowledgement of Kaspersky’s initial report on the family. The misspelling is intentional, in order to avoid the established microbiological notion, but also to have at least phonemic agreement.
Observed-sectors: Defense
Observed-sectors: Government
Observed-sectors: Oil and gas
Observed-sectors: Telecommunications
Observed-countries: Belarus
Observed-countries: Mongolia
Observed-countries: Russia
Observed-countries: Central Asia
Tools: Gh0st RAT
Tools: logon.dll
Tools: logsupport.dll
Tools: Microcin
Tools: Mimikatz
Tools: pcaudit.bat
Tools: sqllauncher.dll
Operations: 2021-03
Operations: Exchange servers under siege from at least 10 APT groups https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
Information: https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/
Information: https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/
Information: https://securelist.com/microcin-is-here/97353/
Last-card-change: 2021-04-20
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |