It all began in February 2020, when researchers discovered a Trojan embedded in the memory of a system process on a victim's machine. The target of the attack turned out to be a diplomatic organization. What caught the specialists' attention was the overall architecture of the malware and, in particular, its asynchronous handling of sockets: the functions of the network module and their interaction with the loader resembled a regular API. According to the report, this approach is rare in the malware world and is usually seen only among high-level APT groups.
Based on the reuse of a command-and-control server (a VPS rented from Choopa), the methods used to profile the infected system, and similarities in the code, the researchers attribute this campaign to the Microcin group, even though the group had not previously used this programming style and architecture. Moreover, no similar open-source tools were found during the analysis, which suggests that the attackers wrote the Trojan themselves.
As noted above, the group's area of interest is unchanged: spying on diplomatic organizations. The hackers also continue to use steganography to deliver configuration data and additional modules to victims' systems, this time via the legitimate public image hosting service cloudinary.com. Among the images the hackers used, the researchers singled out a few. One picture, for example, referred to the widely discussed GitLab ban on hiring citizens of Russia and China, while another, for some reason, showed a lone sock in a washing machine.
In all of the images, the encrypted content consists of PE files carrying the Trojan and of configuration data that contains only the domain of the corresponding command-and-control server. All other parameters are supplied by the loader.
From a programming standpoint, the report notes, the API-like module architecture and the asynchronous handling of sockets are a step forward for the group. In terms of Windows user-space objects, asynchronous socket operation means I/O completion ports; in the OS kernel, these correspond to the asynchronous procedure call (APC) queue. This mechanism is usually used in back-end applications on heavily loaded servers, and malware of this kind has no need for that level of engineering. For this reason, the analysts believe the malware developers have some experience writing server applications and simply used the coding style familiar to them.
According to the researchers, the Microcin group has recently taken a step forward, not in terms of the initial infection vector but in terms of programming. The API-like network module the hackers use is much easier to maintain and update, and the current improvements not only make the malware harder to detect and analyze but also introduce a new approach to its development and bring the group closer to a modular platform.
A detailed technical analysis of the detected Trojan is available in the experts' report.