MontysThree – Industrial Espionage with Steganography
In summer 2020, Kaspersky's SecureList team uncovered a multi-module C++ toolset used in a highly targeted industrial espionage campaign dating back to 2018. The researchers found no code-level similarities with other attack infrastructure or TTPs and therefore treat it as a new threat actor. The malware contains modules for persistence, bitmap steganography, decryption of configuration tasks, task execution, and network communication with legitimate public cloud services. Code modularity is a normal practice in the software development life cycle (SDLC): it promotes the reuse, replacement and upgrading of modules and makes development more efficient. In recent years more malware has been developed like commercial software, with the intention of prolonged use and maintenance.
MontysThree searches for specific MS Office and Adobe Acrobat files stored in document directories and on removable media. It uses custom steganography (hiding files and data within other files) and encryption (custom XOR-based, 3DES and RSA) for encrypting and decrypting its communications, and MT3 seeks out directories that exist only on Cyrillic-localized Windows versions (Slavic, Turkic, Mongolic and Iranic-speaking countries). There are also Chinese false flags: the e-mail accounts used for cloud server authentication were likely made to look Chinese. The security researchers attribute this to a Russian-speaking threat actor targeting Cyrillic Windows versions, not a Chinese threat actor.
Since there is a lack of overlapping TTPs between this campaign and other known campaigns, the threat actor is assessed to be a new one. The researchers at SecureList still assume the actor is Russian-speaking, because certain filenames and data-field titles are written in Russian and the English contains grammatical mistakes. Yet the researchers do not consider this actor sophisticated when it comes to spreading the malware or its persistence methods. Other choices the malware author made do seem ‘tech savvy’, however: using legitimate cloud servers to hide C2 traffic, custom steganography, and a 3DES key protected under RSA encryption to evade IDS.
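The page notes that MontysThree hides its encrypted configuration inside bitmaps. As an added illustration of what a defender can do about that class of technique (this is not MontysThree's own scheme, whose bitmap format and embedding method the page does not describe), the example below builds a constructed grayscale cover, embeds random-looking bytes in the pixel LSBs the textbook way, and then applies the chi-square "pairs of values" steganalysis test: LSB replacement of encrypted-looking data pushes the histogram bins for 2k and 2k+1 towards equality, so the statistic collapses on a stego image. The cover, payload and threshold are all constructed assumptions for the demo.

```python
"""LSB steganalysis demo (chi-square 'pairs of values' test).

Added example, not MontysThree's or Kaspersky's code: the real implant's
bitmap format and embedding scheme are not described on this page. The cover
image, payload and threshold below are constructed for illustration.
"""
import random

WIDTH, HEIGHT = 70, 50  # constructed 8-bit grayscale cover, 3500 pixels


def make_cover() -> list:
    """Synthetic cover whose histogram is skewed: even pixel values dominate
    (about 6 of 7), standing in for a natural image whose 2k/2k+1 bins differ."""
    pixels = []
    for i in range(WIDTH * HEIGHT):
        v = 2 * ((i * 37) % 50) + 100  # even values 100..198
        if i % 7 == 0:
            v += 1  # a minority of odd values
        pixels.append(v)
    return pixels


def lsb_embed(pixels: list, payload: bytes) -> list:
    """Classic LSB replacement: one payload bit per pixel, MSB of each byte first."""
    bits = [(b >> s) & 1 for b in payload for s in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in cover")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def pov_chi_square(pixels: list) -> float:
    """Pairs-of-values statistic, normalised per pixel.

    For each value pair (2k, 2k+1) the expected count under LSB embedding of
    random bits is the pair's mean; a clean image deviates from it, a stego
    image with random-looking payload does not."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected > 0:
            chi += (hist[2 * k] - expected) ** 2 / expected
    return chi / len(pixels)


THRESHOLD = 0.05  # constructed cut-off; calibrate on known-clean images in practice


def looks_like_lsb_stego(pixels: list) -> bool:
    """Flag an image whose 2k/2k+1 bins are suspiciously well balanced."""
    return pov_chi_square(pixels) < THRESHOLD


def demo() -> dict:
    cover = make_cover()
    rng = random.Random(1)  # stands in for an encrypted blob: random-looking bytes
    payload = bytes(rng.getrandbits(8) for _ in range(WIDTH * HEIGHT // 8))
    stego = lsb_embed(cover, payload)
    return {
        "cover_stat": pov_chi_square(cover),
        "stego_stat": pov_chi_square(stego),
        "cover_flagged": looks_like_lsb_stego(cover),
        "stego_flagged": looks_like_lsb_stego(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the constructed cover the statistic is roughly 0.25 per pixel; after embedding it drops to the order of 0.01, well below the threshold. The test only catches sequential LSB replacement of high-entropy data, which is exactly why a "custom" scheme is attractive to an attacker and why real steganalysis combines several statistics and calibrates thresholds on a known-clean image set.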
Sources:
Indicators of Compromise:
- File Hashes
  - Loader
    - 1B0EE014DD2D29476DF31BA078A3FF48
    - 0976C442A06D2D8A34E9B6D38D45AE42
    - A2AA414B30934893864A961B71F91D98
  - Kernel
    - A221671ED8C3956E0B9AF2A5E04BDEE3
    - 3A885062DAA36AE3227F16718A5B2BDB
    - 3AFA43E1BC578460BE002EB58FA7C2DE
  - HTTP Transport
    - 017539B3D744F7B6C62C94CE4BCA444F
    - 501E91BA1CE1532D9790FCD1229CBBDA
    - D6FB78D16DFE73E6DD416483A32E1D72
- Domains and IPs
  - autosport-club.tekcities[.]com
  - dl10-web-stock[.]ru
  - dl16-web-eticket[.]ru
  - dl166-web-eticket[.]ru
  - dl55-web-yachtbooking[.]xyz
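As an added example of putting the network indicators above to use (not code from Kaspersky or the original post), the script below refangs the defanged domains and runs them over a constructed DNS query log. Only the indicators come from the page; the log format, client addresses and every query name in the sample are constructed for illustration. The matcher anchors on a label boundary so that a parent domain, a look-alike prefix, or the indicator appearing as a non-final suffix does not fire.

```python
"""Match DNS query logs against the MontysThree network IoCs listed above.

Added example, not Kaspersky's code. The log format and log lines are
constructed for illustration; only the indicators come from the page.
"""
from typing import List, Optional, Tuple

# Defanged indicators exactly as published in the IoC list on this page.
DEFANGED_DOMAINS = [
    "autosport-club.tekcities[.]com",
    "dl10-web-stock[.]ru",
    "dl16-web-eticket[.]ru",
    "dl166-web-eticket[.]ru",
    "dl55-web-yachtbooking[.]xyz",
]

# Constructed sample log: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2020-07-14T09:12:03Z 10.0.0.15 A autosport-club.tekcities.com.
2020-07-14T09:12:09Z 10.0.0.22 A tekcities.com
2020-07-14T09:13:44Z 10.0.0.15 A www.DL10-web-stock.ru
2020-07-14T09:14:10Z 10.0.0.31 A dl10-web-stock.ru.example.com
2020-07-14T09:15:01Z 10.0.0.31 AAAA notdl16-web-eticket.ru
2020-07-14T09:17:12Z 10.0.0.40 A mail.example.net
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def normalise_qname(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().lower().rstrip(".")


def match_domain(qname: str, indicators: List[str]) -> Optional[str]:
    """Return the indicator hit by qname: an exact match or a subdomain of it.

    A parent domain (tekcities.com) or a name that merely contains the
    indicator (dl10-web-stock.ru.example.com) must not match, which is why
    we compare on a dot boundary instead of doing substring search."""
    q = normalise_qname(qname)
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(log_text: str, defanged: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, indicator) for every log line that hits an IoC."""
    indicators = [refang(d) for d in defanged]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        _ts, client, _qtype, qname = parts[:4]
        hit = match_domain(qname, indicators)
        if hit:
            hits.append((client, normalise_qname(qname), hit))
    return hits


if __name__ == "__main__":
    for client, qname, ind in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(f"IoC hit: {client} queried {qname} (indicator {ind})")
```

Two of the six constructed lines hit: the exact indicator with a trailing root dot, and a mixed-case subdomain of an indicator. The same refang-and-normalise step belongs in front of any blocklist built from published IoCs, since a single stray `[.]` or uppercase label otherwise silently disables the match.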