New Wave of Mikroceen RAT Backdoors Target Asian Countries

What happened

• In May 2020, attackers used a set of backdoors collectively referred to by the name Mikroceen. The individual backdoors were identified by the names “sqllauncher.dll”, “logon.dll,” and “logsupport.dll”.
• The Mikroceen backdoors were found targeting several high-profile organizations in the telecom and gas industries, and governmental entities in the Central Asian region. These victims were not private individuals, but rather endpoints in corporate networks.
• The backdoors paved the way for the deployment of other malware such as Gh0st RAT and Mimikatz. Also, the hacker relied on Windows Management Instrumentation (WMI) to set strict proxy security and to access local resources.
• In this campaign, the majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the past. A GoDaddy registrar was also used early on in the campaign, but those servers were soon removed.

The connection with previous attacks

• There were several connecting dots between the latest campaign and three previously published intel reports: Kaspersky’s Microcin targeting Russian military personnel, Palo Alto Networks’ BYEBY against the Belarussian government, and Checkpoint’s Vicious Panda against the Mongolian public sector.
• The latest sample files (the COVID campaign from 2020) have several correlations (code similarities) to the Microcin sample from 2017, the BYEBY sample from 2017, and Vicious Panda.
• The analysis of the used toolsets, especially the use of the RTF weaponizer in the infection vector, connects this campaign to an APT group from China. The group is suspected to be behind attacks active in Mongolia, Russia, and Belarus. The targeted companies and institutions, as well as the malware code analysis point to an APT group.

Stay safe